diff --git a/Cryptlib/Cryptlib.diff b/Cryptlib/Cryptlib.diff index 9663d90..a2f49d6 100644 --- a/Cryptlib/Cryptlib.diff +++ b/Cryptlib/Cryptlib.diff @@ -6,8 +6,8 @@ index 68bc25a..1abe78e 100644 // BUG: hardcode OldSize == size! We have no any knowledge about // memory size of original pointer ptr. // -- return ReallocatePool ((UINTN)size, (UINTN)size, ptr); -+ return ReallocatePool (ptr, (UINTN)size, (UINTN)size); +- return ReallocatePool ((UINTN) size, (UINTN) size, ptr); ++ return ReallocatePool (ptr, (UINTN) size, (UINTN) size); } /* De-allocates or frees a memory block */ diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h index 5a2745d..9e56ced 100644 --- a/Cryptlib/Include/OpenSslSupport.h +++ b/Cryptlib/Include/OpenSslSupport.h @@ -35,6 +35,14 @@ typedef VOID *FILE; // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h // #if !defined(__CC_ARM) // if va_list is not already defined +/* + * These are now unconditionally #defined by GNU_EFI's efistdarg.h, + * so we should #undef them here before providing a new definition. + */ +#undef va_arg +#undef va_start +#undef va_end + #define va_list VA_LIST #define va_arg VA_ARG #define va_start VA_START diff --git a/Cryptlib/Include/openssl/bn.h b/Cryptlib/Include/openssl/bn.h index f1719a5..688a4e7 100644 --- a/Cryptlib/Include/openssl/bn.h +++ b/Cryptlib/Include/openssl/bn.h @@ -511,6 +511,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret, BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); +void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); + /* Deprecated versions */ #ifndef OPENSSL_NO_DEPRECATED BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, @@ -740,11 +742,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num); #define bn_fix_top(a) bn_check_top(a) +#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) +#define bn_wcheck_size(bn, words) \ + do { \ + const BIGNUM *_bnum2 = (bn); \ + assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ + } while(0) + #else /* !BN_DEBUG */ #define bn_pollute(a) #define bn_check_top(a) #define bn_fix_top(a) bn_correct_top(a) +#define bn_check_size(bn, bits) +#define bn_wcheck_size(bn, words) #endif diff --git a/Cryptlib/Include/openssl/crypto.h b/Cryptlib/Include/openssl/crypto.h index fc1374f..ac0c949 100644 --- a/Cryptlib/Include/openssl/crypto.h +++ b/Cryptlib/Include/openssl/crypto.h @@ -235,15 +235,15 @@ typedef struct openssl_item_st #ifndef OPENSSL_NO_LOCKING #ifndef CRYPTO_w_lock #define CRYPTO_w_lock(type) \ - CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0) #define CRYPTO_w_unlock(type) \ - CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0) #define CRYPTO_r_lock(type) \ - CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0) #define CRYPTO_r_unlock(type) \ - CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0) #define CRYPTO_add(addr,amount,type) \ - CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) + CRYPTO_add_lock(addr,amount,type,NULL,0) #endif #else #define CRYPTO_w_lock(a) @@ -361,19 +361,19 @@ int CRYPTO_is_mem_check_on(void); #define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) #define is_MemCheck_on() CRYPTO_is_mem_check_on() -#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) -#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) +#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0) +#define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0) #define OPENSSL_realloc(addr,num) \ - CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) + CRYPTO_realloc((char *)addr,(int)num,NULL,0) #define OPENSSL_realloc_clean(addr,old_num,num) \ - CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) + CRYPTO_realloc_clean(addr,old_num,num,NULL,0) #define OPENSSL_remalloc(addr,num) \ - CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) + CRYPTO_remalloc((char **)addr,(int)num,NULL,0) #define OPENSSL_freeFunc CRYPTO_free #define OPENSSL_free(addr) CRYPTO_free(addr) #define OPENSSL_malloc_locked(num) \ - CRYPTO_malloc_locked((int)num,__FILE__,__LINE__) + CRYPTO_malloc_locked((int)num,NULL,0) #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr) @@ -487,7 +487,7 @@ void CRYPTO_set_mem_debug_options(long bits); long CRYPTO_get_mem_debug_options(void); #define CRYPTO_push_info(info) \ - CRYPTO_push_info_(info, __FILE__, __LINE__); + CRYPTO_push_info_(info, NULL, 0); int CRYPTO_push_info_(const char *info, const char *file, int line); int CRYPTO_pop_info(void); int CRYPTO_remove_all_info(void); @@ -528,17 +528,17 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb); /* die if we have to */ void OpenSSLDie(const char *file,int line,const char *assertion); -#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1)) +#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1)) unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) int OPENSSL_isservice(void); #ifdef OPENSSL_FIPS -#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \ alg " previous FIPS forbidden algorithm error ignored"); -#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ +#define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \ #alg " Algorithm forbidden in FIPS mode"); #ifdef OPENSSL_FIPS_STRICT @@ -591,6 +591,13 @@ int OPENSSL_isservice(void); #define OPENSSL_HAVE_INIT 1 void OPENSSL_init(void); +/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It + * takes an amount of time dependent on |len|, but independent of the contents + * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a + * defined order as the return value when a != b is undefined, other than to be + * non-zero. */ +int CRYPTO_memcmp(const void *a, const void *b, size_t len); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/Cryptlib/Include/openssl/ec.h b/Cryptlib/Include/openssl/ec.h index 8bc2a23..367307f 100644 --- a/Cryptlib/Include/openssl/ec.h +++ b/Cryptlib/Include/openssl/ec.h @@ -321,7 +321,15 @@ void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); /* functions to set/get method specific data */ void *EC_KEY_get_key_method_data(EC_KEY *, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -void EC_KEY_insert_key_method_data(EC_KEY *, void *data, +/** Sets the key method data of an EC_KEY object, if none has yet been set. + * \param key EC_KEY object + * \param data opaque data to install. + * \param dup_func a function that duplicates |data|. + * \param free_func a function that frees |data|. + * \param clear_free_func a function that wipes and frees |data|. + * \return the previously set data pointer, or NULL if |data| was inserted. + */ +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); /* wrapper functions for the underlying EC_GROUP object */ void EC_KEY_set_asn1_flag(EC_KEY *, int); diff --git a/Cryptlib/Include/openssl/engine.h b/Cryptlib/Include/openssl/engine.h index d4bc1ef..b4e0444 100644 --- a/Cryptlib/Include/openssl/engine.h +++ b/Cryptlib/Include/openssl/engine.h @@ -335,15 +335,15 @@ void ENGINE_load_gmp(void); void ENGINE_load_nuron(void); void ENGINE_load_sureware(void); void ENGINE_load_ubsec(void); -#endif -void ENGINE_load_cryptodev(void); -void ENGINE_load_padlock(void); -void ENGINE_load_builtin_engines(void); #ifdef OPENSSL_SYS_WIN32 #ifndef OPENSSL_NO_CAPIENG void ENGINE_load_capi(void); #endif #endif +#endif +void ENGINE_load_cryptodev(void); +void ENGINE_load_padlock(void); +void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation * "registry" handling. */ diff --git a/Cryptlib/Include/openssl/opensslv.h b/Cryptlib/Include/openssl/opensslv.h index 4a5a5ae..e5ab5c4 100644 --- a/Cryptlib/Include/openssl/opensslv.h +++ b/Cryptlib/Include/openssl/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090817fL +#define OPENSSL_VERSION_NUMBER 0x009081afL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8w-fips 23 Apr 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8za-fips 5 Jun 2014" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8w 23 Apr 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8za 5 Jun 2014" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/Cryptlib/Include/openssl/ssl.h b/Cryptlib/Include/openssl/ssl.h index eb50e14..5f2a04e 100644 --- a/Cryptlib/Include/openssl/ssl.h +++ b/Cryptlib/Include/openssl/ssl.h @@ -490,11 +490,14 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 + /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS @@ -1204,6 +1207,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE +#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1820,6 +1825,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 @@ -2073,6 +2079,11 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 +#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 +#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 +#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 +#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 +#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 diff --git a/Cryptlib/Include/openssl/ssl3.h b/Cryptlib/Include/openssl/ssl3.h index b9a85ef..de5e559 100644 --- a/Cryptlib/Include/openssl/ssl3.h +++ b/Cryptlib/Include/openssl/ssl3.h @@ -333,6 +333,7 @@ typedef struct ssl3_buffer_st #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 #define SSL3_FLAGS_POP_BUFFER 0x0004 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us @@ -460,6 +461,15 @@ typedef struct ssl3_state_st unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; unsigned char previous_server_finished_len; int send_connection_binding; /* TODOEKR */ + +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + /* This is set to true if we believe that this is a version of Safari + * running on OS X 10.6 or newer. We wish to know this because Safari + * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ + char is_probably_safari; +#endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_TLSEXT */ } SSL3_STATE; diff --git a/Cryptlib/Include/openssl/symhacks.h b/Cryptlib/Include/openssl/symhacks.h index 0114093..c540771 100644 --- a/Cryptlib/Include/openssl/symhacks.h +++ b/Cryptlib/Include/openssl/symhacks.h @@ -252,15 +252,15 @@ #define EC_POINT_set_compressed_coordinates_GF2m \ EC_POINT_set_compr_coords_GF2m #undef ec_GF2m_simple_group_clear_finish -#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish +#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish #undef ec_GF2m_simple_group_check_discriminant #define ec_GF2m_simple_group_check_discriminant ec_GF2m_simple_grp_chk_discrim #undef ec_GF2m_simple_point_clear_finish -#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish +#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish #undef ec_GF2m_simple_point_set_to_infinity -#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf +#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf #undef ec_GF2m_simple_points_make_affine -#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine +#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine #undef ec_GF2m_simple_point_set_affine_coordinates #define ec_GF2m_simple_point_set_affine_coordinates \ ec_GF2m_smp_pt_set_af_coords @@ -288,8 +288,6 @@ #define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf #undef ec_GFp_simple_points_make_affine #define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine -#undef ec_GFp_simple_group_get_curve_GFp -#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp #undef ec_GFp_simple_set_Jprojective_coordinates_GFp #define ec_GFp_simple_set_Jprojective_coordinates_GFp \ ec_GFp_smp_set_Jproj_coords_GFp diff --git a/Cryptlib/Include/openssl/tls1.h b/Cryptlib/Include/openssl/tls1.h index afe4807..47f25af 100644 --- a/Cryptlib/Include/openssl/tls1.h +++ b/Cryptlib/Include/openssl/tls1.h @@ -80,10 +80,24 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#define TLS1_2_VERSION 0x0303 +#define TLS1_2_VERSION_MAJOR 0x03 +#define TLS1_2_VERSION_MINOR 0x03 + +#define TLS1_1_VERSION 0x0302 +#define TLS1_1_VERSION_MAJOR 0x03 +#define TLS1_1_VERSION_MINOR 0x02 + #define TLS1_VERSION 0x0301 #define TLS1_VERSION_MAJOR 0x03 #define TLS1_VERSION_MINOR 0x01 +#define TLS1_get_version(s) \ + ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) + +#define TLS1_get_client_version(s) \ + ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) + #define TLS1_AD_DECRYPTION_FAILED 21 #define TLS1_AD_RECORD_OVERFLOW 22 #define TLS1_AD_UNKNOWN_CA 48 /* fatal */ diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index a05a4db..9719a27 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -1,18 +1,15 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -LIB_PATH = /usr/lib64 - -EFI_INCLUDE = /usr/include/efi -EFI_INCLUDES = -nostdinc -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi - -LIB_GCC = $(shell $(CC) -print-libgcc-file-name) -EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) +EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall $(EFI_INCLUDES) -mno-red-zone -maccumulate-outgoing-args -mno-sse -mno-mmx + -Wall $(EFI_INCLUDES) + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI +endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 endif LDFLAGS = -nostdlib -znocombreloc @@ -28,9 +25,10 @@ OBJS = Hash/CryptMd4.o \ Cipher/CryptArc4.o \ Rand/CryptRand.o \ Pk/CryptRsaBasic.o \ - Pk/CryptRsaExt.o \ - Pk/CryptPkcs7.o \ - Pk/CryptDh.o \ + Pk/CryptRsaExtNull.o \ + Pk/CryptPkcs7SignNull.o \ + Pk/CryptPkcs7Verify.o \ + Pk/CryptDhNull.o \ Pk/CryptX509.o \ Pk/CryptAuthenticode.o \ Pem/CryptPem.o \ diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index c93d5af..7990b3c 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -1,18 +1,22 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -LIB_PATH = /usr/lib64 - -EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi -LIB_GCC = $(shell $(CC) -print-libgcc-file-name) -EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) +CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ + -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG +endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ + -m32 -DTHIRTY_TWO_BIT +endif +ifeq ($(ARCH),aarch64) + CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif +ifeq ($(ARCH),arm) + CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) endif LDFLAGS = -nostdlib -znocombreloc diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c b/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c b/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_core.c b/Cryptlib/OpenSSL/crypto/aes/aes_core.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c b/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ige.c b/Cryptlib/OpenSSL/crypto/aes/aes_ige.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_misc.c b/Cryptlib/OpenSSL/crypto/aes/aes_misc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c b/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bool.c b/Cryptlib/OpenSSL/crypto/asn1/a_bool.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_digest.c b/Cryptlib/OpenSSL/crypto/asn1/a_digest.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_dup.c b/Cryptlib/OpenSSL/crypto/asn1/a_dup.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_enum.c b/Cryptlib/OpenSSL/crypto/asn1/a_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c b/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_hdr.c b/Cryptlib/OpenSSL/crypto/asn1/a_hdr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_int.c b/Cryptlib/OpenSSL/crypto/asn1/a_int.c old mode 100755 new mode 100644 index f551bdb..ee26c31 --- a/Cryptlib/OpenSSL/crypto/asn1/a_int.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_int.c @@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) int pad=0,ret,i,neg; unsigned char *p,*n,pb=0; - if ((a == NULL) || (a->data == NULL)) return(0); + if (a == NULL) return(0); neg=a->type & V_ASN1_NEG; if (a->length == 0) ret=1; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_meth.c b/Cryptlib/OpenSSL/crypto/asn1/a_meth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_object.c b/Cryptlib/OpenSSL/crypto/asn1/a_object.c old mode 100755 new mode 100644 index 3ac2bc2..e50501a --- a/Cryptlib/OpenSSL/crypto/asn1/a_object.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_object.c @@ -285,16 +285,28 @@ err: ASN1_OBJECT_free(ret); return(NULL); } + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) { ASN1_OBJECT *ret=NULL; const unsigned char *p; - int i; - /* Sanity check OID encoding: can't have leading 0x80 in - * subidentifiers, see: X.690 8.19.2 + int i, length; + + /* Sanity check OID encoding. + * Need at least one content octet. + * MSB must be clear in the last octet. + * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 */ - for (i = 0, p = *pp; i < len; i++, p++) + if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || + p[len - 1] & 0x80) + { + ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); + return NULL; + } + /* Now 0 < len <= INT_MAX, so the cast is safe. */ + length = (int)len; + for (i = 0; i < length; i++, p++) { if (*p == 0x80 && (!i || !(p[-1] & 0x80))) { @@ -313,20 +325,20 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, else ret=(*a); p= *pp; - if ((ret->data == NULL) || (ret->length < len)) + if ((ret->data == NULL) || (ret->length < length)) { if (ret->data != NULL) OPENSSL_free(ret->data); - ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); + ret->data=(unsigned char *)OPENSSL_malloc(length); ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; if (ret->data == NULL) { i=ERR_R_MALLOC_FAILURE; goto err; } } - memcpy(ret->data,p,(int)len); - ret->length=(int)len; + memcpy(ret->data,p,length); + ret->length=length; ret->sn=NULL; ret->ln=NULL; /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ - p+=len; + p+=length; if (a != NULL) (*a)=ret; *pp=p; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_octet.c b/Cryptlib/OpenSSL/crypto/asn1/a_octet.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_print.c b/Cryptlib/OpenSSL/crypto/asn1/a_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_set.c b/Cryptlib/OpenSSL/crypto/asn1/a_set.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_sign.c b/Cryptlib/OpenSSL/crypto/asn1/a_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c old mode 100755 new mode 100644 index 264ebf2..ead37ac --- a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c @@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; + stmp.length = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c old mode 100755 new mode 100644 index b68ae43..9b7d688 --- a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c @@ -75,7 +75,7 @@ static int table_cmp(const void *a, const void *b); * certain software (e.g. Netscape) has problems with them. */ -static unsigned long global_mask = 0xFFFFFFFFL; +static unsigned long global_mask = B_ASN1_UTF8STRING; void ASN1_STRING_set_default_mask(unsigned long mask) { diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_time.c b/Cryptlib/OpenSSL/crypto/asn1/a_time.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_type.c b/Cryptlib/OpenSSL/crypto/asn1/a_type.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c b/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c b/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c old mode 100755 new mode 100644 index da3efaa..7ded69b --- a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c @@ -138,6 +138,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat unsigned char *buf_in=NULL; int ret= -1,i,inl; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); i=OBJ_obj2nid(a->algorithm); type=EVP_get_digestbyname(OBJ_nid2sn(i)); diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c old mode 100755 new mode 100644 index 5af559e..d345155 --- a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c @@ -131,6 +131,9 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, *pclass=xclass; if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err; + if (inf && !(ret & V_ASN1_CONSTRUCTED)) + goto err; + #if 0 fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d (%d > %d)\n", (int)p,*plength,omax,(int)*pp,(int)(p+ *plength), diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c old mode 100755 new mode 100644 index ad8fbed..095887f --- a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c @@ -595,6 +595,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio) int len, state, save_state = 0; headers = sk_MIME_HEADER_new(mime_hdr_cmp); + if (!headers) + return NULL; while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) { /* If whitespace at line start then continuation line */ if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME; diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c b/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c old mode 100755 new mode 100644 index f1a5a05..c373714 --- a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c @@ -134,15 +134,23 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct) if (!(octmp->length = i2d(obj, NULL))) { ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR); - return NULL; + goto err; } if (!(p = OPENSSL_malloc (octmp->length))) { ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } octmp->data = p; i2d (obj, &p); return octmp; + err: + if (!oct || !*oct) + { + ASN1_STRING_free(octmp); + if (oct) + *oct = NULL; + } + return NULL; } #endif diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c old mode 100755 new mode 100644 index f3d9804..1b94459 --- a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c +++ b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c @@ -66,7 +66,11 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) ASN1_STRING *os; if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0); - if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0); + if (!M_ASN1_OCTET_STRING_set(os,data,len)) + { + M_ASN1_OCTET_STRING_free(os); + return 0; + } ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_enum.c b/Cryptlib/OpenSSL/crypto/asn1/f_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_int.c b/Cryptlib/OpenSSL/crypto/asn1/f_int.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_string.c b/Cryptlib/OpenSSL/crypto/asn1/f_string.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/nsseq.c b/Cryptlib/OpenSSL/crypto/asn1/nsseq.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c b/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_crl.c b/Cryptlib/OpenSSL/crypto/asn1/t_crl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c old mode 100755 new mode 100644 index afb95d6..bc23f56 --- a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c +++ b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c @@ -208,11 +208,6 @@ int DSA_print(BIO *bp, const DSA *x, int off) if (x->p) buf_len = (size_t)BN_num_bytes(x->p); - else - { - DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS); - goto err; - } if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_req.c b/Cryptlib/OpenSSL/crypto/asn1/t_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_spki.c b/Cryptlib/OpenSSL/crypto/asn1/t_spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c old mode 100755 new mode 100644 index 6f295b4..f9dad0e --- a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c +++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c @@ -465,6 +465,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) l=80-2-obase; b=X509_NAME_oneline(name,NULL,0); + if (!b) + return 0; if (!*b) { OPENSSL_free(b); diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c old mode 100755 new mode 100644 index 2721f90..b3687f9 --- a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c +++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c @@ -453,9 +453,14 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, { derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst)); - tmpdat = OPENSSL_malloc(skcontlen); - if (!derlst || !tmpdat) + if (!derlst) return 0; + tmpdat = OPENSSL_malloc(skcontlen); + if (!tmpdat) + { + OPENSSL_free(derlst); + return 0; + } } } /* If not sorting just output each item */ diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_algor.c b/Cryptlib/OpenSSL/crypto/asn1/x_algor.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c b/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_crl.c b/Cryptlib/OpenSSL/crypto/asn1/x_crl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_exten.c b/Cryptlib/OpenSSL/crypto/asn1/x_exten.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_info.c b/Cryptlib/OpenSSL/crypto/asn1/x_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_long.c b/Cryptlib/OpenSSL/crypto/asn1/x_long.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_name.c b/Cryptlib/OpenSSL/crypto/asn1/x_name.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c old mode 100755 new mode 100644 index 94d9f7e..bc8a7bf --- a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c @@ -371,12 +371,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); if (key->pkey) { + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); EVP_PKEY_free(ret); ret = key->pkey; } else + { key->pkey = ret; - CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + } CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); return(ret); err: diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_req.c b/Cryptlib/OpenSSL/crypto/asn1/x_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_sig.c b/Cryptlib/OpenSSL/crypto/asn1/x_sig.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_spki.c b/Cryptlib/OpenSSL/crypto/asn1/x_spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_val.c b/Cryptlib/OpenSSL/crypto/asn1/x_val.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c b/Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_ecb.c b/Cryptlib/OpenSSL/crypto/bf/bf_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_enc.c b/Cryptlib/OpenSSL/crypto/bf/bf_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c b/Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_skey.c b/Cryptlib/OpenSSL/crypto/bf/bf_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/b_dump.c b/Cryptlib/OpenSSL/crypto/bio/b_dump.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_buff.c b/Cryptlib/OpenSSL/crypto/bio/bf_buff.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c b/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_null.c b/Cryptlib/OpenSSL/crypto/bio/bf_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_cb.c b/Cryptlib/OpenSSL/crypto/bio/bio_cb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_err.c b/Cryptlib/OpenSSL/crypto/bio/bio_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c old mode 100755 new mode 100644 index 371cdf5..6346c19 --- a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c +++ b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c @@ -132,8 +132,8 @@ int BIO_free(BIO *a) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data); - if ((a->method == NULL) || (a->method->destroy == NULL)) return(1); - a->method->destroy(a); + if ((a->method != NULL) && (a->method->destroy != NULL)) + a->method->destroy(a); OPENSSL_free(a); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_bio.c b/Cryptlib/OpenSSL/crypto/bio/bss_bio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c b/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_fd.c b/Cryptlib/OpenSSL/crypto/bio/bss_fd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_file.c b/Cryptlib/OpenSSL/crypto/bio/bss_file.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_log.c b/Cryptlib/OpenSSL/crypto/bio/bss_log.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_mem.c b/Cryptlib/OpenSSL/crypto/bio/bss_mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_null.c b/Cryptlib/OpenSSL/crypto/bio/bss_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_add.c b/Cryptlib/OpenSSL/crypto/bn/bn_add.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_const.c b/Cryptlib/OpenSSL/crypto/bn/bn_const.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_depr.c b/Cryptlib/OpenSSL/crypto/bn/bn_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_div.c b/Cryptlib/OpenSSL/crypto/bn/bn_div.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_err.c b/Cryptlib/OpenSSL/crypto/bn/bn_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c old mode 100755 new mode 100644 index 5d90f1e..28f1fa8 --- a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c @@ -1095,3 +1095,54 @@ int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a) return 1; } +/* + * Constant-time conditional swap of a and b. + * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. + * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, + * and that no more than nwords are used by either a or b. + * a and b cannot be the same number + */ +void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) + { + BN_ULONG t; + int i; + + bn_wcheck_size(a, nwords); + bn_wcheck_size(b, nwords); + + assert(a != b); + assert((condition & (condition - 1)) == 0); + assert(sizeof(BN_ULONG) >= sizeof(int)); + + condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; + + t = (a->top^b->top) & condition; + a->top ^= t; + b->top ^= t; + +#define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ + a->d[ind] ^= t; \ + b->d[ind] ^= t; \ + } while (0) + + + switch (nwords) { + default: + for (i = 10; i < nwords; i++) + BN_CONSTTIME_SWAP(i); + /* Fallthrough */ + case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ + case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ + case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ + case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ + case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ + case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ + case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ + case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ + case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ + case 1: BN_CONSTTIME_SWAP(0); + } +#undef BN_CONSTTIME_SWAP +} diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_kron.c b/Cryptlib/OpenSSL/crypto/bn/bn_kron.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c old mode 100755 new mode 100644 index 32a8fba..c288844 --- a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c @@ -320,6 +320,15 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE); return(NULL); } +#ifdef PURIFY + /* Valgrind complains in BN_consttime_swap because we process the whole + * array even if it's not initialised yet. This doesn't matter in that + * function - what's important is constant time operation (we're not + * actually going to use the data) + */ + memset(a, 0, sizeof(BN_ULONG)*words); +#endif + #if 1 B=b->d; /* Check if the previous number needs to be copied */ diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mod.c b/Cryptlib/OpenSSL/crypto/bn/bn_mod.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c old mode 100755 new mode 100644 index 4799b15..27cafb1 --- a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c @@ -701,32 +701,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx) { - int got_write_lock = 0; BN_MONT_CTX *ret; CRYPTO_r_lock(lock); - if (!*pmont) - { - CRYPTO_r_unlock(lock); - CRYPTO_w_lock(lock); - got_write_lock = 1; - - if (!*pmont) - { - ret = BN_MONT_CTX_new(); - if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) - BN_MONT_CTX_free(ret); - else - *pmont = ret; - } - } - ret = *pmont; - - if (got_write_lock) - CRYPTO_w_unlock(lock); + CRYPTO_r_unlock(lock); + if (ret) + return ret; + + /* We don't want to serialise globally while doing our lazy-init math in + * BN_MONT_CTX_set. That punishes threads that are doing independent + * things. Instead, punish the case where more than one thread tries to + * lazy-init the same 'pmont', by having each do the lazy-init math work + * independently and only use the one from the thread that wins the race + * (the losers throw away the work they've done). */ + ret = BN_MONT_CTX_new(); + if (!ret) + return NULL; + if (!BN_MONT_CTX_set(ret, mod, ctx)) + { + BN_MONT_CTX_free(ret); + return NULL; + } + + /* The locked compare-and-set, after the local work is done. */ + CRYPTO_w_lock(lock); + if (*pmont) + { + BN_MONT_CTX_free(ret); + ret = *pmont; + } else - CRYPTO_r_unlock(lock); - + *pmont = ret; + CRYPTO_w_unlock(lock); return ret; } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c b/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mul.c b/Cryptlib/OpenSSL/crypto/bn/bn_mul.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_opt.c b/Cryptlib/OpenSSL/crypto/bn/bn_opt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_print.c b/Cryptlib/OpenSSL/crypto/bn/bn_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c old mode 100755 new mode 100644 index 270d0cd..65bbf16 --- a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c @@ -77,6 +77,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) if (al <= 0) { r->top=0; + r->neg = 0; return 1; } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_word.c b/Cryptlib/OpenSSL/crypto/bn/bn_word.c old mode 100755 new mode 100644 index ee7b87c..de83a15 --- a/Cryptlib/OpenSSL/crypto/bn/bn_word.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_word.c @@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=!(a->neg); return(i); } - /* Only expand (and risk failing) if it's possibly necessary */ - if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && - (bn_wexpand(a,a->top+1) == NULL)) - return(0); - i=0; - for (;;) + for (i=0;w!=0 && itop;i++) { - if (i >= a->top) - l=w; - else - l=(a->d[i]+w)&BN_MASK2; - a->d[i]=l; - if (w > l) - w=1; - else - break; - i++; + a->d[i] = l = (a->d[i]+w)&BN_MASK2; + w = (w>l)?1:0; } - if (i >= a->top) + if (w && i==a->top) + { + if (bn_wexpand(a,a->top+1) == NULL) return 0; a->top++; + a->d[i]=w; + } bn_check_top(a); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_err.c b/Cryptlib/OpenSSL/crypto/buffer/buf_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_str.c b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buffer.c b/Cryptlib/OpenSSL/crypto/buffer/buffer.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_cfb64.c b/Cryptlib/OpenSSL/crypto/cast/c_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_ecb.c b/Cryptlib/OpenSSL/crypto/cast/c_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_enc.c b/Cryptlib/OpenSSL/crypto/cast/c_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_ofb64.c b/Cryptlib/OpenSSL/crypto/cast/c_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_skey.c b/Cryptlib/OpenSSL/crypto/cast/c_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/c_rle.c b/Cryptlib/OpenSSL/crypto/comp/c_rle.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_err.c b/Cryptlib/OpenSSL/crypto/comp/comp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_lib.c b/Cryptlib/OpenSSL/crypto/comp/comp_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_api.c b/Cryptlib/OpenSSL/crypto/conf/conf_api.c old mode 100755 new mode 100644 index 17bae83..55d1d50 --- a/Cryptlib/OpenSSL/crypto/conf/conf_api.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_api.c @@ -294,7 +294,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) v->value=(char *)sk; vv=(CONF_VALUE *)lh_insert(conf->data,v); - assert(vv == NULL); + OPENSSL_assert(vv == NULL); ok=1; err: if (!ok) diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.c b/Cryptlib/OpenSSL/crypto/conf/conf_def.c index 3c58936..a168339 100644 --- a/Cryptlib/OpenSSL/crypto/conf/conf_def.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.c @@ -324,7 +324,7 @@ again: p=eat_ws(conf, end); if (*p != ']') { - if (*p != '\0') + if (*p != '\0' && ss != p) { ss=p; goto again; diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_err.c b/Cryptlib/OpenSSL/crypto/conf/conf_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cpt_err.c b/Cryptlib/OpenSSL/crypto/cpt_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c old mode 100755 new mode 100644 index dd74ea8..dec3286 --- a/Cryptlib/OpenSSL/crypto/cryptlib.c +++ b/Cryptlib/OpenSSL/crypto/cryptlib.c @@ -542,3 +542,19 @@ void OpenSSLDie(const char *file,int line,const char *assertion) } void *OPENSSL_stderr(void) { return stderr; } + +#ifndef OPENSSL_FIPS + +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) + { + size_t i; + const unsigned char *a = in_a; + const unsigned char *b = in_b; + unsigned char x = 0; + + for (i = 0; i < len; i++) + x |= a[i] ^ b[i]; + + return x; + } +#endif diff --git a/Cryptlib/OpenSSL/crypto/cversion.c b/Cryptlib/OpenSSL/crypto/cversion.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cbc_cksm.c b/Cryptlib/OpenSSL/crypto/des/cbc_cksm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cbc_enc.c b/Cryptlib/OpenSSL/crypto/des/cbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb64ede.c b/Cryptlib/OpenSSL/crypto/des/cfb64ede.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb64enc.c b/Cryptlib/OpenSSL/crypto/des/cfb64enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb_enc.c b/Cryptlib/OpenSSL/crypto/des/cfb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_enc.c b/Cryptlib/OpenSSL/crypto/des/des_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_lib.c b/Cryptlib/OpenSSL/crypto/des/des_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_old.c b/Cryptlib/OpenSSL/crypto/des/des_old.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_old2.c b/Cryptlib/OpenSSL/crypto/des/des_old2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ecb3_enc.c b/Cryptlib/OpenSSL/crypto/des/ecb3_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ecb_enc.c b/Cryptlib/OpenSSL/crypto/des/ecb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c b/Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/enc_read.c b/Cryptlib/OpenSSL/crypto/des/enc_read.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/enc_writ.c b/Cryptlib/OpenSSL/crypto/des/enc_writ.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/fcrypt.c b/Cryptlib/OpenSSL/crypto/des/fcrypt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/fcrypt_b.c b/Cryptlib/OpenSSL/crypto/des/fcrypt_b.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb64ede.c b/Cryptlib/OpenSSL/crypto/des/ofb64ede.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb64enc.c b/Cryptlib/OpenSSL/crypto/des/ofb64enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb_enc.c b/Cryptlib/OpenSSL/crypto/des/ofb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/pcbc_enc.c b/Cryptlib/OpenSSL/crypto/des/pcbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/qud_cksm.c b/Cryptlib/OpenSSL/crypto/des/qud_cksm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/rand_key.c b/Cryptlib/OpenSSL/crypto/des/rand_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/read2pwd.c b/Cryptlib/OpenSSL/crypto/des/read2pwd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/rpc_enc.c b/Cryptlib/OpenSSL/crypto/des/rpc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/set_key.c b/Cryptlib/OpenSSL/crypto/des/set_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/str2key.c b/Cryptlib/OpenSSL/crypto/des/str2key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/xcbc_enc.c b/Cryptlib/OpenSSL/crypto/des/xcbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c b/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_check.c b/Cryptlib/OpenSSL/crypto/dh/dh_check.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_depr.c b/Cryptlib/OpenSSL/crypto/dh/dh_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_err.c b/Cryptlib/OpenSSL/crypto/dh/dh_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_gen.c b/Cryptlib/OpenSSL/crypto/dh/dh_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_key.c b/Cryptlib/OpenSSL/crypto/dh/dh_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_err.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_key.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dl.c b/Cryptlib/OpenSSL/crypto/dso/dso_dl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c b/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_err.c b/Cryptlib/OpenSSL/crypto/dso/dso_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_lib.c b/Cryptlib/OpenSSL/crypto/dso/dso_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_null.c b/Cryptlib/OpenSSL/crypto/dso/dso_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c b/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_vms.c b/Cryptlib/OpenSSL/crypto/dso/dso_vms.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_win32.c b/Cryptlib/OpenSSL/crypto/dso/dso_win32.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dyn_lck.c b/Cryptlib/OpenSSL/crypto/dyn_lck.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ebcdic.c b/Cryptlib/OpenSSL/crypto/ebcdic.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c b/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c old mode 100755 new mode 100644 index 7dca5e4..6b570a3 --- a/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c @@ -208,9 +208,12 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG /* Computes scalar*point and stores the result in r. * point can not equal r. - * Uses algorithm 2P of + * Uses a modified algorithm 2P of * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over * GF(2^m) without precomputation". + * + * To protect against side-channel attack the function uses constant time + * swap avoiding conditional branches. */ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) @@ -244,6 +247,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, x2 = &r->X; z2 = &r->Y; + bn_wexpand(x1, group->field.top); + bn_wexpand(z1, group->field.top); + bn_wexpand(x2, group->field.top); + bn_wexpand(z2, group->field.top); + if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ if (!BN_one(z1)) goto err; /* z1 = 1 */ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ @@ -266,16 +274,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, { for (; j >= 0; j--) { - if (scalar->d[i] & mask) - { - if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; - if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; - } - else - { - if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; - if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - } + BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top); + BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top); + if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; + if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; + BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top); + BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top); mask >>= 1; } j = BN_BITS2 - 1; diff --git a/Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c b/Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_asn1.c b/Cryptlib/OpenSSL/crypto/ec/ec_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_check.c b/Cryptlib/OpenSSL/crypto/ec/ec_check.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_curve.c b/Cryptlib/OpenSSL/crypto/ec/ec_curve.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_cvt.c b/Cryptlib/OpenSSL/crypto/ec/ec_cvt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_err.c b/Cryptlib/OpenSSL/crypto/ec/ec_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_key.c b/Cryptlib/OpenSSL/crypto/ec/ec_key.c old mode 100755 new mode 100644 index 522802c..6c933d2 --- a/Cryptlib/OpenSSL/crypto/ec/ec_key.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec_key.c @@ -435,18 +435,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + void *ret; + + CRYPTO_r_lock(CRYPTO_LOCK_EC); + ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + CRYPTO_r_unlock(CRYPTO_LOCK_EC); + + return ret; } -void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { EC_EXTRA_DATA *ex_data; + CRYPTO_w_lock(CRYPTO_LOCK_EC); ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); if (ex_data == NULL) EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func); CRYPTO_w_unlock(CRYPTO_LOCK_EC); + + return ex_data; } void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c old mode 100755 new mode 100644 index 5af8437..e7d11ff --- a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c @@ -480,10 +480,10 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx) if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) != EC_METHOD_get_field_type(EC_GROUP_method_of(b))) return 1; - /* compare the curve name (if present) */ + /* compare the curve name (if present in both) */ if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) && - EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b)) - return 0; + EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b)) + return 1; if (!ctx) ctx_new = ctx = BN_CTX_new(); @@ -1010,7 +1010,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX * int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) { - if (group->meth->dbl == 0) + if (group->meth->invert == 0) { ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; @@ -1061,12 +1061,12 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN if (group->meth->point_cmp == 0) { ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + return -1; } if ((group->meth != a->meth) || (a->meth != b->meth)) { ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); - return 0; + return -1; } return group->meth->point_cmp(group, a, b, ctx); } diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_mult.c b/Cryptlib/OpenSSL/crypto/ec/ec_mult.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_print.c b/Cryptlib/OpenSSL/crypto/ec/ec_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_mont.c b/Cryptlib/OpenSSL/crypto/ec/ecp_mont.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_nist.c b/Cryptlib/OpenSSL/crypto/ec/ecp_nist.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c b/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c old mode 100755 new mode 100644 index 66a92e2..b239088 --- a/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c +++ b/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c @@ -1540,9 +1540,8 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ct int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) { BN_CTX *new_ctx = NULL; - BIGNUM *tmp0, *tmp1; - size_t pow2 = 0; - BIGNUM **heap = NULL; + BIGNUM *tmp, *tmp_Z; + BIGNUM **prod_Z = NULL; size_t i; int ret = 0; @@ -1557,124 +1556,104 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT } BN_CTX_start(ctx); - tmp0 = BN_CTX_get(ctx); - tmp1 = BN_CTX_get(ctx); - if (tmp0 == NULL || tmp1 == NULL) goto err; + tmp = BN_CTX_get(ctx); + tmp_Z = BN_CTX_get(ctx); + if (tmp == NULL || tmp_Z == NULL) goto err; - /* Before converting the individual points, compute inverses of all Z values. - * Modular inversion is rather slow, but luckily we can do with a single - * explicit inversion, plus about 3 multiplications per input value. - */ - - pow2 = 1; - while (num > pow2) - pow2 <<= 1; - /* Now pow2 is the smallest power of 2 satifsying pow2 >= num. - * We need twice that. */ - pow2 <<= 1; - - heap = OPENSSL_malloc(pow2 * sizeof heap[0]); - if (heap == NULL) goto err; - - /* The array is used as a binary tree, exactly as in heapsort: - * - * heap[1] - * heap[2] heap[3] - * heap[4] heap[5] heap[6] heap[7] - * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15] - * - * We put the Z's in the last line; - * then we set each other node to the product of its two child-nodes (where - * empty or 0 entries are treated as ones); - * then we invert heap[1]; - * then we invert each other node by replacing it by the product of its - * parent (after inversion) and its sibling (before inversion). - */ - heap[0] = NULL; - for (i = pow2/2 - 1; i > 0; i--) - heap[i] = NULL; + prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]); + if (prod_Z == NULL) goto err; for (i = 0; i < num; i++) - heap[pow2/2 + i] = &points[i]->Z; - for (i = pow2/2 + num; i < pow2; i++) - heap[i] = NULL; - - /* set each node to the product of its children */ - for (i = pow2/2 - 1; i > 0; i--) { - heap[i] = BN_new(); - if (heap[i] == NULL) goto err; - - if (heap[2*i] != NULL) - { - if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1])) - { - if (!BN_copy(heap[i], heap[2*i])) goto err; - } - else - { - if (BN_is_zero(heap[2*i])) - { - if (!BN_copy(heap[i], heap[2*i + 1])) goto err; - } - else - { - if (!group->meth->field_mul(group, heap[i], - heap[2*i], heap[2*i + 1], ctx)) goto err; - } - } - } + prod_Z[i] = BN_new(); + if (prod_Z[i] == NULL) goto err; } - /* invert heap[1] */ - if (!BN_is_zero(heap[1])) - { - if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) - { - ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); - goto err; - } - } - if (group->meth->field_encode != 0) - { - /* in the Montgomery case, we just turned R*H (representing H) - * into 1/(R*H), but we need R*(1/H) (representing 1/H); - * i.e. we have need to multiply by the Montgomery factor twice */ - if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; - if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; - } + /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z, + * skipping any zero-valued inputs (pretend that they're 1). */ - /* set other heap[i]'s to their inverses */ - for (i = 2; i < pow2/2 + num; i += 2) + if (!BN_is_zero(&points[0]->Z)) { - /* i is even */ - if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) + if (!BN_copy(prod_Z[0], &points[0]->Z)) goto err; + } + else + { + if (group->meth->field_set_to_one != 0) { - if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err; - if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err; - if (!BN_copy(heap[i], tmp0)) goto err; - if (!BN_copy(heap[i + 1], tmp1)) goto err; + if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) goto err; } else { - if (!BN_copy(heap[i], heap[i/2])) goto err; + if (!BN_one(prod_Z[0])) goto err; } } - /* we have replaced all non-zero Z's by their inverses, now fix up all the points */ + for (i = 1; i < num; i++) + { + if (!BN_is_zero(&points[i]->Z)) + { + if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1], &points[i]->Z, ctx)) goto err; + } + else + { + if (!BN_copy(prod_Z[i], prod_Z[i - 1])) goto err; + } + } + + /* Now use a single explicit inversion to replace every + * non-zero points[i]->Z by its inverse. */ + + if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx)) + { + ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); + goto err; + } + if (group->meth->field_encode != 0) + { + /* In the Montgomery case, we just turned R*H (representing H) + * into 1/(R*H), but we need R*(1/H) (representing 1/H); + * i.e. we need to multiply by the Montgomery factor twice. */ + if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err; + if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err; + } + + for (i = num - 1; i > 0; --i) + { + /* Loop invariant: tmp is the product of the inverses of + * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */ + if (!BN_is_zero(&points[i]->Z)) + { + /* Set tmp_Z to the inverse of points[i]->Z (as product + * of Z inverses 0 .. i, Z values 0 .. i - 1). */ + if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx)) goto err; + /* Update tmp to satisfy the loop invariant for i - 1. */ + if (!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx)) goto err; + /* Replace points[i]->Z by its inverse. */ + if (!BN_copy(&points[i]->Z, tmp_Z)) goto err; + } + } + + if (!BN_is_zero(&points[0]->Z)) + { + /* Replace points[0]->Z by its inverse. */ + if (!BN_copy(&points[0]->Z, tmp)) goto err; + } + + /* Finally, fix up the X and Y coordinates for all points. */ + for (i = 0; i < num; i++) { EC_POINT *p = points[i]; - + if (!BN_is_zero(&p->Z)) { /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */ - if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err; - if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err; + if (!group->meth->field_sqr(group, tmp, &p->Z, ctx)) goto err; + if (!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx)) goto err; + + if (!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx)) goto err; + if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) goto err; - if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err; - if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err; - if (group->meth->field_set_to_one != 0) { if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err; @@ -1688,20 +1667,19 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT } ret = 1; - + err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); - if (heap != NULL) + if (prod_Z != NULL) { - /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */ - for (i = pow2/2 - 1; i > 0; i--) + for (i = 0; i < num; i++) { - if (heap[i] != NULL) - BN_clear_free(heap[i]); + if (prod_Z[i] != NULL) + BN_clear_free(prod_Z[i]); } - OPENSSL_free(heap); + OPENSSL_free(prod_Z); } return ret; } diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_err.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_key.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c old mode 100755 new mode 100644 index bf22234..f9ba5fb --- a/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c +++ b/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c @@ -205,8 +205,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key) ecdh_data = (ECDH_DATA *)ecdh_data_new(); if (ecdh_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdh_data, - ecdh_data_dup, ecdh_data_free, ecdh_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data, + ecdh_data_dup, ecdh_data_free, ecdh_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdh_data_free(ecdh_data); + ecdh_data = (ECDH_DATA *)data; + } } else ecdh_data = (ECDH_DATA *)data; diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c old mode 100755 new mode 100644 index 2ebae3a..81082c9 --- a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c +++ b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c @@ -188,8 +188,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) ecdsa_data = (ECDSA_DATA *)ecdsa_data_new(); if (ecdsa_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, - ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, + ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdsa_data_free(ecdsa_data); + ecdsa_data = (ECDSA_DATA *)data; + } } else ecdsa_data = (ECDSA_DATA *)data; diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_all.c b/Cryptlib/OpenSSL/crypto/engine/eng_all.c old mode 100755 new mode 100644 index f29c167..8a1b9c7 --- a/Cryptlib/OpenSSL/crypto/engine/eng_all.c +++ b/Cryptlib/OpenSSL/crypto/engine/eng_all.c @@ -102,14 +102,14 @@ void ENGINE_load_builtin_engines(void) #if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP) ENGINE_load_gmp(); #endif +#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) + ENGINE_load_capi(); +#endif #endif #ifndef OPENSSL_NO_HW #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) ENGINE_load_cryptodev(); #endif -#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) - ENGINE_load_capi(); -#endif #endif } diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c b/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c b/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c b/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_dyn.c b/Cryptlib/OpenSSL/crypto/engine/eng_dyn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_err.c b/Cryptlib/OpenSSL/crypto/engine/eng_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_fat.c b/Cryptlib/OpenSSL/crypto/engine/eng_fat.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_init.c b/Cryptlib/OpenSSL/crypto/engine/eng_init.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_lib.c b/Cryptlib/OpenSSL/crypto/engine/eng_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_list.c b/Cryptlib/OpenSSL/crypto/engine/eng_list.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_padlock.c b/Cryptlib/OpenSSL/crypto/engine/eng_padlock.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_pkey.c b/Cryptlib/OpenSSL/crypto/engine/eng_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_table.c b/Cryptlib/OpenSSL/crypto/engine/eng_table.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_cipher.c b/Cryptlib/OpenSSL/crypto/engine/tb_cipher.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_dh.c b/Cryptlib/OpenSSL/crypto/engine/tb_dh.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_digest.c b/Cryptlib/OpenSSL/crypto/engine/tb_digest.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_dsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_dsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c b/Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_rand.c b/Cryptlib/OpenSSL/crypto/engine/tb_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_rsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_rsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_store.c b/Cryptlib/OpenSSL/crypto/engine/tb_store.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_all.c b/Cryptlib/OpenSSL/crypto/err/err_all.c old mode 100755 new mode 100644 index 39796f7..0429389 --- a/Cryptlib/OpenSSL/crypto/err/err_all.c +++ b/Cryptlib/OpenSSL/crypto/err/err_all.c @@ -104,7 +104,9 @@ #ifndef OPENSSL_NO_JPAKE #include #endif +#ifndef OPENSSL_NO_COMP #include +#endif void ERR_load_crypto_strings(void) { diff --git a/Cryptlib/OpenSSL/crypto/err/err_bio.c b/Cryptlib/OpenSSL/crypto/err/err_bio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_def.c b/Cryptlib/OpenSSL/crypto/err/err_def.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_prn.c b/Cryptlib/OpenSSL/crypto/err/err_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_str.c b/Cryptlib/OpenSSL/crypto/err/err_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c old mode 100755 new mode 100644 index 72a2a67..16863fe --- a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c +++ b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c @@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl) else if (ctx->start) { q=p=(unsigned char *)ctx->tmp; + num = 0; for (j=0; j v) { rv=-1; goto end; } ret+=(v-eof); } else diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_err.c b/Cryptlib/OpenSSL/crypto/evp/evp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_key.c b/Cryptlib/OpenSSL/crypto/evp/evp_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c b/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss.c b/Cryptlib/OpenSSL/crypto/evp/m_dss.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss1.c b/Cryptlib/OpenSSL/crypto/evp/m_dss1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c b/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md2.c b/Cryptlib/OpenSSL/crypto/evp/m_md2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md4.c b/Cryptlib/OpenSSL/crypto/evp/m_md4.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md5.c b/Cryptlib/OpenSSL/crypto/evp/m_md5.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_null.c b/Cryptlib/OpenSSL/crypto/evp/m_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c b/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha.c b/Cryptlib/OpenSSL/crypto/evp/m_sha.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha1.c b/Cryptlib/OpenSSL/crypto/evp/m_sha1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/names.c b/Cryptlib/OpenSSL/crypto/evp/names.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_dec.c b/Cryptlib/OpenSSL/crypto/evp/p_dec.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_enc.c b/Cryptlib/OpenSSL/crypto/evp/p_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_lib.c b/Cryptlib/OpenSSL/crypto/evp/p_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_open.c b/Cryptlib/OpenSSL/crypto/evp/p_open.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_seal.c b/Cryptlib/OpenSSL/crypto/evp/p_seal.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_sign.c b/Cryptlib/OpenSSL/crypto/evp/p_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_verify.c b/Cryptlib/OpenSSL/crypto/evp/p_verify.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ex_data.c b/Cryptlib/OpenSSL/crypto/ex_data.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/fips_err.c b/Cryptlib/OpenSSL/crypto/fips_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/hmac/hmac.c b/Cryptlib/OpenSSL/crypto/hmac/hmac.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_cbc.c b/Cryptlib/OpenSSL/crypto/idea/i_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_cfb64.c b/Cryptlib/OpenSSL/crypto/idea/i_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_ecb.c b/Cryptlib/OpenSSL/crypto/idea/i_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_ofb64.c b/Cryptlib/OpenSSL/crypto/idea/i_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_skey.c b/Cryptlib/OpenSSL/crypto/idea/i_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c b/Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c b/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/lhash/lhash.c b/Cryptlib/OpenSSL/crypto/lhash/lhash.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md2/md2_dgst.c b/Cryptlib/OpenSSL/crypto/md2/md2_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md2/md2_one.c b/Cryptlib/OpenSSL/crypto/md2/md2_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md4/md4_dgst.c b/Cryptlib/OpenSSL/crypto/md4/md4_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md4/md4_one.c b/Cryptlib/OpenSSL/crypto/md4/md4_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c b/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_one.c b/Cryptlib/OpenSSL/crypto/md5/md5_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem.c b/Cryptlib/OpenSSL/crypto/mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem_clr.c b/Cryptlib/OpenSSL/crypto/mem_clr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem_dbg.c b/Cryptlib/OpenSSL/crypto/mem_dbg.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_dir.c b/Cryptlib/OpenSSL/crypto/o_dir.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_init.c b/Cryptlib/OpenSSL/crypto/o_init.c old mode 100755 new mode 100644 index d767a90..c89fda5 --- a/Cryptlib/OpenSSL/crypto/o_init.c +++ b/Cryptlib/OpenSSL/crypto/o_init.c @@ -93,4 +93,18 @@ void OPENSSL_init(void) #endif } +#ifdef OPENSSL_FIPS +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) + { + size_t i; + const unsigned char *a = in_a; + const unsigned char *b = in_b; + unsigned char x = 0; + + for (i = 0; i < len; i++) + x |= a[i] ^ b[i]; + + return x; + } +#endif diff --git a/Cryptlib/OpenSSL/crypto/o_str.c b/Cryptlib/OpenSSL/crypto/o_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_time.c b/Cryptlib/OpenSSL/crypto/o_time.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/o_names.c b/Cryptlib/OpenSSL/crypto/objects/o_names.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c old mode 100755 new mode 100644 index 760af16..cf5ba2a --- a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c +++ b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c @@ -444,11 +444,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) unsigned char *p; char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; - if ((a == NULL) || (a->data == NULL)) { - buf[0]='\0'; - return(0); - } + /* Ensure that, at every state, |buf| is NUL-terminated. */ + if (buf && buf_len > 0) + buf[0] = '\0'; + if ((a == NULL) || (a->data == NULL)) + return(0); if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) { @@ -527,9 +528,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i=(int)(l/40); l-=(long)(i*40); } - if (buf && (buf_len > 0)) + if (buf && (buf_len > 1)) { *buf++ = i + '0'; + *buf = '\0'; buf_len--; } n++; @@ -544,9 +546,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i = strlen(bndec); if (buf) { - if (buf_len > 0) + if (buf_len > 1) { *buf++ = '.'; + *buf = '\0'; buf_len--; } BUF_strlcpy(buf,bndec,buf_len); @@ -786,4 +789,3 @@ err: OPENSSL_free(buf); return(ok); } - diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_err.c b/Cryptlib/OpenSSL/crypto/objects/obj_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_lib.c b/Cryptlib/OpenSSL/crypto/objects/obj_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c old mode 100755 new mode 100644 index 92aba08..fb87cd7 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c @@ -464,6 +464,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) ctx = OCSP_sendreq_new(b, path, req, -1); + if (!ctx) + return NULL; + do { rv = OCSP_sendreq_nbio(&resp, ctx); diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c old mode 100755 new mode 100644 index 441ccb7..5883b4e --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c @@ -220,8 +220,19 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss if (!*ppath) goto mem_err; + p = host; + if(host[0] == '[') + { + /* ipv6 literal */ + host++; + p = strchr(host, ']'); + if(!p) goto parse_err; + *p = '\0'; + p++; + } + /* Look for optional ':' for port number */ - if ((p = strchr(host, ':'))) + if ((p = strchr(p, ':'))) { *p = 0; port = p + 1; diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c old mode 100755 new mode 100644 index 4a0c387..f24080f --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) + { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; @@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_all.c b/Cryptlib/OpenSSL/crypto/pem/pem_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_err.c b/Cryptlib/OpenSSL/crypto/pem/pem_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_info.c b/Cryptlib/OpenSSL/crypto/pem/pem_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_oth.c b/Cryptlib/OpenSSL/crypto/pem/pem_oth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c b/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_seal.c b/Cryptlib/OpenSSL/crypto/pem/pem_seal.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_sign.c b/Cryptlib/OpenSSL/crypto/pem/pem_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_x509.c b/Cryptlib/OpenSSL/crypto/pem/pem_x509.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c b/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c old mode 100755 new mode 100644 index 9522342..3ef3be1 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c @@ -100,7 +100,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; else #endif +#ifdef OPENSSL_NO_RC2 + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#else nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; +#endif } if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; @@ -290,7 +294,11 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, free_safes = 0; if (nid_safe == 0) +#ifdef OPENSSL_NO_RC2 + nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#else nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC; +#endif if (nid_safe == -1) p7 = PKCS12_pack_p7data(bags); diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c old mode 100755 new mode 100644 index 5c4c6ec..bdbbbec --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c @@ -261,7 +261,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, int len, r; unsigned char *data; len = ASN1_STRING_to_UTF8(&data, fname); - if(len > 0) { + if(len >= 0) { r = X509_alias_set1(x509, data, len); OPENSSL_free(data); if (!r) diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c old mode 100755 new mode 100644 index b0ff89a..49b450d --- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c +++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c @@ -290,8 +290,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, bufsiz = 4096; buf = OPENSSL_malloc (bufsiz); - if (buf == NULL) { - goto err; + if (buf == NULL) { + goto err; } /* We now have to 'read' from p7bio to calculate digests etc. */ diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c b/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c b/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/md_rand.c b/Cryptlib/OpenSSL/crypto/rand/md_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_egd.c b/Cryptlib/OpenSSL/crypto/rand/rand_egd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_eng.c b/Cryptlib/OpenSSL/crypto/rand/rand_eng.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_err.c b/Cryptlib/OpenSSL/crypto/rand/rand_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_lib.c b/Cryptlib/OpenSSL/crypto/rand/rand_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_nw.c b/Cryptlib/OpenSSL/crypto/rand/rand_nw.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_os2.c b/Cryptlib/OpenSSL/crypto/rand/rand_os2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_unix.c b/Cryptlib/OpenSSL/crypto/rand/rand_unix.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_win.c b/Cryptlib/OpenSSL/crypto/rand/rand_win.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/randfile.c b/Cryptlib/OpenSSL/crypto/rand/randfile.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c b/Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c b/Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c b/Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c b/Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c old mode 100755 new mode 100644 index d477f08..203d702 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c @@ -457,7 +457,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (padding == RSA_X931_PADDING) { BN_sub(f, rsa->n, ret); - if (BN_cmp(ret, f)) + if (BN_cmp(ret, f) > 0) res = f; else res = ret; diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c old mode 100755 new mode 100644 index 546ae5f..b8e3edc --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c @@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); - if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) + if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) goto decoding_err; else { diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1_one.c b/Cryptlib/OpenSSL/crypto/sha/sha1_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha256.c b/Cryptlib/OpenSSL/crypto/sha/sha256.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha512.c b/Cryptlib/OpenSSL/crypto/sha/sha512.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_one.c b/Cryptlib/OpenSSL/crypto/sha/sha_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/stack/stack.c b/Cryptlib/OpenSSL/crypto/stack/stack.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_err.c b/Cryptlib/OpenSSL/crypto/store/str_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_lib.c b/Cryptlib/OpenSSL/crypto/store/str_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_mem.c b/Cryptlib/OpenSSL/crypto/store/str_mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_meth.c b/Cryptlib/OpenSSL/crypto/store/str_meth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c b/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_compat.c b/Cryptlib/OpenSSL/crypto/ui/ui_compat.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_err.c b/Cryptlib/OpenSSL/crypto/ui/ui_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_lib.c b/Cryptlib/OpenSSL/crypto/ui/ui_lib.c old mode 100755 new mode 100644 index ac01008..67013f8 --- a/Cryptlib/OpenSSL/crypto/ui/ui_lib.c +++ b/Cryptlib/OpenSSL/crypto/ui/ui_lib.c @@ -897,9 +897,9 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result) break; } } + } default: break; } - } return 0; } diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_util.c b/Cryptlib/OpenSSL/crypto/ui/ui_util.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/uid.c b/Cryptlib/OpenSSL/crypto/uid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/by_dir.c b/Cryptlib/OpenSSL/crypto/x509/by_dir.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/by_file.c b/Cryptlib/OpenSSL/crypto/x509/by_file.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_att.c b/Cryptlib/OpenSSL/crypto/x509/x509_att.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_def.c b/Cryptlib/OpenSSL/crypto/x509/x509_def.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_err.c b/Cryptlib/OpenSSL/crypto/x509/x509_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_req.c b/Cryptlib/OpenSSL/crypto/x509/x509_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_set.c b/Cryptlib/OpenSSL/crypto/x509/x509_set.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c old mode 100755 new mode 100644 index af12520..b87617a --- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c @@ -386,11 +386,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) static int check_chain_extensions(X509_STORE_CTX *ctx) { -#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI) - /* - NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting - in Authenticode Signing Certificates. - */ +#ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok=0, must_be_ca, plen = 0; diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509cset.c b/Cryptlib/OpenSSL/crypto/x509/x509cset.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509name.c b/Cryptlib/OpenSSL/crypto/x509/x509name.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509rset.c b/Cryptlib/OpenSSL/crypto/x509/x509rset.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509spki.c b/Cryptlib/OpenSSL/crypto/x509/x509spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509type.c b/Cryptlib/OpenSSL/crypto/x509/x509type.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3err.c b/Cryptlib/OpenSSL/crypto/x509v3/v3err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/e_os.h b/Cryptlib/OpenSSL/e_os.h old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/update.sh b/Cryptlib/OpenSSL/update.sh index cb25ccd..897ef2d 100755 --- a/Cryptlib/OpenSSL/update.sh +++ b/Cryptlib/OpenSSL/update.sh @@ -1,499 +1,504 @@ #/bin/sh -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/e_os.h e_os.h -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cryptlib.c crypto/cryptlib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dyn_lck.c crypto/dyn_lck.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem.c crypto/mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem_clr.c crypto/mem_clr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem_dbg.c crypto/mem_dbg.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cversion.c crypto/cversion.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ex_data.c crypto/ex_data.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cpt_err.c crypto/cpt_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ebcdic.c crypto/ebcdic.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/uid.c crypto/uid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_time.c crypto/o_time.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_str.c crypto/o_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_dir.c crypto/o_dir.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_init.c crypto/o_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/fips_err.c crypto/fips_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md2/md2_one.c crypto/md2/md2_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md4/md4_one.c crypto/md4/md4_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md5/md5_one.c crypto/md5/md5_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha_one.c crypto/sha/sha_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha1_one.c crypto/sha/sha1_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha256.c crypto/sha/sha256.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha512.c crypto/sha/sha512.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/hmac/hmac.c crypto/hmac/hmac.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_lib.c crypto/des/des_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/set_key.c crypto/des/set_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ecb_enc.c crypto/des/ecb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cbc_enc.c crypto/des/cbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb64enc.c crypto/des/cfb64enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb64ede.c crypto/des/cfb64ede.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb_enc.c crypto/des/cfb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb64ede.c crypto/des/ofb64ede.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/enc_read.c crypto/des/enc_read.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/enc_writ.c crypto/des/enc_writ.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb64enc.c crypto/des/ofb64enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb_enc.c crypto/des/ofb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/str2key.c crypto/des/str2key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/qud_cksm.c crypto/des/qud_cksm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/rand_key.c crypto/des/rand_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_enc.c crypto/des/des_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/fcrypt.c crypto/des/fcrypt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/rpc_enc.c crypto/des/rpc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_old.c crypto/des/des_old.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_old2.c crypto/des/des_old2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/read2pwd.c crypto/des/read2pwd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_cbc.c crypto/idea/i_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_ecb.c crypto/idea/i_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_skey.c crypto/idea/i_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_skey.c crypto/bf/bf_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_enc.c crypto/bf/bf_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_skey.c crypto/cast/c_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_ecb.c crypto/cast/c_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_enc.c crypto/cast/c_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_misc.c crypto/aes/aes_misc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ige.c crypto/aes/aes_ige.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_core.c crypto/aes/aes_core.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_add.c crypto/bn/bn_add.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_div.c crypto/bn/bn_div.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_exp.c crypto/bn/bn_exp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_lib.c crypto/bn/bn_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mul.c crypto/bn/bn_mul.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mod.c crypto/bn/bn_mod.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_print.c crypto/bn/bn_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_rand.c crypto/bn/bn_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_shift.c crypto/bn/bn_shift.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_word.c crypto/bn/bn_word.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_blind.c crypto/bn/bn_blind.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_kron.c crypto/bn/bn_kron.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_prime.c crypto/bn/bn_prime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_err.c crypto/bn/bn_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_asm.c crypto/bn/bn_asm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_recp.c crypto/bn/bn_recp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mont.c crypto/bn/bn_mont.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_nist.c crypto/bn/bn_nist.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_depr.c crypto/bn/bn_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_const.c crypto/bn/bn_const.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_opt.c crypto/bn/bn_opt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_dl.c crypto/dso/dso_dl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_err.c crypto/dso/dso_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_lib.c crypto/dso/dso_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_null.c crypto/dso/dso_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_win32.c crypto/dso/dso_win32.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_vms.c crypto/dso/dso_vms.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_gen.c crypto/dh/dh_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_key.c crypto/dh/dh_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_lib.c crypto/dh/dh_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_check.c crypto/dh/dh_check.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_err.c crypto/dh/dh_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_depr.c crypto/dh/dh_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_lib.c crypto/ec/ec_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_mult.c crypto/ec/ec_mult.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_err.c crypto/ec/ec_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_curve.c crypto/ec/ec_curve.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_check.c crypto/ec/ec_check.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_print.c crypto/ec/ec_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_key.c crypto/ec/ec_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buffer.c crypto/buffer/buffer.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buf_str.c crypto/buffer/buf_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buf_err.c crypto/buffer/buf_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_lib.c crypto/bio/bio_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_cb.c crypto/bio/bio_cb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_err.c crypto/bio/bio_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_mem.c crypto/bio/bss_mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_null.c crypto/bio/bss_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_fd.c crypto/bio/bss_fd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_file.c crypto/bio/bss_file.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_null.c crypto/bio/bf_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_buff.c crypto/bio/bf_buff.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/b_dump.c crypto/bio/b_dump.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_log.c crypto/bio/bss_log.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_bio.c crypto/bio/bss_bio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/stack/stack.c crypto/stack/stack.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/lhash/lhash.c crypto/lhash/lhash.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/md_rand.c crypto/rand/md_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/randfile.c crypto/rand/randfile.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_lib.c crypto/rand/rand_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_eng.c crypto/rand/rand_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_err.c crypto/rand/rand_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_egd.c crypto/rand/rand_egd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_win.c crypto/rand/rand_win.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_unix.c crypto/rand/rand_unix.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_os2.c crypto/rand/rand_os2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_nw.c crypto/rand/rand_nw.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err.c crypto/err/err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_def.c crypto/err/err_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_all.c crypto/err/err_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_prn.c crypto/err/err_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_str.c crypto/err/err_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_bio.c crypto/err/err_bio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/o_names.c crypto/objects/o_names.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_dat.c crypto/objects/obj_dat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_lib.c crypto/objects/obj_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_err.c crypto/objects/obj_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/encode.c crypto/evp/encode.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/digest.c crypto/evp/digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/dig_eng.c crypto/evp/dig_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_enc.c crypto/evp/evp_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_key.c crypto/evp/evp_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_des.c crypto/evp/e_des.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_bf.c crypto/evp/e_bf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_idea.c crypto/evp/e_idea.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_des3.c crypto/evp/e_des3.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc4.c crypto/evp/e_rc4.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_aes.c crypto/evp/e_aes.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/names.c crypto/evp/names.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc2.c crypto/evp/e_rc2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_cast.c crypto/evp/e_cast.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc5.c crypto/evp/e_rc5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/enc_min.c crypto/evp/enc_min.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_null.c crypto/evp/m_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md2.c crypto/evp/m_md2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md4.c crypto/evp/m_md4.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md5.c crypto/evp/m_md5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_sha.c crypto/evp/m_sha.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_sha1.c crypto/evp/m_sha1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_dss.c crypto/evp/m_dss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_dss1.c crypto/evp/m_dss1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_open.c crypto/evp/p_open.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_seal.c crypto/evp/p_seal.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_sign.c crypto/evp/p_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_verify.c crypto/evp/p_verify.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_lib.c crypto/evp/p_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_enc.c crypto/evp/p_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_dec.c crypto/evp/p_dec.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_md.c crypto/evp/bio_md.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_b64.c crypto/evp/bio_b64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_enc.c crypto/evp/bio_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_err.c crypto/evp/evp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_null.c crypto/evp/e_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_all.c crypto/evp/c_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_allc.c crypto/evp/c_allc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_alld.c crypto/evp/c_alld.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_lib.c crypto/evp/evp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_ok.c crypto/evp/bio_ok.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_old.c crypto/evp/e_old.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_object.c crypto/asn1/a_object.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_time.c crypto/asn1/a_time.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_int.c crypto/asn1/a_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_octet.c crypto/asn1/a_octet.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_print.c crypto/asn1/a_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_type.c crypto/asn1/a_type.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_set.c crypto/asn1/a_set.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_dup.c crypto/asn1/a_dup.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_enum.c crypto/asn1/a_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_sign.c crypto/asn1/a_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_digest.c crypto/asn1/a_digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_verify.c crypto/asn1/a_verify.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_strex.c crypto/asn1/a_strex.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_algor.c crypto/asn1/x_algor.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_val.c crypto/asn1/x_val.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_sig.c crypto/asn1/x_sig.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_req.c crypto/asn1/x_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_long.c crypto/asn1/x_long.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_name.c crypto/asn1/x_name.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_x509.c crypto/asn1/x_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_crl.c crypto/asn1/x_crl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_info.c crypto/asn1/x_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_spki.c crypto/asn1/x_spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/nsseq.c crypto/asn1/nsseq.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_req.c crypto/asn1/t_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_x509.c crypto/asn1/t_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_crl.c crypto/asn1/t_crl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_spki.c crypto/asn1/t_spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_int.c crypto/asn1/f_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_string.c crypto/asn1/f_string.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_enum.c crypto/asn1/f_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bool.c crypto/asn1/a_bool.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_exten.c crypto/asn1/x_exten.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_meth.c crypto/asn1/a_meth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_sign.c crypto/pem/pem_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_seal.c crypto/pem/pem_seal.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_info.c crypto/pem/pem_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_lib.c crypto/pem/pem_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_all.c crypto/pem/pem_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_err.c crypto/pem/pem_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_x509.c crypto/pem/pem_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_oth.c crypto/pem/pem_oth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_def.c crypto/x509/x509_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_d2.c crypto/x509/x509_d2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_obj.c crypto/x509/x509_obj.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_req.c crypto/x509/x509_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509spki.c crypto/x509/x509spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_set.c crypto/x509/x509_set.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509cset.c crypto/x509/x509cset.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509rset.c crypto/x509/x509rset.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_err.c crypto/x509/x509_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509name.c crypto/x509/x509name.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_v3.c crypto/x509/x509_v3.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_ext.c crypto/x509/x509_ext.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_att.c crypto/x509/x509_att.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509type.c crypto/x509/x509type.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_lu.c crypto/x509/x509_lu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x_all.c crypto/x509/x_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_txt.c crypto/x509/x509_txt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_trs.c crypto/x509/x509_trs.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/by_file.c crypto/x509/by_file.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/by_dir.c crypto/x509/by_dir.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3err.c crypto/x509v3/v3err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_err.c crypto/conf/conf_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_lib.c crypto/conf/conf_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_api.c crypto/conf/conf_api.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_def.c crypto/conf/conf_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_mod.c crypto/conf/conf_mod.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_mall.c crypto/conf/conf_mall.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_sap.c crypto/conf/conf_sap.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/comp_lib.c crypto/comp/comp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/comp_err.c crypto/comp/comp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/c_rle.c crypto/comp/c_rle.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/c_zlib.c crypto/comp/c_zlib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_err.c crypto/engine/eng_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_lib.c crypto/engine/eng_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_list.c crypto/engine/eng_list.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_init.c crypto/engine/eng_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_table.c crypto/engine/eng_table.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_fat.c crypto/engine/eng_fat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_all.c crypto/engine/eng_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_dh.c crypto/engine/tb_dh.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_rand.c crypto/engine/tb_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_store.c crypto/engine/tb_store.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_digest.c crypto/engine/tb_digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_err.c crypto/ui/ui_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_lib.c crypto/ui/ui_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_util.c crypto/ui/ui_util.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_compat.c crypto/ui/ui_compat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_err.c crypto/store/str_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_lib.c crypto/store/str_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_meth.c crypto/store/str_meth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_mem.c crypto/store/str_mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c +DIR=$1 +version="0.9.8zb" + +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/e_os.h e_os.h +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cryptlib.c crypto/cryptlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dyn_lck.c crypto/dyn_lck.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem.c crypto/mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem_clr.c crypto/mem_clr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem_dbg.c crypto/mem_dbg.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cversion.c crypto/cversion.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ex_data.c crypto/ex_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cpt_err.c crypto/cpt_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ebcdic.c crypto/ebcdic.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/uid.c crypto/uid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_time.c crypto/o_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_str.c crypto/o_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_dir.c crypto/o_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_init.c crypto/o_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/fips_err.c crypto/fips_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md2/md2_one.c crypto/md2/md2_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md4/md4_one.c crypto/md4/md4_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md5/md5_one.c crypto/md5/md5_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha_one.c crypto/sha/sha_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha1_one.c crypto/sha/sha1_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha256.c crypto/sha/sha256.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha512.c crypto/sha/sha512.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/hmac/hmac.c crypto/hmac/hmac.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_lib.c crypto/des/des_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/set_key.c crypto/des/set_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ecb_enc.c crypto/des/ecb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cbc_enc.c crypto/des/cbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb64enc.c crypto/des/cfb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb64ede.c crypto/des/cfb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb_enc.c crypto/des/cfb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb64ede.c crypto/des/ofb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/enc_read.c crypto/des/enc_read.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/enc_writ.c crypto/des/enc_writ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb64enc.c crypto/des/ofb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb_enc.c crypto/des/ofb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/str2key.c crypto/des/str2key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/qud_cksm.c crypto/des/qud_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/rand_key.c crypto/des/rand_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_enc.c crypto/des/des_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/fcrypt.c crypto/des/fcrypt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/rpc_enc.c crypto/des/rpc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_old.c crypto/des/des_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_old2.c crypto/des/des_old2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/read2pwd.c crypto/des/read2pwd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_cbc.c crypto/idea/i_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_ecb.c crypto/idea/i_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_skey.c crypto/idea/i_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_skey.c crypto/bf/bf_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_enc.c crypto/bf/bf_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_skey.c crypto/cast/c_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_ecb.c crypto/cast/c_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_enc.c crypto/cast/c_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_misc.c crypto/aes/aes_misc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ige.c crypto/aes/aes_ige.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_core.c crypto/aes/aes_core.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_add.c crypto/bn/bn_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_div.c crypto/bn/bn_div.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_exp.c crypto/bn/bn_exp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_lib.c crypto/bn/bn_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mul.c crypto/bn/bn_mul.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mod.c crypto/bn/bn_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_print.c crypto/bn/bn_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_rand.c crypto/bn/bn_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_shift.c crypto/bn/bn_shift.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_word.c crypto/bn/bn_word.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_blind.c crypto/bn/bn_blind.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_kron.c crypto/bn/bn_kron.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_prime.c crypto/bn/bn_prime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_err.c crypto/bn/bn_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_asm.c crypto/bn/bn_asm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_recp.c crypto/bn/bn_recp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mont.c crypto/bn/bn_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_nist.c crypto/bn/bn_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_depr.c crypto/bn/bn_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_const.c crypto/bn/bn_const.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_opt.c crypto/bn/bn_opt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_dl.c crypto/dso/dso_dl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_err.c crypto/dso/dso_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_lib.c crypto/dso/dso_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_null.c crypto/dso/dso_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_win32.c crypto/dso/dso_win32.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_vms.c crypto/dso/dso_vms.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_gen.c crypto/dh/dh_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_key.c crypto/dh/dh_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_lib.c crypto/dh/dh_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_check.c crypto/dh/dh_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_err.c crypto/dh/dh_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_depr.c crypto/dh/dh_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_lib.c crypto/ec/ec_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_mult.c crypto/ec/ec_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_err.c crypto/ec/ec_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_curve.c crypto/ec/ec_curve.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_check.c crypto/ec/ec_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_print.c crypto/ec/ec_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_key.c crypto/ec/ec_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buffer.c crypto/buffer/buffer.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buf_str.c crypto/buffer/buf_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buf_err.c crypto/buffer/buf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_lib.c crypto/bio/bio_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_cb.c crypto/bio/bio_cb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_err.c crypto/bio/bio_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_mem.c crypto/bio/bss_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_null.c crypto/bio/bss_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_fd.c crypto/bio/bss_fd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_file.c crypto/bio/bss_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_null.c crypto/bio/bf_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_buff.c crypto/bio/bf_buff.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/b_dump.c crypto/bio/b_dump.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_log.c crypto/bio/bss_log.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_bio.c crypto/bio/bss_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/stack/stack.c crypto/stack/stack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/lhash/lhash.c crypto/lhash/lhash.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/md_rand.c crypto/rand/md_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/randfile.c crypto/rand/randfile.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_lib.c crypto/rand/rand_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_eng.c crypto/rand/rand_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_err.c crypto/rand/rand_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_egd.c crypto/rand/rand_egd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_win.c crypto/rand/rand_win.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_unix.c crypto/rand/rand_unix.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_os2.c crypto/rand/rand_os2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_nw.c crypto/rand/rand_nw.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err.c crypto/err/err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_def.c crypto/err/err_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_all.c crypto/err/err_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_prn.c crypto/err/err_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_str.c crypto/err/err_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_bio.c crypto/err/err_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/o_names.c crypto/objects/o_names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_dat.c crypto/objects/obj_dat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_lib.c crypto/objects/obj_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_err.c crypto/objects/obj_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/encode.c crypto/evp/encode.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/digest.c crypto/evp/digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/dig_eng.c crypto/evp/dig_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_enc.c crypto/evp/evp_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_key.c crypto/evp/evp_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_des.c crypto/evp/e_des.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_bf.c crypto/evp/e_bf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_idea.c crypto/evp/e_idea.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_des3.c crypto/evp/e_des3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc4.c crypto/evp/e_rc4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_aes.c crypto/evp/e_aes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/names.c crypto/evp/names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc2.c crypto/evp/e_rc2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_cast.c crypto/evp/e_cast.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc5.c crypto/evp/e_rc5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/enc_min.c crypto/evp/enc_min.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_null.c crypto/evp/m_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md2.c crypto/evp/m_md2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md4.c crypto/evp/m_md4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md5.c crypto/evp/m_md5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_sha.c crypto/evp/m_sha.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_sha1.c crypto/evp/m_sha1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_dss.c crypto/evp/m_dss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_dss1.c crypto/evp/m_dss1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_open.c crypto/evp/p_open.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_seal.c crypto/evp/p_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_sign.c crypto/evp/p_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_verify.c crypto/evp/p_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_lib.c crypto/evp/p_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_enc.c crypto/evp/p_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_dec.c crypto/evp/p_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_md.c crypto/evp/bio_md.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_b64.c crypto/evp/bio_b64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_enc.c crypto/evp/bio_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_err.c crypto/evp/evp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_null.c crypto/evp/e_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_all.c crypto/evp/c_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_allc.c crypto/evp/c_allc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_alld.c crypto/evp/c_alld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_lib.c crypto/evp/evp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_ok.c crypto/evp/bio_ok.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_old.c crypto/evp/e_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_object.c crypto/asn1/a_object.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_time.c crypto/asn1/a_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_int.c crypto/asn1/a_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_octet.c crypto/asn1/a_octet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_print.c crypto/asn1/a_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_type.c crypto/asn1/a_type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_set.c crypto/asn1/a_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_dup.c crypto/asn1/a_dup.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_enum.c crypto/asn1/a_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_sign.c crypto/asn1/a_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_digest.c crypto/asn1/a_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_verify.c crypto/asn1/a_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_strex.c crypto/asn1/a_strex.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_algor.c crypto/asn1/x_algor.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_val.c crypto/asn1/x_val.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_sig.c crypto/asn1/x_sig.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_req.c crypto/asn1/x_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_long.c crypto/asn1/x_long.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_name.c crypto/asn1/x_name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_x509.c crypto/asn1/x_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_crl.c crypto/asn1/x_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_info.c crypto/asn1/x_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_spki.c crypto/asn1/x_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/nsseq.c crypto/asn1/nsseq.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_req.c crypto/asn1/t_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_x509.c crypto/asn1/t_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_crl.c crypto/asn1/t_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_spki.c crypto/asn1/t_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_int.c crypto/asn1/f_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_string.c crypto/asn1/f_string.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_enum.c crypto/asn1/f_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bool.c crypto/asn1/a_bool.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_exten.c crypto/asn1/x_exten.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_meth.c crypto/asn1/a_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_sign.c crypto/pem/pem_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_seal.c crypto/pem/pem_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_info.c crypto/pem/pem_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_lib.c crypto/pem/pem_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_all.c crypto/pem/pem_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_err.c crypto/pem/pem_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_x509.c crypto/pem/pem_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_oth.c crypto/pem/pem_oth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_def.c crypto/x509/x509_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_d2.c crypto/x509/x509_d2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_obj.c crypto/x509/x509_obj.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_req.c crypto/x509/x509_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509spki.c crypto/x509/x509spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_set.c crypto/x509/x509_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509cset.c crypto/x509/x509cset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509rset.c crypto/x509/x509rset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_err.c crypto/x509/x509_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509name.c crypto/x509/x509name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_v3.c crypto/x509/x509_v3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_ext.c crypto/x509/x509_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_att.c crypto/x509/x509_att.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509type.c crypto/x509/x509type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_lu.c crypto/x509/x509_lu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x_all.c crypto/x509/x_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_txt.c crypto/x509/x509_txt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_trs.c crypto/x509/x509_trs.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/by_file.c crypto/x509/by_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/by_dir.c crypto/x509/by_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3err.c crypto/x509v3/v3err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_err.c crypto/conf/conf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_lib.c crypto/conf/conf_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_api.c crypto/conf/conf_api.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_def.c crypto/conf/conf_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_mod.c crypto/conf/conf_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_mall.c crypto/conf/conf_mall.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_sap.c crypto/conf/conf_sap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/comp_lib.c crypto/comp/comp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/comp_err.c crypto/comp/comp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/c_rle.c crypto/comp/c_rle.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/c_zlib.c crypto/comp/c_zlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_err.c crypto/engine/eng_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_lib.c crypto/engine/eng_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_list.c crypto/engine/eng_list.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_init.c crypto/engine/eng_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_table.c crypto/engine/eng_table.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_fat.c crypto/engine/eng_fat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_all.c crypto/engine/eng_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_dh.c crypto/engine/tb_dh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_rand.c crypto/engine/tb_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_store.c crypto/engine/tb_store.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_digest.c crypto/engine/tb_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_err.c crypto/ui/ui_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_lib.c crypto/ui/ui_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_util.c crypto/ui/ui_util.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_compat.c crypto/ui/ui_compat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_err.c crypto/store/str_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_lib.c crypto/store/str_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_meth.c crypto/store/str_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_mem.c crypto/store/str_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c + +find . -name "*.[ch]" -exec chmod -x {} \; diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index bb5f6d4..7b8bca5 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c @@ -146,8 +146,8 @@ AuthenticodeVerify ( // // Long Form of Length Encoding, only support two bytes. // - ContentSize = (UINTN) (*(SpcIndirectDataContent + 2)); - ContentSize = (ContentSize << 8) + (UINTN)(*(SpcIndirectDataContent + 3)); + ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2)); + ContentSize = (ContentSize << 8) + (UINTN)(*(UINT8 *)(SpcIndirectDataContent + 3)); // // Skip the SEQUENCE Tag; // diff --git a/Cryptlib/Pk/CryptDh.c b/Cryptlib/Pk/CryptDh.c deleted file mode 100644 index 942b3d1..0000000 --- a/Cryptlib/Pk/CryptDh.c +++ /dev/null @@ -1,328 +0,0 @@ -/** @file - Diffie-Hellman Wrapper Implementation over OpenSSL. - -Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" -#include - - -/** - Allocates and Initializes one Diffie-Hellman Context for subsequent use. - - @return Pointer to the Diffie-Hellman Context that has been initialized. - If the allocations fails, DhNew() returns NULL. - -**/ -VOID * -EFIAPI -DhNew ( - VOID - ) -{ - // - // Allocates & Initializes DH Context by OpenSSL DH_new() - // - return (VOID *) DH_new (); -} - -/** - Release the specified DH context. - - If DhContext is NULL, then return FALSE. - - @param[in] DhContext Pointer to the DH context to be released. - -**/ -VOID -EFIAPI -DhFree ( - IN VOID *DhContext - ) -{ - // - // Free OpenSSL DH Context - // - DH_free ((DH *) DhContext); -} - -/** - Generates DH parameter. - - Given generator g, and length of prime number p in bits, this function generates p, - and sets DH context according to value of g and p. - - Before this function can be invoked, pseudorandom number generator must be correctly - initialized by RandomSeed(). - - If DhContext is NULL, then return FALSE. - If Prime is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[out] Prime Pointer to the buffer to receive the generated prime number. - - @retval TRUE DH pamameter generation succeeded. - @retval FALSE Value of Generator is not supported. - @retval FALSE PRNG fails to generate random prime number with PrimeLength. - -**/ -BOOLEAN -EFIAPI -DhGenerateParameter ( - IN OUT VOID *DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - OUT UINT8 *Prime - ) -{ - BOOLEAN RetVal; - - // - // Check input parameters. - // - if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { - return FALSE; - } - - if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { - return FALSE; - } - - RetVal = (BOOLEAN) DH_generate_parameters_ex (DhContext, (UINT32) PrimeLength, (UINT32) Generator, NULL); - if (!RetVal) { - return FALSE; - } - - BN_bn2bin (((DH *) DhContext)->p, Prime); - - return TRUE; -} - -/** - Sets generator and prime parameters for DH. - - Given generator g, and prime number p, this function and sets DH - context accordingly. - - If DhContext is NULL, then return FALSE. - If Prime is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[in] Prime Pointer to the prime number. - - @retval TRUE DH pamameter setting succeeded. - @retval FALSE Value of Generator is not supported. - @retval FALSE Value of Generator is not suitable for the Prime. - @retval FALSE Value of Prime is not a prime number. - @retval FALSE Value of Prime is not a safe prime number. - -**/ -BOOLEAN -EFIAPI -DhSetParameter ( - IN OUT VOID *DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - IN CONST UINT8 *Prime - ) -{ - DH *Dh; - BIGNUM *Bn; - - // - // Check input parameters. - // - if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { - return FALSE; - } - - if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { - return FALSE; - } - - Bn = NULL; - - Dh = (DH *) DhContext; - Dh->g = NULL; - Dh->p = BN_new (); - if (Dh->p == NULL) { - goto Error; - } - - Dh->g = BN_new (); - if (Dh->g == NULL) { - goto Error; - } - - Bn = BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p); - if (Bn == NULL) { - goto Error; - } - - if (BN_set_word (Dh->g, (UINT32) Generator) == 0) { - goto Error; - } - - return TRUE; - -Error: - - if (Dh->p != NULL) { - BN_free (Dh->p); - } - - if (Dh->g != NULL) { - BN_free (Dh->g); - } - - if (Bn != NULL) { - BN_free (Bn); - } - - return FALSE; -} - -/** - Generates DH public key. - - This function generates random secret exponent, and computes the public key, which is - returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. - If the PublicKey buffer is too small to hold the public key, FALSE is returned and - PublicKeySize is set to the required buffer size to obtain the public key. - - If DhContext is NULL, then return FALSE. - If PublicKeySize is NULL, then return FALSE. - If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[out] PublicKey Pointer to the buffer to receive generated public key. - @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. - On output, the size of data returned in PublicKey buffer in bytes. - - @retval TRUE DH public key generation succeeded. - @retval FALSE DH public key generation failed. - @retval FALSE PublicKeySize is not large enough. - -**/ -BOOLEAN -EFIAPI -DhGenerateKey ( - IN OUT VOID *DhContext, - OUT UINT8 *PublicKey, - IN OUT UINTN *PublicKeySize - ) -{ - BOOLEAN RetVal; - DH *Dh; - INTN Size; - - // - // Check input parameters. - // - if (DhContext == NULL || PublicKeySize == NULL) { - return FALSE; - } - - if (PublicKey == NULL && *PublicKeySize != 0) { - return FALSE; - } - - Dh = (DH *) DhContext; - - RetVal = (BOOLEAN) DH_generate_key (DhContext); - if (RetVal) { - Size = BN_num_bytes (Dh->pub_key); - if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) { - *PublicKeySize = Size; - return FALSE; - } - - BN_bn2bin (Dh->pub_key, PublicKey); - *PublicKeySize = Size; - } - - return RetVal; -} - -/** - Computes exchanged common key. - - Given peer's public key, this function computes the exchanged common key, based on its own - context including value of prime modulus and random secret exponent. - - If DhContext is NULL, then return FALSE. - If PeerPublicKey is NULL, then return FALSE. - If KeySize is NULL, then return FALSE. - If Key is NULL, then return FALSE. - If KeySize is not large enough, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] PeerPublicKey Pointer to the peer's public key. - @param[in] PeerPublicKeySize Size of peer's public key in bytes. - @param[out] Key Pointer to the buffer to receive generated key. - @param[in, out] KeySize On input, the size of Key buffer in bytes. - On output, the size of data returned in Key buffer in bytes. - - @retval TRUE DH exchanged key generation succeeded. - @retval FALSE DH exchanged key generation failed. - @retval FALSE KeySize is not large enough. - -**/ -BOOLEAN -EFIAPI -DhComputeKey ( - IN OUT VOID *DhContext, - IN CONST UINT8 *PeerPublicKey, - IN UINTN PeerPublicKeySize, - OUT UINT8 *Key, - IN OUT UINTN *KeySize - ) -{ - BIGNUM *Bn; - INTN Size; - - // - // Check input parameters. - // - if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL || Key == NULL) { - return FALSE; - } - - if (PeerPublicKeySize > INT_MAX) { - return FALSE; - } - - Bn = BN_bin2bn (PeerPublicKey, (UINT32) PeerPublicKeySize, NULL); - if (Bn == NULL) { - return FALSE; - } - - Size = DH_compute_key (Key, Bn, DhContext); - if (Size < 0) { - BN_free (Bn); - return FALSE; - } - - if (*KeySize < (UINTN) Size) { - *KeySize = Size; - BN_free (Bn); - return FALSE; - } - - *KeySize = Size; - BN_free (Bn); - return TRUE; -} diff --git a/Cryptlib/Pk/CryptDhNull.c b/Cryptlib/Pk/CryptDhNull.c new file mode 100644 index 0000000..35045db --- /dev/null +++ b/Cryptlib/Pk/CryptDhNull.c @@ -0,0 +1,156 @@ +/** @file + Diffie-Hellman Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + ASSERT (FALSE); +} + +/** + Generates DH parameter. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Sets generator and prime parameters for DH. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates DH public key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes exchanged common key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/Cryptlib/Pk/CryptPkcs7SignNull.c b/Cryptlib/Pk/CryptPkcs7SignNull.c new file mode 100644 index 0000000..539bb6b --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7SignNull.c @@ -0,0 +1,59 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + Return FALSE to indicate this interface is not supported. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c new file mode 100644 index 0000000..05c3f87 --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -0,0 +1,677 @@ +/** @file + PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL. + + Caution: This module requires additional review when modified. + This library will have external input - signature (e.g. UEFI Authenticated + Variable). It may by input in SMM mode. + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated + Variable and will do basic check for data structure. + +Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + +UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; + +/** + Verification callback function to override any existing callbacks in OpenSSL + for intermediate certificate supports. + + @param[in] Status Original status before calling this callback. + @param[in] Context X509 store context. + + @retval 1 Current X509 certificate is verified successfully. + @retval 0 Verification failed. + +**/ +int +X509VerifyCb ( + IN int Status, + IN X509_STORE_CTX *Context + ) +{ + X509_OBJECT *Obj; + INTN Error; + INTN Index; + INTN Count; + + Obj = NULL; + Error = (INTN) X509_STORE_CTX_get_error (Context); + + // + // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_ + // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer + // can not be found in X509_verify_cert of X509_vfy.c. + // In order to support intermediate certificate node, we override the + // errors if the certification is obtained from X509 store, i.e. it is + // a trusted ceritifcate node that is enrolled by user. + // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + // are also ignored to enable such feature. + // + if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) || + (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) { + Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT)); + if (Obj == NULL) { + return 0; + } + + Obj->type = X509_LU_X509; + Obj->data.x509 = Context->current_cert; + + CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE); + + if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) { + Status = 1; + } else { + // + // If any certificate in the chain is enrolled as trusted certificate, + // pass the certificate verification. + // + if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) { + Count = (INTN) sk_X509_num (Context->chain); + for (Index = 0; Index < Count; Index++) { + Obj->data.x509 = sk_X509_value (Context->chain, (int) Index); + if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) { + Status = 1; + break; + } + } + } + } + + CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE); + } + + if ((Error == X509_V_ERR_CERT_UNTRUSTED) || + (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) { + Status = 1; + } + + if (Obj != NULL) { + OPENSSL_free (Obj); + } + + return Status; +} + +/** + Check input P7Data is a wrapped ContentInfo structure or not. If not construct + a new structure to wrap P7Data. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise + return FALSE. + @param[out] WrapData If return status of this function is TRUE: + 1) when WrapFlag is TRUE, pointer to P7Data. + 2) when WrapFlag is FALSE, pointer to a new ContentInfo + structure. It's caller's responsibility to free this + buffer. + @param[out] WrapDataSize Length of ContentInfo structure in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE The operation is failed due to lack of resources. + +**/ +BOOLEAN +WrapPkcs7Data ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT BOOLEAN *WrapFlag, + OUT UINT8 **WrapData, + OUT UINTN *WrapDataSize + ) +{ + BOOLEAN Wrapped; + UINT8 *SignedData; + + // + // Check whether input P7Data is a wrapped ContentInfo structure or not. + // + Wrapped = FALSE; + if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) { + if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) { + if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) { + Wrapped = TRUE; + } + } + } + + if (Wrapped) { + *WrapData = (UINT8 *) P7Data; + *WrapDataSize = P7Length; + } else { + // + // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes. + // + *WrapDataSize = P7Length + 19; + *WrapData = malloc (*WrapDataSize); + if (*WrapData == NULL) { + *WrapFlag = Wrapped; + return FALSE; + } + + SignedData = *WrapData; + + // + // Part1: 0x30, 0x82. + // + SignedData[0] = 0x30; + SignedData[1] = 0x82; + + // + // Part2: Length1 = P7Length + 19 - 4, in big endian. + // + SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8); + SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff); + + // + // Part3: 0x06, 0x09. + // + SignedData[4] = 0x06; + SignedData[5] = 0x09; + + // + // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02. + // + CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue)); + + // + // Part5: 0xA0, 0x82. + // + SignedData[15] = 0xA0; + SignedData[16] = 0x82; + + // + // Part6: Length2 = P7Length, in big endian. + // + SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8); + SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff); + + // + // Part7: P7Data. + // + CopyMem (SignedData + 19, P7Data, P7Length); + } + + *WrapFlag = Wrapped; + return TRUE; +} + +/** + Pop single certificate from STACK_OF(X509). + + If X509Stack, Cert, or CertSize is NULL, then return FALSE. + + @param[in] X509Stack Pointer to a X509 stack object. + @param[out] Cert Pointer to a X509 certificate. + @param[out] CertSize Length of output X509 certificate in bytes. + + @retval TRUE The X509 stack pop succeeded. + @retval FALSE The pop operation failed. + +**/ +BOOLEAN +X509PopCertificate ( + IN VOID *X509Stack, + OUT UINT8 **Cert, + OUT UINTN *CertSize + ) +{ + BIO *CertBio; + X509 *X509Cert; + STACK_OF(X509) *CertStack; + BOOLEAN Status; + INT32 Result; + INT32 Length; + VOID *Buffer; + + Status = FALSE; + + if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) { + return Status; + } + + CertStack = (STACK_OF(X509) *) X509Stack; + + X509Cert = sk_X509_pop (CertStack); + + if (X509Cert == NULL) { + return Status; + } + + Buffer = NULL; + + CertBio = BIO_new (BIO_s_mem ()); + if (CertBio == NULL) { + return Status; + } + + Result = i2d_X509_bio (CertBio, X509Cert); + if (Result == 0) { + goto _Exit; + } + + Length = ((BUF_MEM *) CertBio->ptr)->length; + if (Length <= 0) { + goto _Exit; + } + + Buffer = malloc (Length); + if (Buffer == NULL) { + goto _Exit; + } + + Result = BIO_read (CertBio, Buffer, Length); + if (Result != Length) { + goto _Exit; + } + + *Cert = Buffer; + *CertSize = Length; + + Status = TRUE; + +_Exit: + + BIO_free (CertBio); + + if (!Status && (Buffer != NULL)) { + free (Buffer); + } + + return Status; +} + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FAlSE. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsiblity to free the buffer. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsiblity to free the buffer. + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + PKCS7 *Pkcs7; + BOOLEAN Status; + UINT8 *SignedData; + UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN Wrapped; + STACK_OF(X509) *Stack; + UINT8 Index; + UINT8 *CertBuf; + UINT8 *OldBuf; + UINTN BufferSize; + UINTN OldSize; + UINT8 *SingleCert; + UINTN SingleCertSize; + + if ((P7Data == NULL) || (CertStack == NULL) || (StackLength == NULL) || + (TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) { + return FALSE; + } + + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); + if (!Status) { + return Status; + } + + Status = FALSE; + Pkcs7 = NULL; + Stack = NULL; + CertBuf = NULL; + OldBuf = NULL; + SingleCert = NULL; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Temp = SignedData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY); + if (Stack == NULL) { + goto _Exit; + } + + // + // Convert CertStack to buffer in following format: + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + BufferSize = sizeof (UINT8); + OldSize = BufferSize; + + for (Index = 0; ; Index++) { + Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize); + if (!Status) { + break; + } + + OldSize = BufferSize; + OldBuf = CertBuf; + BufferSize = OldSize + SingleCertSize + sizeof (UINT32); + CertBuf = malloc (BufferSize); + + if (CertBuf == NULL) { + goto _Exit; + } + + if (OldBuf != NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + free (OldBuf); + OldBuf = NULL; + } + + WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize); + + free (SingleCert); + SingleCert = NULL; + } + + if (CertBuf != NULL) { + // + // Update CertNumber. + // + CertBuf[0] = Index; + + *CertLength = BufferSize - OldSize - sizeof (UINT32); + *TrustedCert = malloc (*CertLength); + if (*TrustedCert == NULL) { + goto _Exit; + } + + CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLength); + *CertStack = CertBuf; + *StackLength = BufferSize; + Status = TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + free (SignedData); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + + if (Stack != NULL) { + sk_X509_pop_free(Stack, X509_free); + } + + if (SingleCert != NULL) { + free (SingleCert); + } + + if (!Status && (CertBuf != NULL)) { + free (CertBuf); + *CertStack = NULL; + } + + if (OldBuf != NULL) { + free (OldBuf); + } + + return Status; +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + if (Certs == NULL) { + return; + } + + free (Certs); +} + +/** + Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FAlSE. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + PKCS7 *Pkcs7; + BIO *DataBio; + BOOLEAN Status; + X509 *Cert; + X509_STORE *CertStore; + UINT8 *SignedData; + UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN Wrapped; + + // + // Check input parameters. + // + if (P7Data == NULL || TrustedCert == NULL || InData == NULL || + P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) { + return FALSE; + } + + Pkcs7 = NULL; + DataBio = NULL; + Cert = NULL; + CertStore = NULL; + + // + // Register & Initialize necessary digest algorithms for PKCS#7 Handling + // + if (EVP_add_digest (EVP_md5 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + return FALSE; + } + if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) { + return FALSE; + } + + + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); + if (!Status) { + return Status; + } + + Status = FALSE; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Temp = SignedData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Read DER-encoded root certificate and Construct X509 Certificate + // + Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength); + if (Cert == NULL) { + goto _Exit; + } + + // + // Setup X509 Store for trusted certificate + // + CertStore = X509_STORE_new (); + if (CertStore == NULL) { + goto _Exit; + } + if (!(X509_STORE_add_cert (CertStore, Cert))) { + goto _Exit; + } + + // + // Register customized X509 verification callback function to support + // trusted intermediate certificate anchor. + // + CertStore->verify_cb = X509VerifyCb; + + // + // For generic PKCS#7 handling, InData may be NULL if the content is present + // in PKCS#7 structure. So ignore NULL checking here. + // + DataBio = BIO_new (BIO_s_mem ()); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int) DataLength) <= 0) { + goto _Exit; + } + + // + // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and + // doesn't support the extended key usage for Authenticode Code Signing. + // Bypass the certificate purpose checking by enabling any purposes setting. + // + X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); + + // + // Verifies the PKCS#7 signedData structure + // + Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, PKCS7_BINARY); + +_Exit: + // + // Release Resources + // + BIO_free (DataBio); + X509_free (Cert); + X509_STORE_free (CertStore); + PKCS7_free (Pkcs7); + + if (!Wrapped) { + OPENSSL_free (SignedData); + } + + return Status; +} diff --git a/Cryptlib/Pk/CryptRsaExt.c b/Cryptlib/Pk/CryptRsaExt.c deleted file mode 100644 index 5c21d12..0000000 --- a/Cryptlib/Pk/CryptRsaExt.c +++ /dev/null @@ -1,377 +0,0 @@ -/** @file - RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. - - This file implements following APIs which provide more capabilities for RSA: - 1) RsaGetKey - 2) RsaGenerateKey - 3) RsaCheckKey - 4) RsaPkcs1Sign - -Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" - -#include -#include -#include - -/** - Gets the tag-designated RSA key component from the established RSA context. - - This function retrieves the tag-designated RSA key component from the - established RSA context as a non-negative integer (octet string format - represented in RSA PKCS#1). - If specified key component has not been set or has been cleared, then returned - BnSize is set to 0. - If the BigNumber buffer is too small to hold the contents of the key, FALSE - is returned and BnSize is set to the required buffer size to obtain the key. - - If RsaContext is NULL, then return FALSE. - If BnSize is NULL, then return FALSE. - If BnSize is large enough but BigNumber is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] KeyTag Tag of RSA key component being set. - @param[out] BigNumber Pointer to octet integer buffer. - @param[in, out] BnSize On input, the size of big number buffer in bytes. - On output, the size of data returned in big number buffer in bytes. - - @retval TRUE RSA key component was retrieved successfully. - @retval FALSE Invalid RSA key component tag. - @retval FALSE BnSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaGetKey ( - IN OUT VOID *RsaContext, - IN RSA_KEY_TAG KeyTag, - OUT UINT8 *BigNumber, - IN OUT UINTN *BnSize - ) -{ - RSA *RsaKey; - BIGNUM *BnKey; - UINTN Size; - - // - // Check input parameters. - // - if (RsaContext == NULL || BnSize == NULL) { - return FALSE; - } - - RsaKey = (RSA *) RsaContext; - Size = *BnSize; - *BnSize = 0; - - switch (KeyTag) { - - // - // RSA Public Modulus (N) - // - case RsaKeyN: - if (RsaKey->n == NULL) { - return TRUE; - } - BnKey = RsaKey->n; - break; - - // - // RSA Public Exponent (e) - // - case RsaKeyE: - if (RsaKey->e == NULL) { - return TRUE; - } - BnKey = RsaKey->e; - break; - - // - // RSA Private Exponent (d) - // - case RsaKeyD: - if (RsaKey->d == NULL) { - return TRUE; - } - BnKey = RsaKey->d; - break; - - // - // RSA Secret Prime Factor of Modulus (p) - // - case RsaKeyP: - if (RsaKey->p == NULL) { - return TRUE; - } - BnKey = RsaKey->p; - break; - - // - // RSA Secret Prime Factor of Modules (q) - // - case RsaKeyQ: - if (RsaKey->q == NULL) { - return TRUE; - } - BnKey = RsaKey->q; - break; - - // - // p's CRT Exponent (== d mod (p - 1)) - // - case RsaKeyDp: - if (RsaKey->dmp1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmp1; - break; - - // - // q's CRT Exponent (== d mod (q - 1)) - // - case RsaKeyDq: - if (RsaKey->dmq1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmq1; - break; - - // - // The CRT Coefficient (== 1/q mod p) - // - case RsaKeyQInv: - if (RsaKey->iqmp == NULL) { - return TRUE; - } - BnKey = RsaKey->iqmp; - break; - - default: - return FALSE; - } - - *BnSize = Size; - Size = BN_num_bytes (BnKey); - - if (*BnSize < Size) { - *BnSize = Size; - return FALSE; - } - - if (BigNumber == NULL) { - return FALSE; - } - *BnSize = BN_bn2bin (BnKey, BigNumber) ; - - return TRUE; -} - -/** - Generates RSA key components. - - This function generates RSA key components. It takes RSA public exponent E and - length in bits of RSA modulus N as input, and generates all key components. - If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. - - Before this function can be invoked, pseudorandom number generator must be correctly - initialized by RandomSeed(). - - If RsaContext is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] ModulusLength Length of RSA modulus N in bits. - @param[in] PublicExponent Pointer to RSA public exponent. - @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. - - @retval TRUE RSA key component was generated successfully. - @retval FALSE Invalid RSA key component tag. - -**/ -BOOLEAN -EFIAPI -RsaGenerateKey ( - IN OUT VOID *RsaContext, - IN UINTN ModulusLength, - IN CONST UINT8 *PublicExponent, - IN UINTN PublicExponentSize - ) -{ - BIGNUM *KeyE; - BOOLEAN RetVal; - - // - // Check input parameters. - // - if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) { - return FALSE; - } - - KeyE = BN_new (); - if (KeyE == NULL) { - return FALSE; - } - - RetVal = FALSE; - - if (PublicExponent == NULL) { - if (BN_set_word (KeyE, 0x10001) == 0) { - goto _Exit; - } - } else { - if (BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE) == NULL) { - goto _Exit; - } - } - - if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) { - RetVal = TRUE; - } - -_Exit: - BN_free (KeyE); - return RetVal; -} - -/** - Validates key components of RSA context. - - This function validates key compoents of RSA context in following aspects: - - Whether p is a prime - - Whether q is a prime - - Whether n = p * q - - Whether d*e = 1 mod lcm(p-1,q-1) - - If RsaContext is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context to check. - - @retval TRUE RSA key components are valid. - @retval FALSE RSA key components are not valid. - -**/ -BOOLEAN -EFIAPI -RsaCheckKey ( - IN VOID *RsaContext - ) -{ - UINTN Reason; - - // - // Check input parameters. - // - if (RsaContext == NULL) { - return FALSE; - } - - if (RSA_check_key ((RSA *) RsaContext) != 1) { - Reason = ERR_GET_REASON (ERR_peek_last_error ()); - if (Reason == RSA_R_P_NOT_PRIME || - Reason == RSA_R_Q_NOT_PRIME || - Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q || - Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) { - return FALSE; - } - } - - return TRUE; -} - -/** - Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. - - This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in - RSA PKCS#1. - If the Signature buffer is too small to hold the contents of signature, FALSE - is returned and SigSize is set to the required buffer size to obtain the signature. - - If RsaContext is NULL, then return FALSE. - If MessageHash is NULL, then return FALSE. - If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. - If SigSize is large enough but Signature is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context for signature generation. - @param[in] MessageHash Pointer to octet message hash to be signed. - @param[in] HashSize Size of the message hash in bytes. - @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. - @param[in, out] SigSize On input, the size of Signature buffer in bytes. - On output, the size of data returned in Signature buffer in bytes. - - @retval TRUE Signature successfully generated in PKCS1-v1_5. - @retval FALSE Signature generation failed. - @retval FALSE SigSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaPkcs1Sign ( - IN VOID *RsaContext, - IN CONST UINT8 *MessageHash, - IN UINTN HashSize, - OUT UINT8 *Signature, - IN OUT UINTN *SigSize - ) -{ - RSA *Rsa; - UINTN Size; - INT32 DigestType; - - // - // Check input parameters. - // - if (RsaContext == NULL || MessageHash == NULL) { - return FALSE; - } - - Rsa = (RSA *) RsaContext; - Size = BN_num_bytes (Rsa->n); - - if (*SigSize < Size) { - *SigSize = Size; - return FALSE; - } - - if (Signature == NULL) { - return FALSE; - } - - // - // Determine the message digest algorithm according to digest size. - // Only MD5, SHA-1 or SHA-256 algorithm is supported. - // - switch (HashSize) { - case MD5_DIGEST_SIZE: - DigestType = NID_md5; - break; - - case SHA1_DIGEST_SIZE: - DigestType = NID_sha1; - break; - - case SHA256_DIGEST_SIZE: - DigestType = NID_sha256; - break; - - default: - return FALSE; - } - - return (BOOLEAN) RSA_sign ( - DigestType, - MessageHash, - (UINT32) HashSize, - Signature, - (UINT32 *) SigSize, - (RSA *) RsaContext - ); -} diff --git a/Cryptlib/Pk/CryptRsaExtNull.c b/Cryptlib/Pk/CryptRsaExtNull.c new file mode 100644 index 0000000..e44cdde --- /dev/null +++ b/Cryptlib/Pk/CryptRsaExtNull.c @@ -0,0 +1,125 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Gets the tag-designated RSA key component from the established RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates RSA key components. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Validates key components of RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + + diff --git a/Cryptlib/Rand/CryptRand.c b/Cryptlib/Rand/CryptRand.c index dc3ab99..895ce83 100644 --- a/Cryptlib/Rand/CryptRand.c +++ b/Cryptlib/Rand/CryptRand.c @@ -1,7 +1,7 @@ /** @file Pseudorandom Number Generator Wrapper Implementation over OpenSSL. -Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "InternalCryptLib.h" #include +#include // // Default seed for UEFI Crypto Library @@ -47,6 +48,14 @@ RandomSeed ( return FALSE; } + // + // The software PRNG implementation built in OpenSSL depends on message digest algorithm. + // Make sure SHA-1 digest algorithm is available here. + // + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + // // Seed the pseudorandom number generator with user-supplied value. // NOTE: A cryptographic PRNG must be seeded with unpredictable data. diff --git a/Cryptlib/update.sh b/Cryptlib/update.sh index 96bbece..0e34db9 100755 --- a/Cryptlib/update.sh +++ b/Cryptlib/update.sh @@ -13,9 +13,11 @@ cp $DIR/Cipher/CryptAes.c Cipher/CryptAes.c cp $DIR/Cipher/CryptTdes.c Cipher/CryptTdes.c cp $DIR/Cipher/CryptArc4.c Cipher/CryptArc4.c cp $DIR/Rand/CryptRand.c Rand/CryptRand.c -cp $DIR/Pk/CryptRsa.c Pk/CryptRsa.c -cp $DIR/Pk/CryptPkcs7.c Pk/CryptPkcs7.c -cp $DIR/Pk/CryptDh.c Pk/CryptDh.c +cp $DIR/Pk/CryptRsaBasic.c Pk/CryptRsaBasic.c +cp $DIR/Pk/CryptRsaExtNull.c Pk/CryptRsaExtNull.c +cp $DIR/Pk/CryptPkcs7SignNull.c Pk/CryptPkcs7SignNull.c +cp $DIR/Pk/CryptPkcs7Verify.c Pk/CryptPkcs7Verify.c +cp $DIR/Pk/CryptDhNull.c Pk/CryptDhNull.c cp $DIR/Pk/CryptX509.c Pk/CryptX509.c cp $DIR/Pk/CryptAuthenticode.c Pk/CryptAuthenticode.c cp $DIR/Pem/CryptPem.c Pem/CryptPem.c diff --git a/Makefile b/Makefile index a22c6b3..332a29b 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,14 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) +CC = $(CROSS_COMPILE)gcc +LD = $(CROSS_COMPILE)ld +OBJCOPY = $(CROSS_COMPILE)objcopy + +ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) SUBDIRS = Cryptlib lib LIB_PATH = /usr/lib64 -EFI_INCLUDE = /usr/include/efi +EFI_INCLUDE := /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude EFI_PATH := /usr/lib64/gnuefi @@ -16,8 +20,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ - -mno-mmx -mno-sse -fno-builtin \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) @@ -25,9 +29,23 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) CFLAGS += -DOVERRIDE_SECURITY_POLICY endif + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 +endif + +ifeq ($(ARCH),aarch64) + CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif + +ifeq ($(ARCH),arm) + CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif + ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" endif @@ -37,7 +55,7 @@ endif LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -VERSION = 0.7 +VERSION = 0.8 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o @@ -69,7 +87,6 @@ version.c : version.c.in certdb/secmod.db: shim.crt -mkdir certdb - certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt pk12util -d certdb/ -i shim.p12 -W "" -K "" certutil -d certdb/ -A -i shim.crt -n shim -t u @@ -83,7 +100,7 @@ shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a fallback.o: $(FALLBACK_SRCS) -fallback.so: $(FALLBACK_OBJS) +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) @@ -98,20 +115,34 @@ Cryptlib/OpenSSL/libopenssl.a: $(MAKE) -C Cryptlib/OpenSSL lib/lib.a: - $(MAKE) -C lib EFI_PATH=$(EFI_PATH) + $(MAKE) -C lib + +ifeq ($(ARCH),aarch64) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +ifeq ($(ARCH),arm) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +FORMAT ?= --target efi-app-$(ARCH) %.efi: %.so - objcopy -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel \ - -j .rela -j .reloc -j .eh_frame \ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ -j .vendor_cert \ - --target=efi-app-$(ARCH) $^ $@ - objcopy -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel \ - -j .rela -j .reloc -j .eh_frame \ + $(FORMAT) $^ $@ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ -j .debug_info -j .debug_abbrev -j .debug_aranges \ -j .debug_line -j .debug_str -j .debug_ranges \ - --target=efi-app-$(ARCH) $^ $@.debug + $(FORMAT) $^ $@.debug %.efi.signed: %.efi certdb/secmod.db pesign -n certdb -i $< -c "shim" -s -o $@ -f @@ -148,3 +179,5 @@ archive: tag @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" + +export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/MokManager.c b/MokManager.c index f5ed379..ee29051 100644 --- a/MokManager.c +++ b/MokManager.c @@ -100,8 +100,18 @@ static UINT32 count_keys(void *Data, UINTN DataSize) EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINT32 MokNum = 0; + void *end = Data + DataSize; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + + /* Use ptr arithmetics to ensure bounded access. Do not allow 0 + * SignatureListSize that will cause endless loop. + */ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + console_notify(L"Invalid MOK detected! Ignoring MOK List."); + return 0; + } + if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { console_notify(L"Doesn't look like a key or hash"); @@ -137,6 +147,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINTN count = 0; + void *end = Data + DataSize; list = AllocatePool(sizeof(MokListNode) * num); @@ -146,6 +157,11 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { } while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + /* CertList out of bounds? */ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + FreePool(list); + return NULL; + } if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { dbsize -= CertList->SignatureListSize; @@ -165,10 +181,23 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); + /* Cert out of bounds? */ + if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) { + FreePool(list); + return NULL; + } + list[count].MokSize = CertList->SignatureSize - sizeof(EFI_GUID); list[count].Mok = (void *)Cert->SignatureData; list[count].Type = CertList->SignatureType; + /* MOK out of bounds? */ + if (list[count].MokSize > (unsigned long)end - + (unsigned long)list[count].Mok) { + FreePool(list); + return NULL; + } + count++; dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + @@ -436,7 +465,7 @@ static void show_mok_info (void *Mok, UINTN MokSize) static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) { - UINT32 MokNum = 0; + INTN MokNum = 0; MokListNode *keys = NULL; INTN key_num = 0; CHAR16 **menu_strings; @@ -449,6 +478,8 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) } MokNum = count_keys(KeyList, KeyListSize); + if (MokNum == 0) + return 0; keys = build_mok_list(MokNum, KeyList, KeyListSize); if (!keys) { @@ -488,13 +519,19 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) return EFI_SUCCESS; } -static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) +static EFI_STATUS get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) { EFI_INPUT_KEY key; - int count = 0; + EFI_STATUS status; + unsigned int count = 0; do { - key = console_get_keystroke(); + status = console_get_keystroke(&key); + if (EFI_ERROR (status)) { + console_error(L"Failed to read the keystroke", status); + *length = 0; + return status; + } if ((count >= line_max && key.UnicodeChar != CHAR_BACKSPACE) || @@ -525,7 +562,7 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show *length = count; - return 1; + return EFI_SUCCESS; } static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, @@ -640,7 +677,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; - int i; + unsigned int i; if (pw_crypt) { auth_hash = pw_crypt->hash; @@ -989,6 +1026,7 @@ static INTN mok_deletion_prompt (void *MokDel, UINTN MokDelSize) static CHAR16 get_password_charater (CHAR16 *prompt) { SIMPLE_TEXT_OUTPUT_MODE SavedMode; + EFI_STATUS status; CHAR16 *message[2]; CHAR16 character; UINTN length; @@ -1003,7 +1041,9 @@ static CHAR16 get_password_charater (CHAR16 *prompt) message[1] = NULL; length = StrLen(message[0]); console_print_box_at(message, -1, -length-4, -5, length+4, 3, 0, 1); - get_line(&pw_length, &character, 1, 0); + status = get_line(&pw_length, &character, 1, 0); + if (EFI_ERROR(status)) + character = 0; console_restore_mode(&SavedMode); @@ -1112,7 +1152,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { return -1; } } else { - LibDeleteVariable(L"MokSBState", &shim_lock_guid); + efi_status = uefi_call_wrapper(RT->SetVariable, + 5, L"MokSBState", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to delete Secure Boot state"); + return -1; + } } console_notify(L"The system must now be rebooted"); @@ -1224,7 +1273,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) { return -1; } } else { - LibDeleteVariable(L"MokDBState", &shim_lock_guid); + efi_status = uefi_call_wrapper(RT->SetVariable, 5, + L"MokDBState", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to delete DB state"); + return -1; + } } console_notify(L"The system must now be rebooted"); @@ -1261,7 +1319,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0) return 0; - LibDeleteVariable(L"MokPWStore", &shim_lock_guid); + uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); LibDeleteVariable(L"MokPW", &shim_lock_guid); console_notify(L"The system must now be rebooted"); uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, @@ -1306,12 +1368,31 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } -static BOOLEAN verify_certificate(void *cert, UINTN size) +static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; - if (!cert || size == 0) + UINTN length; + if (!cert || size < 0) return FALSE; + /* + * A DER encoding x509 certificate starts with SEQUENCE(0x30), + * the number of length bytes, and the number of value bytes. + * The size of a x509 certificate is usually between 127 bytes + * and 64KB. For convenience, assume the number of value bytes + * is 2, i.e. the second byte is 0x82. + */ + if (cert[0] != 0x30 || cert[1] != 0x82) { + console_notify(L"Not a DER encoding X509 certificate"); + return FALSE; + } + + length = (cert[2]<<8 | cert[3]); + if (length != (size - 4)) { + console_notify(L"Invalid X509 certificate: Inconsistent size"); + return FALSE; + } + if (!(X509ConstructCertificate(cert, size, (UINT8 **) &X509Cert)) || X509Cert == NULL) { console_notify(L"Invalid X509 certificate"); diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 8d72a82..e0a82cf 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -154,7 +154,7 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA256_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA256_Update(&alt_ctx, salt, salt_size); SHA256_Final(tmp_result, &alt_ctx); @@ -242,7 +242,7 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA512_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA512_Update(&alt_ctx, salt, salt_size); SHA512_Final(tmp_result, &alt_ctx); diff --git a/README b/README index 2977f2a..24a39df 100644 --- a/README +++ b/README @@ -12,5 +12,5 @@ in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, and so calls to it should not be wrapped. -To use shim, simply place a hex dump of the public certificate in cert.h -and build it with make. \ No newline at end of file +To use shim, simply place a DER-encoded public certificate in a file such as +pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". diff --git a/cert.S b/cert.S index 3cfd665..cfc4525 100644 --- a/cert.S +++ b/cert.S @@ -1,9 +1,7 @@ .globl cert_table - .data - .align 16 - .type cert_table, @object + .type cert_table, %object .size cert_table, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits cert_table: #if defined(VENDOR_CERT_FILE) .long vendor_cert_priv_end - vendor_cert_priv @@ -20,48 +18,48 @@ cert_table: #if defined(VENDOR_CERT_FILE) .data .align 1 - .type vendor_cert_priv, @object + .type vendor_cert_priv, %object .size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv: .incbin VENDOR_CERT_FILE vendor_cert_priv_end: #else .bss - .type vendor_cert_priv, @object + .type vendor_cert_priv, %object .size vendor_cert_priv, 1 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv: .zero 1 .data .align 4 - .type vendor_cert_size_priv, @object + .type vendor_cert_size_priv, %object .size vendor_cert_size_priv, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv_end: #endif #if defined(VENDOR_DBX_FILE) .data .align 1 - .type vendor_dbx_priv, @object + .type vendor_dbx_priv, %object .size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv: .incbin VENDOR_DBX_FILE vendor_dbx_priv_end: #else .bss - .type vendor_dbx_priv, @object + .type vendor_dbx_priv, %object .size vendor_dbx_priv, 1 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv: .zero 1 .data .align 4 - .type vendor_dbx_size_priv, @object + .type vendor_dbx_size_priv, %object .size vendor_dbx_size_priv, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv_end: #endif diff --git a/debian/changelog b/debian/changelog index a48878b..953e874 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shim (0.8-0ubuntu1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Mathieu Trudel-Lapierre Wed, 06 May 2015 09:49:45 -0400 + shim (0.7-0ubuntu4) utopic; urgency=medium * SECURITY UPDATE: heap overflow and out-of-bounds read access when diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds new file mode 100644 index 0000000..9c9a055 --- /dev/null +++ b/elf_aarch64_efi.lds @@ -0,0 +1,65 @@ +OUTPUT_FORMAT("elf64-littleaarch64", "elf64-littleaarch64", "elf64-littleaarch64") +OUTPUT_ARCH(aarch64) +ENTRY(_start) +SECTIONS +{ + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; + } + .dynamic : { *(.dynamic) } + .data : + { + *(.sdata) + *(.data) + *(.data1) + *(.data.*) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; + } + + . = ALIGN(4096); + .vendor_cert : + { + *(.vendor_cert) + } + . = ALIGN(4096); + + .rela.dyn : { *(.rela.dyn) } + .rela.plt : { *(.rela.plt) } + .rela.got : { *(.rela.got) } + .rela.data : { *(.rela.data) *(.rela.data*) } + _edata = .; + _data_size = . - _etext; + + . = ALIGN(4096); + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + /DISCARD/ : + { + *(.rel.reloc) + *(.eh_frame) + *(.note.GNU-stack) + } + .comment 0 : { *(.comment) } +} diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds new file mode 100644 index 0000000..c5dc298 --- /dev/null +++ b/elf_arm_efi.lds @@ -0,0 +1,65 @@ +OUTPUT_FORMAT("elf32-littlearm", "elf32-littlearm", "elf32-littlearm") +OUTPUT_ARCH(arm) +ENTRY(_start) +SECTIONS +{ + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; + } + .dynamic : { *(.dynamic) } + .data : + { + *(.sdata) + *(.data) + *(.data1) + *(.data*) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; + } + + . = ALIGN(4096); + .vendor_cert : + { + *(.vendor_cert) + } + . = ALIGN(4096); + + .rel.dyn : { *(.rel.dyn) } + .rel.plt : { *(.rel.plt) } + .rel.got : { *(.rel.got) } + .rel.data : { *(.rel.data) *(.rel.data*) } + _edata = .; + _data_size = . - _etext; + + . = ALIGN(4096); + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + /DISCARD/ : + { + *(.rel.reloc) + *(.eh_frame) + *(.note.GNU-stack) + } + .comment 0 : { *(.comment) } +} diff --git a/fallback.c b/fallback.c index 82ddbf2..d10fb62 100644 --- a/fallback.c +++ b/fallback.c @@ -15,7 +15,28 @@ EFI_LOADED_IMAGE *this_image = NULL; static EFI_STATUS -get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize) +FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, + EFI_DEVICE_PATH **Out) +{ + EFI_DEVICE_PATH *dp = In; + if (!In || !Out) + return EFI_INVALID_PARAMETER; + + for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { + if (DevicePathType(dp) == Type && + DevicePathSubType(dp) == SubType) { + *Out = DuplicateDevicePath(dp); + if (!*Out) + return EFI_OUT_OF_RESOURCES; + return EFI_SUCCESS; + } + } + *Out = NULL; + return EFI_NOT_FOUND; +} + +static EFI_STATUS +get_file_size(EFI_FILE_HANDLE fh, UINTN *retsize) { EFI_STATUS rc; void *buffer = NULL; @@ -60,7 +81,7 @@ read_file(EFI_FILE_HANDLE fh, CHAR16 *fullpath, CHAR16 **buffer, UINT64 *bs) return rc; } - UINT64 len = 0; + UINTN len = 0; CHAR16 *b = NULL; rc = get_file_size(fh2, &len); if (EFI_ERROR(rc)) { @@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) { UINT64 len; - len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2; + len = StrLen(L"\\EFI\\") + StrLen(dirname) + + StrLen(L"\\") + StrLen(filename) + + 2; CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16)); if (!fullpath) { @@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL; UINTN first_new_option_size = 0; EFI_STATUS -add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) +add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) { static int i = 0; CHAR16 varname[] = L"Boot0000"; @@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar void *var = LibGetVariable(varname, &global); if (!var) { int size = sizeof(UINT32) + sizeof (UINT16) + - StrLen(label)*2 + 2 + DevicePathSize(dp) + - StrLen(arguments) * 2 + 2; + StrLen(label)*2 + 2 + DevicePathSize(hddp) + + StrLen(arguments) * 2; CHAR8 *data = AllocateZeroPool(size); CHAR8 *cursor = data; *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; cursor += sizeof (UINT32); - *(UINT16 *)cursor = DevicePathSize(dp); + *(UINT16 *)cursor = DevicePathSize(hddp); cursor += sizeof (UINT16); StrCpy((CHAR16 *)cursor, label); cursor += StrLen(label)*2 + 2; - CopyMem(cursor, dp, DevicePathSize(dp)); - cursor += DevicePathSize(dp); + CopyMem(cursor, hddp, DevicePathSize(hddp)); + cursor += DevicePathSize(hddp); StrCpy((CHAR16 *)cursor, arguments); Print(L"Creating boot entry \"%s\" with label \"%s\" " L"for file \"%s\"\n", varname, label, filename); + + if (!first_new_option) { + first_new_option = DuplicateDevicePath(fulldp); + first_new_option_args = arguments; + first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } + rc = uefi_call_wrapper(RT->SetVariable, 5, varname, &global, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | @@ -173,12 +204,12 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar return EFI_OUT_OF_RESOURCES; int j = 0; + newbootorder[0] = i & 0xffff; if (nbootorder) { for (j = 0; j < nbootorder; j++) - newbootorder[j] = bootorder[j]; + newbootorder[j+1] = bootorder[j]; FreePool(bootorder); } - newbootorder[j] = i & 0xffff; bootorder = newbootorder; nbootorder += 1; #ifdef DEBUG_FALLBACK @@ -195,30 +226,105 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar } EFI_STATUS -update_boot_order(void) +find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, + CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, + UINT16 *optnum) +{ + unsigned int size = sizeof(UINT32) + sizeof (UINT16) + + StrLen(label)*2 + 2 + DevicePathSize(dp) + + StrLen(arguments) * 2; + + CHAR8 *data = AllocateZeroPool(size); + if (!data) + return EFI_OUT_OF_RESOURCES; + CHAR8 *cursor = data; + *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; + cursor += sizeof (UINT32); + *(UINT16 *)cursor = DevicePathSize(dp); + cursor += sizeof (UINT16); + StrCpy((CHAR16 *)cursor, label); + cursor += StrLen(label)*2 + 2; + CopyMem(cursor, dp, DevicePathSize(dp)); + cursor += DevicePathSize(dp); + StrCpy((CHAR16 *)cursor, arguments); + + int i = 0; + CHAR16 varname[] = L"Boot0000"; + CHAR16 hexmap[] = L"0123456789ABCDEF"; + EFI_GUID global = EFI_GLOBAL_VARIABLE; + EFI_STATUS rc; + + CHAR8 *candidate = AllocateZeroPool(size); + if (!candidate) { + FreePool(data); + return EFI_OUT_OF_RESOURCES; + } + + for(i = 0; i < nbootorder && i < 0x10000; i++) { + varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12]; + varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8]; + varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; + varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; + + UINTN candidate_size = size; + rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, + NULL, &candidate_size, candidate); + if (EFI_ERROR(rc)) + continue; + + if (candidate_size != size) + continue; + + if (CompareMem(candidate, data, size)) + continue; + + /* at this point, we have duplicate data. */ + if (!first_new_option) { + first_new_option = DuplicateDevicePath(fulldp); + first_new_option_args = arguments; + first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } + + *optnum = i; + FreePool(candidate); + FreePool(data); + return EFI_SUCCESS; + } + FreePool(candidate); + FreePool(data); + return EFI_NOT_FOUND; +} + +EFI_STATUS +set_boot_order(void) { CHAR16 *oldbootorder; UINTN size; EFI_GUID global = EFI_GLOBAL_VARIABLE; - CHAR16 *newbootorder = NULL; oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); if (oldbootorder) { - int n = size / sizeof (CHAR16) + nbootorder; - - newbootorder = AllocateZeroPool(n * sizeof (CHAR16)); - if (!newbootorder) - return EFI_OUT_OF_RESOURCES; - CopyMem(newbootorder, bootorder, nbootorder * sizeof (CHAR16)); - CopyMem(newbootorder + nbootorder, oldbootorder, size); - size = n * sizeof (CHAR16); - } else { - size = nbootorder * sizeof(CHAR16); - newbootorder = AllocateZeroPool(size); - if (!newbootorder) - return EFI_OUT_OF_RESOURCES; - CopyMem(newbootorder, bootorder, size); + nbootorder = size / sizeof (CHAR16); + bootorder = oldbootorder; } + return EFI_SUCCESS; + +} + +EFI_STATUS +update_boot_order(void) +{ + UINTN size; + UINTN len = 0; + EFI_GUID global = EFI_GLOBAL_VARIABLE; + CHAR16 *newbootorder = NULL; + EFI_STATUS rc; + + size = nbootorder * sizeof(CHAR16); + newbootorder = AllocateZeroPool(size); + if (!newbootorder) + return EFI_OUT_OF_RESOURCES; + CopyMem(newbootorder, bootorder, size); #ifdef DEBUG_FALLBACK Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); @@ -227,13 +333,11 @@ update_boot_order(void) Print(L"%04x ", newbootorder[j]); Print(L"\n"); #endif - - if (oldbootorder) { + rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, + NULL, &len, NULL); + if (rc == EFI_BUFFER_TOO_SMALL) LibDeleteVariable(L"BootOrder", &global); - FreePool(oldbootorder); - } - EFI_STATUS rc; rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | @@ -254,7 +358,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * if (EFI_ERROR(rc)) return rc; - EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL; + EFI_DEVICE_PATH *dph = NULL; + EFI_DEVICE_PATH *file = NULL; + EFI_DEVICE_PATH *full_device_path = NULL; + EFI_DEVICE_PATH *dp = NULL; dph = DevicePathFromHandle(this_image->DeviceHandle); if (!dph) { @@ -262,19 +369,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * goto err; } - dpf = FileDevicePath(fh, fullpath); - if (!dpf) { + file = FileDevicePath(fh, fullpath); + if (!file) { rc = EFI_OUT_OF_RESOURCES; goto err; } - dp = AppendDevicePath(dph, dpf); - if (!dp) { + full_device_path = AppendDevicePath(dph, file); + if (!full_device_path) { rc = EFI_OUT_OF_RESOURCES; goto err; } + rc = FindSubDevicePath(full_device_path, + MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); + if (EFI_ERROR(rc)) { + if (rc == EFI_NOT_FOUND) { + dp = full_device_path; + } else { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + } + #ifdef DEBUG_FALLBACK + { UINTN s = DevicePathSize(dp); int i; UINT8 *dpv = (void *)dp; @@ -287,20 +406,32 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * CHAR16 *dps = DevicePathToStr(dp); Print(L"device path: \"%s\"\n", dps); + } #endif - if (!first_new_option) { - CHAR16 *dps = DevicePathToStr(dp); - Print(L"device path: \"%s\"\n", dps); - first_new_option = DuplicateDevicePath(dp); - first_new_option_args = arguments; - first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + + UINT16 option; + rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); + if (EFI_ERROR(rc)) { + add_boot_option(dp, full_device_path, fullpath, label, arguments); + } else if (option != 0) { + CHAR16 *newbootorder; + newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); + if (!newbootorder) + return EFI_OUT_OF_RESOURCES; + + newbootorder[0] = bootorder[option]; + CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option); + CopyMem(newbootorder + option + 1, bootorder + option + 1, + sizeof (CHAR16) * (nbootorder - option - 1)); + FreePool(bootorder); + bootorder = newbootorder; } - add_boot_option(dp, fullpath, label, arguments); - err: - if (dpf) - FreePool(dpf); + if (file) + FreePool(file); + if (full_device_path) + FreePool(full_device_path); if (dp) FreePool(dp); if (fullpath) @@ -445,25 +576,32 @@ find_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname) return EFI_SUCCESS; } FreePool(buffer); + buffer = NULL; bs = 0; do { bs = 0; rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, NULL); - if (rc == EFI_BUFFER_TOO_SMALL) { - buffer = AllocateZeroPool(bs); - if (!buffer) { - Print(L"Could not allocate memory\n"); - return EFI_OUT_OF_RESOURCES; - } - - rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, buffer); + if (EFI_ERROR(rc) && rc != EFI_BUFFER_TOO_SMALL) { + Print(L"Could not read \\EFI\\%s\\: %d\n", dirname, rc); + if (buffer) + FreePool(buffer); + return rc; } + + buffer = AllocateZeroPool(bs); + if (!buffer) { + Print(L"Could not allocate memory\n"); + return EFI_OUT_OF_RESOURCES; + } + + rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, buffer); if (EFI_ERROR(rc)) { Print(L"Could not read \\EFI\\%s\\: %d\n", dirname, rc); FreePool(buffer); return rc; } + if (bs == 0) break; @@ -622,8 +760,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle) first_new_option, NULL, 0, &image_handle); if (EFI_ERROR(rc)) { - Print(L"LoadImage failed: %d\n", rc); - uefi_call_wrapper(BS->Stall, 1, 2000000); + CHAR16 *dps = DevicePathToStr(first_new_option); + UINTN s = DevicePathSize(first_new_option); + unsigned int i; + UINT8 *dpv = (void *)first_new_option; + Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); + for (i = 0; i < s; i++) { + if (i > 0 && i % 16 == 0) + Print(L"\n"); + Print(L"%02x ", dpv[i]); + } + Print(L"\n"); + + uefi_call_wrapper(BS->Stall, 1, 500000000); return rc; } @@ -637,7 +786,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL); if (EFI_ERROR(rc)) { Print(L"StartImage failed: %d\n", rc); - uefi_call_wrapper(BS->Stall, 1, 2000000); + uefi_call_wrapper(BS->Stall, 1, 500000000); } return rc; } @@ -657,6 +806,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) Print(L"System BootOrder not found. Initializing defaults.\n"); + set_boot_order(); + rc = find_boot_options(this_image->DeviceHandle); if (EFI_ERROR(rc)) { Print(L"Error: could not find boot options: %d\n", rc); diff --git a/include/PeImage.h b/include/PeImage.h index ec13404..133e11e 100644 --- a/include/PeImage.h +++ b/include/PeImage.h @@ -49,6 +49,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define IMAGE_FILE_MACHINE_EBC 0x0EBC #define IMAGE_FILE_MACHINE_X64 0x8664 #define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2 +#define IMAGE_FILE_MACHINE_ARM64 0xaa64 // // EXE file formats diff --git a/include/console.h b/include/console.h index e6c2818..9c793ea 100644 --- a/include/console.h +++ b/include/console.h @@ -1,8 +1,8 @@ #ifndef _SHIM_LIB_CONSOLE_H #define _SHIM_LIB_CONSOLE_H 1 -EFI_INPUT_KEY -console_get_keystroke(void); +EFI_STATUS +console_get_keystroke(EFI_INPUT_KEY *key); void console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines); void diff --git a/include/str.h b/include/str.h new file mode 100644 index 0000000..0f3e003 --- /dev/null +++ b/include/str.h @@ -0,0 +1,45 @@ +#ifndef SHIM_STR_H +#define SHIM_STR_H + +static inline +__attribute__((unused)) +unsigned long strnlena(const CHAR8 *s, unsigned long n) +{ + unsigned long i; + for (i = 0; i <= n; i++) + if (s[i] == '\0') + break; + return i; +} + +static inline +__attribute__((unused)) +CHAR8 * +strncpya(CHAR8 *dest, const CHAR8 *src, unsigned long n) +{ + unsigned long i; + + for (i = 0; i < n && src[i] != '\0'; i++) + dest[i] = src[i]; + for (; i < n; i++) + dest[i] = '\0'; + + return dest; +} + +static inline +__attribute__((unused)) +CHAR8 * +strcata(CHAR8 *dest, const CHAR8 *src) +{ + unsigned long dest_len = strlena(dest); + unsigned long i; + + for (i = 0; src[i] != '\0'; i++) + dest[dest_len + i] = src[i]; + dest[dest_len + i] = '\0'; + + return dest; +} + +#endif /* SHIM_STR_H */ diff --git a/include/variables.h b/include/variables.h index b207dbf..deed269 100644 --- a/include/variables.h +++ b/include/variables.h @@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications); int variable_is_secureboot(void); int -variable_is_setupmode(void); +variable_is_setupmode(int default_return); EFI_STATUS variable_enroll_hash(CHAR16 *var, EFI_GUID owner, UINT8 hash[SHA256_DIGEST_SIZE]); diff --git a/lib/Makefile b/lib/Makefile index adb0347..ebd21a1 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -2,20 +2,17 @@ TARGET = lib.a LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) - -EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include -EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o -EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -mno-red-zone -DBUILD_EFI -fno-builtin \ - -Werror \ + -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \ $(EFI_INCLUDES) + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-red-zone -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI +endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-red-zone -m32 endif lib.a: $(LIBFILES) diff --git a/lib/console.c b/lib/console.c index 2fc8db3..83ee679 100644 --- a/lib/console.c +++ b/lib/console.c @@ -40,16 +40,18 @@ SetMem16(CHAR16 *dst, UINT32 n, CHAR16 c) } } -EFI_INPUT_KEY -console_get_keystroke(void) +EFI_STATUS +console_get_keystroke(EFI_INPUT_KEY *key) { - EFI_INPUT_KEY key; UINTN EventIndex; + EFI_STATUS status; - uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex); - uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &key); + do { + uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex); + status = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, key); + } while (status == EFI_NOT_READY); - return key; + return status; } void @@ -162,6 +164,8 @@ console_print_box(CHAR16 *str_arr[], int highlight) { SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + EFI_INPUT_KEY key; + CopyMem(&SavedConsoleMode, co->Mode, sizeof(SavedConsoleMode)); uefi_call_wrapper(co->EnableCursor, 2, co, FALSE); uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); @@ -169,9 +173,7 @@ console_print_box(CHAR16 *str_arr[], int highlight) console_print_box_at(str_arr, highlight, 0, 0, -1, -1, 0, count_lines(str_arr)); - console_get_keystroke(); - - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); + console_get_keystroke(&key); uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); @@ -184,6 +186,7 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; EFI_INPUT_KEY k; + EFI_STATUS status; int selector; int selector_lines = count_lines(selectors); int selector_max_cols = 0; @@ -237,7 +240,12 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) size_cols, size_rows, 0, lines); do { - k = console_get_keystroke(); + status = console_get_keystroke(&k); + if (EFI_ERROR (status)) { + Print(L"Failed to read the keystroke: %r", status); + selector = -1; + break; + } if (k.ScanCode == SCAN_ESC) { selector = -1; @@ -262,8 +270,6 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) } while (!(k.ScanCode == SCAN_NULL && k.UnicodeChar == CHAR_CARRIAGE_RETURN)); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); uefi_call_wrapper(co->SetAttribute, 2, co, SavedConsoleMode.Attribute); diff --git a/lib/shell.c b/lib/shell.c index 51de4e0..7337834 100644 --- a/lib/shell.c +++ b/lib/shell.c @@ -35,7 +35,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV) (*argc)++; /* we counted spaces, so add one for initial */ - *ARGV = AllocatePool(*argc * sizeof(*ARGV)); + *ARGV = AllocatePool(*argc * sizeof(**ARGV)); if (!*ARGV) { return EFI_OUT_OF_RESOURCES; } diff --git a/lib/simple_file.c b/lib/simple_file.c index 3af0ec8..d345d87 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -415,7 +415,7 @@ simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name, CHAR16 *filter, CHAR16 **result) { EFI_STATUS status; - CHAR16 **entries; + CHAR16 **entries = NULL; EFI_FILE_INFO *dmp; int count, select, len; CHAR16 *newname, *selected; diff --git a/lib/variables.c b/lib/variables.c index 81bd34d..59d7d05 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, /* Microsoft request: Bugs in some UEFI platforms mean that PK or any * other secure variable can be updated or deleted programmatically, * so prevent */ - if (!variable_is_setupmode()) + if (!variable_is_setupmode(1)) return EFI_SECURITY_VIOLATION; if (createtimebased) { @@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, return efi_status; *data = AllocateZeroPool(*len); - if (!data) + if (!*data) return EFI_OUT_OF_RESOURCES; efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, @@ -279,14 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen) } int -variable_is_setupmode(void) +variable_is_setupmode(int default_return) { /* set to 1 because we return true if SetupMode doesn't exist */ - UINT8 SetupMode = 1; + UINT8 SetupMode = default_return; UINTN DataSize = sizeof(SetupMode); + EFI_STATUS status; - uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, - &DataSize, &SetupMode); + status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, + &DataSize, &SetupMode); + if (EFI_ERROR(status)) + return default_return; return SetupMode; } @@ -297,10 +300,13 @@ variable_is_secureboot(void) /* return false if variable doesn't exist */ UINT8 SecureBoot = 0; UINTN DataSize; + EFI_STATUS status; DataSize = sizeof(SecureBoot); - uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL, - &DataSize, &SecureBoot); + status = uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL, + &DataSize, &SecureBoot); + if (EFI_ERROR(status)) + return 0; return SecureBoot; } diff --git a/netboot.c b/netboot.c index a83c82a..ad5d37e 100644 --- a/netboot.c +++ b/netboot.c @@ -38,16 +38,9 @@ #include #include "shim.h" #include "netboot.h" +#include "str.h" -static inline unsigned short int __swap16(unsigned short int x) -{ - __asm__("xchgb %b0,%h0" - : "=q" (x) - : "0" (x)); - return x; -} - -#define ntohs(x) __swap16(x) +#define ntohs(x) __builtin_bswap16(x) /* supported both by GCC and clang */ #define htons(x) ntohs(x) static EFI_PXE_BASE_CODE *pxe; @@ -84,105 +77,65 @@ translate_slashes(char *str) * Returns TRUE if we identify a protocol that is enabled and Providing us with * the needed information to fetch a grubx64.efi image */ -BOOLEAN findNetboot(EFI_HANDLE image_handle) +BOOLEAN findNetboot(EFI_HANDLE device) { - UINTN bs = sizeof(EFI_HANDLE); - EFI_GUID pxe_base_code_protocol = EFI_PXE_BASE_CODE_PROTOCOL; - EFI_HANDLE *hbuf; - BOOLEAN rc = FALSE; - void *buffer = AllocatePool(bs); - UINTN errcnt = 0; - UINTN i; EFI_STATUS status; - if (!buffer) + status = uefi_call_wrapper(BS->HandleProtocol, 3, device, + &PxeBaseCodeProtocol, (VOID **)&pxe); + if (status != EFI_SUCCESS) { + pxe = NULL; return FALSE; - -try_again: - status = uefi_call_wrapper(BS->LocateHandle,5, ByProtocol, - &pxe_base_code_protocol, NULL, &bs, - buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - errcnt++; - FreePool(buffer); - if (errcnt > 1) - return FALSE; - buffer = AllocatePool(bs); - if (!buffer) - return FALSE; - goto try_again; } - if (status == EFI_NOT_FOUND) { - FreePool(buffer); + if (!pxe || !pxe->Mode) { + pxe = NULL; + return FALSE; + } + + if (!pxe->Mode->Started || !pxe->Mode->DhcpAckReceived) { + pxe = NULL; return FALSE; } /* - * We have a list of pxe supporting protocols, lets see if any are - * active - */ - hbuf = buffer; - pxe = NULL; - for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) { - status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i], - &pxe_base_code_protocol, - (void **)&pxe, image_handle, NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL); - - if (status != EFI_SUCCESS) { - pxe = NULL; - continue; - } - - if (!pxe || !pxe->Mode) { - pxe = NULL; - continue; - } - - if (pxe->Mode->Started && pxe->Mode->DhcpAckReceived) { - /* - * We've located a pxe protocol handle thats been - * started and has received an ACK, meaning its - * something we'll be able to get tftp server info - * out of - */ - rc = TRUE; - break; - } - - } - - FreePool(buffer); - return rc; + * We've located a pxe protocol handle thats been started and has + * received an ACK, meaning its something we'll be able to get + * tftp server info out of + */ + return TRUE; } static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) { - void *optr; - EFI_DHCP6_PACKET_OPTION *option; - CHAR8 *url; - UINT32 urllen; + void *optr = NULL, *end = NULL; + EFI_DHCP6_PACKET_OPTION *option = NULL; + CHAR8 *url = NULL; + UINT32 urllen = 0; optr = pkt->DhcpOptions; + end = optr + sizeof(pkt->DhcpOptions); - for(;;) { + for (;;) { option = (EFI_DHCP6_PACKET_OPTION *)optr; if (ntohs(option->OpCode) == 0) - return NULL; + break; if (ntohs(option->OpCode) == 59) { /* This is the bootfile url option */ urllen = ntohs(option->Length); - url = AllocateZeroPool(urllen+1); + if ((void *)(option->Data + urllen) > end) + break; + url = AllocateZeroPool(urllen + 1); if (!url) - return NULL; + break; memcpy(url, option->Data, urllen); return url; } optr += 4 + ntohs(option->Length); + if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end) + break; } return NULL; @@ -208,45 +161,60 @@ static CHAR16 str2ns(CHAR8 *str) static CHAR8 *str2ip6(CHAR8 *str) { - UINT8 i, j, p; - size_t len; - CHAR8 *a, *b, t; - static UINT16 ip[8]; + UINT8 i = 0, j = 0, p = 0; + size_t len = 0, dotcount = 0; + enum { MAX_IP6_DOTS = 7 }; + CHAR8 *a = NULL, *b = NULL, t = 0; + static UINT16 ip[8]; - for(i=0; i < 8; i++) { - ip[i] = 0; - } - len = strlen(str); - a = b = str; - for(i=p=0; i < len; i++, b++) { - if (*b != ':') - continue; - *b = '\0'; - ip[p++] = str2ns(a); - *b = ':'; - a = b + 1; - if ( *(b+1) == ':' ) - break; - } - a = b = (str + len); - for(j=len, p=7; j > i; j--, a--) { - if (*a != ':') - continue; - t = *b; - *b = '\0'; - ip[p--] = str2ns(a+1); - *b = t; - b = a; - } - return (CHAR8 *)ip; + memset(ip, 0, sizeof(ip)); + + /* Count amount of ':' to prevent overflows. + * max. count = 7. Returns an invalid ip6 that + * can be checked against + */ + for (a = str; *a != 0; ++a) { + if (*a == ':') + ++dotcount; + } + if (dotcount > MAX_IP6_DOTS) + return (CHAR8 *)ip; + + len = strlen(str); + a = b = str; + for (i = p = 0; i < len; i++, b++) { + if (*b != ':') + continue; + *b = '\0'; + ip[p++] = str2ns(a); + *b = ':'; + a = b + 1; + if (b[1] == ':' ) + break; + } + a = b = (str + len); + for (j = len, p = 7; j > i; j--, a--) { + if (*a != ':') + continue; + t = *b; + *b = '\0'; + ip[p--] = str2ns(a+1); + *b = t; + b = a; + } + return (CHAR8 *)ip; } static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; CHAR8 ip6str[40]; + CHAR8 ip6inv[16]; CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); + // to check against str2ip6() errors + memset(ip6inv, 0, sizeof(ip6inv)); + if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); return FALSE; @@ -261,19 +229,21 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) end = start; while ((*end != '\0') && (*end != ']')) { end++; - if (end - start > 39) { + if (end - start >= (int)sizeof(ip6str)) { Print(L"TFTP URL includes malformed IPv6 address\n"); return FALSE; } } - if (end == '\0') { + if (*end == '\0') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - memset(ip6str, 0, 40); + memset(ip6str, 0, sizeof(ip6str)); memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); + if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0) + return FALSE; full_path = AllocateZeroPool(strlen(end)+strlen(template)+1); if (!full_path) return FALSE; @@ -305,19 +275,34 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR; - full_path = AllocateZeroPool(strlen(template)+1); + CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); + INTN template_len = strlen(template) + 1; + + INTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); + INTN i; + UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile; + + for (i = dir_len; i >= 0; i--) { + if (dir[i] == '/') + break; + } + dir_len = (i >= 0) ? i + 1 : 0; + + full_path = AllocateZeroPool(dir_len + template_len); if (!full_path) return EFI_OUT_OF_RESOURCES; + if (dir_len > 0) { + strncpya(full_path, dir, dir_len); + if (full_path[dir_len-1] == '/' && template[0] == '/') + full_path[dir_len-1] = '\0'; + } + if (dir_len == 0 && dir[0] != '/' && template[0] == '/') + template++; + strcata(full_path, template); memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); - memcpy(full_path, template, strlen(template)); - - /* Note we don't capture the filename option here because we know its shim.efi - * We instead assume the filename at the end of the path is going to be grubx64.efi - */ return EFI_SUCCESS; } diff --git a/netboot.h b/netboot.h index 2cdb421..6417373 100644 --- a/netboot.h +++ b/netboot.h @@ -5,5 +5,5 @@ extern BOOLEAN findNetboot(EFI_HANDLE image_handle); extern EFI_STATUS parseNetbootinfo(EFI_HANDLE image_handle); -extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufsiz); +extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz); #endif diff --git a/replacements.c b/replacements.c index bac5e5d..f7623d9 100644 --- a/replacements.c +++ b/replacements.c @@ -60,30 +60,85 @@ static EFI_SYSTEM_TABLE *systab; +static typeof(systab->BootServices->LoadImage) system_load_image; static typeof(systab->BootServices->StartImage) system_start_image; static typeof(systab->BootServices->Exit) system_exit; static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; -extern UINT8 insecure_mode; +static EFI_HANDLE last_loaded_image; void unhook_system_services(void) { - if (insecure_mode) + if (!systab) return; + systab->BootServices->Exit = system_exit; + systab->BootServices->LoadImage = system_load_image; systab->BootServices->StartImage = system_start_image; systab->BootServices->ExitBootServices = system_exit_boot_services; } +static EFI_STATUS EFIAPI +load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle, + EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer, + UINTN SourceSize, EFI_HANDLE *ImageHandle) +{ + EFI_STATUS status; + unhook_system_services(); + + status = systab->BootServices->LoadImage(BootPolicy, + ParentImageHandle, DevicePath, + SourceBuffer, SourceSize, ImageHandle); + hook_system_services(systab); + if (EFI_ERROR(status)) + last_loaded_image = NULL; + else + last_loaded_image = *ImageHandle; + return status; +} + static EFI_STATUS EFIAPI start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data) { EFI_STATUS status; unhook_system_services(); + + /* We have to uninstall shim's protocol here, because if we're + * On the fallback.efi path, then our call pathway is: + * + * shim->fallback->shim->grub + * ^ ^ ^ + * | | \- gets protocol #0 + * | \- installs its protocol (#1) + * \- installs its protocol (#0) + * and if we haven't removed this, then grub will get the *first* + * shim's protocol, but it'll get the second shim's systab + * replacements. So even though it will participate and verify + * the kernel, the systab never finds out. + */ + if (image_handle == last_loaded_image) { + loader_is_participating = 1; + uninstall_shim_protocols(); + } status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data); - if (EFI_ERROR(status)) + if (EFI_ERROR(status)) { + if (image_handle == last_loaded_image) { + EFI_STATUS status2 = install_shim_protocols(); + + if (EFI_ERROR(status2)) { + Print(L"Something has gone seriously wrong: %d\n", + status2); + Print(L"shim cannot continue, sorry.\n"); + systab->BootServices->Stall(5000000); + systab->RuntimeServices->ResetSystem( + EfiResetShutdown, + EFI_SECURITY_VIOLATION, 0, NULL); + } + } hook_system_services(systab); + loader_is_participating = 0; + } return status; } @@ -107,7 +162,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key) } static EFI_STATUS EFIAPI -exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, +do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, UINTN ExitDataSize, CHAR16 *ExitData) { EFI_STATUS status; @@ -123,12 +178,20 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, void hook_system_services(EFI_SYSTEM_TABLE *local_systab) { - if (insecure_mode) - return; systab = local_systab; /* We need to hook various calls to make this work... */ + /* We need LoadImage() hooked so that fallback.c can load shim + * without having to fake LoadImage as well. This allows it + * to call the system LoadImage(), and have us track the output + * and mark loader_is_participating in start_image. This means + * anything added by fallback has to be verified by the system db, + * which we want to preserve anyway, since that's all launching + * through BDS gives us. */ + system_load_image = systab->BootServices->LoadImage; + systab->BootServices->LoadImage = load_image; + /* we need StartImage() so that we can allow chain booting to an * image trusted by the firmware */ system_start_image = systab->BootServices->StartImage; @@ -143,5 +206,5 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab) * bootloader and still e.g. start a new one or run an internal * shell. */ system_exit = systab->BootServices->Exit; - systab->BootServices->Exit = exit; + systab->BootServices->Exit = do_exit; } diff --git a/replacements.h b/replacements.h index 5b57bc2..bd09424 100644 --- a/replacements.h +++ b/replacements.h @@ -41,4 +41,7 @@ extern int loader_is_participating; extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); extern void unhook_system_services(void); +extern EFI_STATUS install_shim_protocols(void); +extern void uninstall_shim_protocols(void); + #endif /* SHIM_REPLACEMENTS_H */ diff --git a/shim.c b/shim.c index 23dd0ee..8076caa 100644 --- a/shim.c +++ b/shim.c @@ -59,6 +59,14 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; +static UINT8 in_protocol; + +#define perror(fmt, ...) ({ \ + UINTN __perror_ret = 0; \ + if (!in_protocol) \ + __perror_ret = Print((fmt), ##__VA_ARGS__); \ + __perror_ret; \ + }) EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; @@ -85,7 +93,7 @@ int loader_is_participating; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -UINT8 insecure_mode; +UINT8 user_insecure_mode; UINT8 ignore_db; typedef enum { @@ -102,7 +110,7 @@ typedef struct { /* * Perform basic bounds checking of the intra-image pointers */ -static void *ImageAddress (void *image, int size, unsigned int address) +static void *ImageAddress (void *image, unsigned int size, unsigned int address) { if (address > size) return NULL; @@ -110,11 +118,112 @@ static void *ImageAddress (void *image, int size, unsigned int address) return image + address; } +/* here's a chart: + * i686 x86_64 aarch64 + * 64-on-64: nyet yes yes + * 64-on-32: nyet yes nyet + * 32-on-32: yes yes no + */ +static int +allow_64_bit(void) +{ +#if defined(__x86_64__) || defined(__aarch64__) + return 1; +#elif defined(__i386__) || defined(__i686__) + /* Right now blindly assuming the kernel will correctly detect this + * and /halt the system/ if you're not really on a 64-bit cpu */ + if (in_protocol) + return 1; + return 0; +#else /* assuming everything else is 32-bit... */ + return 0; +#endif +} + +static int +allow_32_bit(void) +{ +#if defined(__x86_64__) +#if defined(ALLOW_32BIT_KERNEL_ON_X64) + if (in_protocol) + return 1; + return 0; +#else + return 0; +#endif +#elif defined(__i386__) || defined(__i686__) + return 1; +#elif defined(__arch64__) + return 0; +#else /* assuming everything else is 32-bit... */ + return 1; +#endif +} + +static int +image_is_64_bit(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr) +{ + /* .Magic is the same offset in all cases */ + if (PEHdr->Pe32Plus.OptionalHeader.Magic + == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) + return 1; + return 0; +} + +static const UINT16 machine_type = +#if defined(__x86_64__) + IMAGE_FILE_MACHINE_X64; +#elif defined(__aarch64__) + IMAGE_FILE_MACHINE_ARM64; +#elif defined(__arm__) + IMAGE_FILE_MACHINE_ARMTHUMB_MIXED; +#elif defined(__i386__) || defined(__i486__) || defined(__i686__) + IMAGE_FILE_MACHINE_I386; +#elif defined(__ia64__) + IMAGE_FILE_MACHINE_IA64; +#else +#error this architecture is not supported by shim +#endif + +static int +image_is_loadable(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr) +{ + /* If the machine type doesn't match the binary, bail, unless + * we're in an allowed 64-on-32 scenario */ + if (PEHdr->Pe32.FileHeader.Machine != machine_type) { + if (!(machine_type == IMAGE_FILE_MACHINE_I386 && + PEHdr->Pe32.FileHeader.Machine == IMAGE_FILE_MACHINE_X64 && + allow_64_bit())) { + return 0; + } + } + + /* If it's not a header type we recognize at all, bail */ + switch (PEHdr->Pe32Plus.OptionalHeader.Magic) { + case EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC: + case EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC: + break; + default: + return 0; + } + + /* and now just check for general 64-vs-32 compatibility */ + if (image_is_64_bit(PEHdr)) { + if (allow_64_bit()) + return 1; + } else { + if (allow_32_bit()) + return 1; + } + return 0; +} + /* * Perform the actual relocation */ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, - void *data) + EFI_IMAGE_SECTION_HEADER *Section, + void *orig, void *data) { EFI_IMAGE_BASE_RELOCATION *RelocBase, *RelocBaseEnd; UINT64 Adjust; @@ -124,24 +233,54 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT32 *Fixup32; UINT64 *Fixup64; int size = context->ImageSize; - void *ImageEnd = (char *)data + size; + void *ImageEnd = (char *)orig + size; + int n = 0; - context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data; + if (image_is_64_bit(context->PEHdr)) + context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)(unsigned long)data; + else + context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)(unsigned long)data; - if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { - Print(L"Image has no relocation entry\n"); - return EFI_UNSUPPORTED; - } + /* Alright, so here's how this works: + * + * context->RelocDir gives us two things: + * - the VA the table of base relocation blocks are (maybe) to be + * mapped at (RelocDir->VirtualAddress) + * - the virtual size (RelocDir->Size) + * + * The .reloc section (Section here) gives us some other things: + * - the name! kind of. (Section->Name) + * - the virtual size (Section->VirtualSize), which should be the same + * as RelocDir->Size + * - the virtual address (Section->VirtualAddress) + * - the file section size (Section->SizeOfRawData), which is + * a multiple of OptHdr->FileAlignment. Only useful for image + * validation, not really useful for iteration bounds. + * - the file address (Section->PointerToRawData) + * - a bunch of stuff we don't use that's 0 in our binaries usually + * - Flags (Section->Characteristics) + * + * and then the thing that's actually at the file address is an array + * of EFI_IMAGE_BASE_RELOCATION structs with some values packed behind + * them. The SizeOfBlock field of this structure includes the + * structure itself, and adding it to that structure's address will + * yield the next entry in the array. + */ + RelocBase = ImageAddress(orig, size, Section->PointerToRawData); + /* RelocBaseEnd here is the address of the first entry /past/ the + * table. */ + RelocBaseEnd = ImageAddress(orig, size, Section->PointerToRawData + + Section->Misc.VirtualSize); - RelocBase = ImageAddress(data, size, context->RelocDir->VirtualAddress); - RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); + if (!RelocBase && !RelocBaseEnd) + return EFI_SUCCESS; if (!RelocBase || !RelocBaseEnd) { - Print(L"Reloc table overflows binary\n"); + perror(L"Reloc table overflows binary\n"); return EFI_UNSUPPORTED; } - Adjust = (UINT64)data - context->ImageAddress; + Adjust = (UINTN)data - context->ImageAddress; if (Adjust == 0) return EFI_SUCCESS; @@ -150,19 +289,19 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION)); if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) { - Print(L"Reloc block size is invalid\n"); + perror(L"Reloc %d block size %d is invalid\n", n, RelocBase->SizeOfBlock); return EFI_UNSUPPORTED; } RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); - if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) { - Print(L"Reloc entry overflows binary\n"); + if ((void *)RelocEnd < orig || (void *)RelocEnd > ImageEnd) { + perror(L"Reloc %d entry overflows binary\n", n); return EFI_UNSUPPORTED; } FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress); if (!FixupBase) { - Print(L"Invalid fixupbase\n"); + perror(L"Reloc %d Invalid fixupbase\n", n); return EFI_UNSUPPORTED; } @@ -211,55 +350,73 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, break; default: - Print(L"Unknown relocation\n"); + perror(L"Reloc %d Unknown relocation\n", n); return EFI_UNSUPPORTED; } Reloc += 1; } RelocBase = (EFI_IMAGE_BASE_RELOCATION *) RelocEnd; + n++; } return EFI_SUCCESS; } +static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize) +{ + UINTN length; + + if (!Cert || CertSize < 4) + return FALSE; + + /* + * A DER encoding x509 certificate starts with SEQUENCE(0x30), + * the number of length bytes, and the number of value bytes. + * The size of a x509 certificate is usually between 127 bytes + * and 64KB. For convenience, assume the number of value bytes + * is 2, i.e. the second byte is 0x82. + */ + if (Cert[0] != 0x30 || Cert[1] != 0x82) + return FALSE; + + length = Cert[2]<<8 | Cert[3]; + if (length != (CertSize - 4)) + return FALSE; + + return TRUE; +} + static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, UINTN dbsize, WIN_CERTIFICATE_EFI_PKCS *data, UINT8 *hash) { EFI_SIGNATURE_DATA *Cert; - UINTN CertCount, Index; + UINTN CertSize; BOOLEAN IsFound = FALSE; EFI_GUID CertType = X509_GUID; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - for (Index = 0; Index < CertCount; Index++) { + CertSize = CertList->SignatureSize - sizeof(EFI_GUID); + if (verify_x509(Cert->SignatureData, CertSize)) { IsFound = AuthenticodeVerify (data->CertData, data->Hdr.dwLength - sizeof(data->Hdr), Cert->SignatureData, - CertList->SignatureSize, + CertSize, hash, SHA256_DIGEST_SIZE); if (IsFound) - break; - - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); + return DATA_FOUND; + } else if (verbose) { + console_notify(L"Not a DER encoding x.509 Certificate"); } - } - if (IsFound) - break; - dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); } - if (IsFound) - return DATA_FOUND; - return DATA_NOT_FOUND; } @@ -446,66 +603,81 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, static BOOLEAN secure_mode (void) { - EFI_STATUS status; - EFI_GUID global_var = EFI_GLOBAL_VARIABLE; - UINTN len; - UINT8 *Data; - UINT8 sb, setupmode; - - if (insecure_mode) + if (user_insecure_mode) return FALSE; - status = get_variable(L"SecureBoot", &Data, &len, global_var); - if (status != EFI_SUCCESS) { - if (verbose) - console_notify(L"Secure boot not enabled\n"); - return FALSE; - } - sb = *Data; - FreePool(Data); - - if (sb != 1) { - if (verbose) - console_notify(L"Secure boot not enabled\n"); + if (variable_is_secureboot() != 1) { + if (verbose && !in_protocol) + console_notify(L"Secure boot not enabled"); return FALSE; } - status = get_variable(L"SetupMode", &Data, &len, global_var); - if (status != EFI_SUCCESS) - return TRUE; - - setupmode = *Data; - FreePool(Data); - - if (setupmode == 1) { - if (verbose) - console_notify(L"Platform is in setup mode\n"); + /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode", + * then the implementation is bad, but we assume that secure boot is + * enabled according to the status of "SecureBoot". If we have both + * of them, then "SetupMode" may tell us additional data, and we need + * to consider it. + */ + if (variable_is_setupmode(0) == 1) { + if (verbose && !in_protocol) + console_notify(L"Platform is in setup mode"); return FALSE; } return TRUE; } +#define check_size_line(data, datasize_in, hashbase, hashsize, l) ({ \ + if ((unsigned long)hashbase > \ + (unsigned long)data + datasize_in) { \ + perror(L"shim.c:%d Invalid hash base 0x%016x\n", l, \ + hashbase); \ + goto done; \ + } \ + if ((unsigned long)hashbase + hashsize > \ + (unsigned long)data + datasize_in) { \ + perror(L"shim.c:%d Invalid hash size 0x%016x\n", l, \ + hashsize); \ + goto done; \ + } \ +}) +#define check_size(d,ds,h,hs) check_size_line(d,ds,h,hs,__LINE__) + /* * Calculate the SHA1 and SHA256 hashes of a binary */ -static EFI_STATUS generate_hash (char *data, int datasize, +static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash, UINT8 *sha1hash) { unsigned int sha256ctxsize, sha1ctxsize; - unsigned int size = datasize; + unsigned int size = datasize_in; void *sha256ctx = NULL, *sha1ctx = NULL; char *hashbase; unsigned int hashsize; unsigned int SumOfBytesHashed, SumOfSectionBytes; unsigned int index, pos; + unsigned int datasize; EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; - EFI_IMAGE_SECTION_HEADER *SectionCache; EFI_STATUS status = EFI_SUCCESS; + EFI_IMAGE_DOS_HEADER *DosHdr = (void *)data; + unsigned int PEHdr_offset = 0; + + if (datasize_in < 0) { + perror(L"Invalid data size\n"); + return EFI_INVALID_PARAMETER; + } + size = datasize = (unsigned int)datasize_in; + + if (datasize <= sizeof (*DosHdr) || + DosHdr->e_magic != EFI_IMAGE_DOS_SIGNATURE) { + perror(L"Invalid signature\n"); + return EFI_INVALID_PARAMETER; + } + PEHdr_offset = DosHdr->e_lfanew; sha256ctxsize = Sha256GetContextSize(); sha256ctx = AllocatePool(sha256ctxsize); @@ -514,12 +686,12 @@ static EFI_STATUS generate_hash (char *data, int datasize, sha1ctx = AllocatePool(sha1ctxsize); if (!sha256ctx || !sha1ctx) { - Print(L"Unable to allocate memory for hash context\n"); + perror(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; } if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) { - Print(L"Unable to initialise hash\n"); + perror(L"Unable to initialise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -528,10 +700,11 @@ static EFI_STATUS generate_hash (char *data, int datasize, hashbase = data; hashsize = (char *)&context->PEHdr->Pe32.OptionalHeader.CheckSum - hashbase; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -540,54 +713,76 @@ static EFI_STATUS generate_hash (char *data, int datasize, hashbase = (char *)&context->PEHdr->Pe32.OptionalHeader.CheckSum + sizeof (int); hashsize = (char *)context->SecDir - hashbase; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } /* Hash end of certificate table to end of image header */ - hashbase = (char *) &context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; - hashsize = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - - (int) ((char *) (&context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - data); + EFI_IMAGE_DATA_DIRECTORY *dd = context->SecDir + 1; + hashbase = (char *)dd; + hashsize = context->SizeOfHeaders - (unsigned long)((char *)dd - data); + if (hashsize > datasize_in) { + perror(L"Data Directory size %d is invalid\n", hashsize); + status = EFI_INVALID_PARAMETER; + goto done; + } + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } /* Sort sections */ - SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; + SumOfBytesHashed = context->SizeOfHeaders; - Section = (EFI_IMAGE_SECTION_HEADER *) ( - (char *)context->PEHdr + sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - ); + /* Validate section locations and sizes */ + for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { + EFI_IMAGE_SECTION_HEADER *SectionPtr; - SectionCache = Section; - - for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { - SumOfSectionBytes += SectionCache->SizeOfRawData; - } - - if (SumOfSectionBytes >= datasize) { - Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); - status = EFI_INVALID_PARAMETER; - goto done; + /* Validate SectionPtr is within image */ + SectionPtr = ImageAddress(data, datasize, + PEHdr_offset + + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + + (index * sizeof(*SectionPtr))); + if (!SectionPtr) { + perror(L"Malformed section %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + /* Validate section size is within image. */ + if (SectionPtr->SizeOfRawData > + datasize - SumOfBytesHashed - SumOfSectionBytes) { + perror(L"Malformed section %d size\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + SumOfSectionBytes += SectionPtr->SizeOfRawData; } SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); if (SectionHeader == NULL) { - Print(L"Unable to allocate section header\n"); + perror(L"Unable to allocate section header\n"); status = EFI_OUT_OF_RESOURCES; goto done; } + /* Already validated above */ + Section = ImageAddress(data, datasize, + PEHdr_offset + + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader); + /* Sort the section headers */ for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { pos = index; @@ -606,17 +801,26 @@ static EFI_STATUS generate_hash (char *data, int datasize, continue; } hashbase = ImageAddress(data, size, Section->PointerToRawData); - hashsize = (unsigned int) Section->SizeOfRawData; if (!hashbase) { - Print(L"Malformed section header\n"); + perror(L"Malformed section header\n"); status = EFI_INVALID_PARAMETER; goto done; } + /* Verify hashsize within image. */ + if (Section->SizeOfRawData > + datasize - Section->PointerToRawData) { + perror(L"Malformed section raw size %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + hashsize = (unsigned int) Section->SizeOfRawData; + check_size(data, datasize_in, hashbase, hashsize); + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -624,16 +828,14 @@ static EFI_STATUS generate_hash (char *data, int datasize, } /* Hash all remaining data */ - if (size > SumOfBytesHashed) { + if (datasize > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; - hashsize = (unsigned int)( - size - - context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - - SumOfBytesHashed); + hashsize = datasize - context->SecDir->Size - SumOfBytesHashed; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -641,7 +843,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Final(sha256ctx, sha256hash)) || !(Sha1Final(sha1ctx, sha1hash))) { - Print(L"Unable to finalise hash\n"); + perror(L"Unable to finalise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -670,13 +872,12 @@ static EFI_STATUS verify_mok (void) { status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize, shim_lock_guid, &attributes); - if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokList is compromised!\nErase all keys in MokList!\n"); + if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + perror(L"MokList is compromised!\nErase all keys in MokList!\n"); if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokList\n"); + perror(L"Failed to erase MokList\n"); + return EFI_ACCESS_DENIED; } - status = EFI_ACCESS_DENIED; - return status; } if (MokListData) @@ -702,13 +903,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize, context->SecDir->VirtualAddress); if (!cert) { - Print(L"Certificate located outside the image\n"); + perror(L"Certificate located outside the image\n"); return EFI_INVALID_PARAMETER; } if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - Print(L"Unsupported certificate type %x\n", + perror(L"Unsupported certificate type %x\n", cert->Hdr.wCertificateType); return EFI_UNSUPPORTED; } @@ -722,7 +923,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * Check that the MOK database hasn't been modified */ - verify_mok(); + status = verify_mok(); + if (status != EFI_SUCCESS) + return status; /* * Ensure that the binary isn't blacklisted @@ -730,7 +933,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_blacklist(cert, sha256hash, sha1hash); if (status != EFI_SUCCESS) { - Print(L"Binary is blacklisted\n"); + perror(L"Binary is blacklisted\n"); return status; } @@ -746,7 +949,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * Check against the shim build key */ - if (AuthenticodeVerify(cert->CertData, + if (sizeof(shim_cert) && + AuthenticodeVerify(cert->CertData, context->SecDir->Size - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { @@ -754,14 +958,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize, return status; } - /* * And finally, check against shim's built-in key */ - if (AuthenticodeVerify(cert->CertData, - context->SecDir->Size - sizeof(cert->Hdr), - vendor_cert, vendor_cert_size, sha256hash, - SHA256_DIGEST_SIZE)) { + if (vendor_cert_size && AuthenticodeVerify(cert->CertData, + context->SecDir->Size - sizeof(cert->Hdr), + vendor_cert, vendor_cert_size, sha256hash, + SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; return status; } @@ -780,90 +983,108 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, { EFI_IMAGE_DOS_HEADER *DosHdr = data; EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data; - unsigned long HeaderWithoutDataDir, SectionHeaderOffset; + unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize; - if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { - Print(L"Invalid image\n"); + if (datasize < sizeof (PEHdr->Pe32)) { + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew); - if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES - < PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes) { - Print(L"Image header too small\n"); + if (!image_is_loadable(PEHdr)) { + perror(L"Platform does not support this image\n"); return EFI_UNSUPPORTED; } - HeaderWithoutDataDir = sizeof (EFI_IMAGE_OPTIONAL_HEADER64) + if (image_is_64_bit(PEHdr)) { + context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; + context->ImageSize = PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER64); + } else { + context->NumberOfRvaAndSizes = PEHdr->Pe32.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32.OptionalHeader.SizeOfHeaders; + context->ImageSize = (UINT64)PEHdr->Pe32.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER32); + } + + context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; + + if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES < context->NumberOfRvaAndSizes) { + perror(L"Image header too small\n"); + return EFI_UNSUPPORTED; + } + + HeaderWithoutDataDir = OptHeaderSize - sizeof (EFI_IMAGE_DATA_DIRECTORY) * EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES; - if (((UINT32)PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != - PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes - * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { - Print(L"Image header overflows data directory\n"); + if (((UINT32)PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != + context->NumberOfRvaAndSizes * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { + perror(L"Image header overflows data directory\n"); return EFI_UNSUPPORTED; } SectionHeaderOffset = DosHdr->e_lfanew + sizeof (UINT32) + sizeof (EFI_IMAGE_FILE_HEADER) - + PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader; - if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfImage - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER - <= PEHdr->Pe32Plus.FileHeader.NumberOfSections) { - Print(L"Image sections overflow image size\n"); + + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader; + if (((UINT32)context->ImageSize - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + <= context->NumberOfSections) { + perror(L"Image sections overflow image size\n"); return EFI_UNSUPPORTED; } - if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER - < (UINT32)PEHdr->Pe32Plus.FileHeader.NumberOfSections) { - Print(L"Image sections overflow section headers\n"); + if ((context->SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + < (UINT32)context->NumberOfSections) { + perror(L"Image sections overflow section headers\n"); return EFI_UNSUPPORTED; } if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (PEHdr->Te.Signature != EFI_IMAGE_NT_SIGNATURE) { - Print(L"Unsupported image type\n"); + perror(L"Unsupported image type\n"); return EFI_UNSUPPORTED; } if (PEHdr->Pe32.FileHeader.Characteristics & EFI_IMAGE_FILE_RELOCS_STRIPPED) { - Print(L"Unsupported image - Relocations have been stripped\n"); - return EFI_UNSUPPORTED; - } - - if (PEHdr->Pe32.OptionalHeader.Magic != EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) { - Print(L"Only 64-bit images supported\n"); + perror(L"Unsupported image - Relocations have been stripped\n"); return EFI_UNSUPPORTED; } context->PEHdr = PEHdr; - context->ImageAddress = PEHdr->Pe32Plus.OptionalHeader.ImageBase; - context->ImageSize = (UINT64)PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; - context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; - context->EntryPoint = PEHdr->Pe32Plus.OptionalHeader.AddressOfEntryPoint; - context->RelocDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; - context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; - context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; + + if (image_is_64_bit(PEHdr)) { + context->ImageAddress = PEHdr->Pe32Plus.OptionalHeader.ImageBase; + context->EntryPoint = PEHdr->Pe32Plus.OptionalHeader.AddressOfEntryPoint; + context->RelocDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; + context->SecDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; + } else { + context->ImageAddress = PEHdr->Pe32.OptionalHeader.ImageBase; + context->EntryPoint = PEHdr->Pe32.OptionalHeader.AddressOfEntryPoint; + context->RelocDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; + context->SecDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; + } + context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); - context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; if (context->ImageSize < context->SizeOfHeaders) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } - if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { - Print(L"Invalid image\n"); + if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > + (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (context->SecDir->VirtualAddress >= datasize) { - Print(L"Malformed security header\n"); + perror(L"Malformed security header\n"); return EFI_INVALID_PARAMETER; } return EFI_SUCCESS; @@ -877,7 +1098,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, { EFI_STATUS efi_status; char *buffer; - int i, size; + int i; + unsigned int size; EFI_IMAGE_SECTION_HEADER *Section; char *base, *end; PE_COFF_LOADER_IMAGE_CONTEXT context; @@ -887,7 +1109,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, */ efi_status = read_header(data, datasize, &context); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to read header\n"); + perror(L"Failed to read header: %r\n", efi_status); return efi_status; } @@ -909,17 +1131,27 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, buffer = AllocatePool(context.ImageSize); if (!buffer) { - Print(L"Failed to allocate image buffer\n"); + perror(L"Failed to allocate image buffer\n"); return EFI_OUT_OF_RESOURCES; } CopyMem(buffer, data, context.SizeOfHeaders); + char *RelocBase, *RelocBaseEnd; + RelocBase = ImageAddress(buffer, datasize, + context.RelocDir->VirtualAddress); + /* RelocBaseEnd here is the address of the last byte of the table */ + RelocBaseEnd = ImageAddress(buffer, datasize, + context.RelocDir->VirtualAddress + + context.RelocDir->Size - 1); + + EFI_IMAGE_SECTION_HEADER *RelocSection = NULL; + /* * Copy the executable's sections to their desired offsets */ Section = context.FirstSection; - for (i = 0; i < context.NumberOfSections; i++) { + for (i = 0; i < context.NumberOfSections; i++, Section++) { size = Section->Misc.VirtualSize; if (size > Section->SizeOfRawData) @@ -927,36 +1159,66 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, base = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress); end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1); - if (!base || !end) { - Print(L"Invalid section size\n"); + perror(L"Invalid section size\n"); return EFI_UNSUPPORTED; } if (Section->VirtualAddress < context.SizeOfHeaders || Section->PointerToRawData < context.SizeOfHeaders) { - Print(L"Section is inside image headers\n"); + perror(L"Section is inside image headers\n"); return EFI_UNSUPPORTED; } + /* We do want to process .reloc, but it's often marked + * discardable, so we don't want to memcpy it. */ + if (CompareMem(Section->Name, ".reloc\0\0", 8) == 0) { + if (RelocSection) { + perror(L"Image has multiple relocation sections\n"); + return EFI_UNSUPPORTED; + } + /* If it has nonzero sizes, and our bounds check + * made sense, and the VA and size match RelocDir's + * versions, then we believe in this section table. */ + if (Section->SizeOfRawData && + Section->Misc.VirtualSize && + base && end && + RelocBase == base && + RelocBaseEnd == end) { + RelocSection = Section; + } + } + + if (Section->Characteristics & 0x02000000) { + /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */ + continue; + } + if (Section->SizeOfRawData > 0) CopyMem(base, data + Section->PointerToRawData, size); if (size < Section->Misc.VirtualSize) ZeroMem (base + size, Section->Misc.VirtualSize - size); - - Section += 1; } - /* - * Run the relocation fixups - */ - efi_status = relocate_coff(&context, buffer); - - if (efi_status != EFI_SUCCESS) { - Print(L"Relocation failed\n"); + if (context.NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { + perror(L"Image has no relocation entry\n"); FreePool(buffer); - return efi_status; + return EFI_UNSUPPORTED; + } + + if (context.RelocDir->Size && RelocSection) { + /* + * Run the relocation fixups + */ + efi_status = relocate_coff(&context, RelocSection, data, + buffer); + + if (efi_status != EFI_SUCCESS) { + perror(L"Relocation failed: %r\n", efi_status); + FreePool(buffer); + return efi_status; + } } entry_point = ImageAddress(buffer, context.ImageSize, context.EntryPoint); @@ -972,7 +1234,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, li->LoadOptionsSize = load_options_size; if (!entry_point) { - Print(L"Invalid entry point\n"); + perror(L"Invalid entry point\n"); FreePool(buffer); return EFI_UNSUPPORTED; } @@ -986,16 +1248,17 @@ should_use_fallback(EFI_HANDLE image_handle) EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_LOADED_IMAGE *li; unsigned int pathlen = 0; - CHAR16 *bootpath; + CHAR16 *bootpath = NULL; EFI_FILE_IO_INTERFACE *fio = NULL; EFI_FILE *vh; EFI_FILE *fh; EFI_STATUS rc; + int ret = 0; rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &loaded_image_protocol, (void **)&li); if (EFI_ERROR(rc)) { - Print(L"Could not get image for bootx64.efi: %d\n", rc); + perror(L"Could not get image for bootx64.efi: %r\n", rc); return 0; } @@ -1008,23 +1271,23 @@ should_use_fallback(EFI_HANDLE image_handle) */ if (StrnCaseCmp(bootpath, L"\\EFI\\BOOT\\BOOT", 14) && StrnCaseCmp(bootpath, L"\\EFI\\BOOT\\/BOOT", 15)) - return 0; + goto error; pathlen = StrLen(bootpath); if (pathlen < 5 || StrCaseCmp(bootpath + pathlen - 4, L".EFI")) - return 0; + goto error; rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle, &FileSystemProtocol, (void **)&fio); if (EFI_ERROR(rc)) { - Print(L"Could not get fio for li->DeviceHandle: %d\n", rc); - return 0; + perror(L"Could not get fio for li->DeviceHandle: %r\n", rc); + goto error; } - + rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh); if (EFI_ERROR(rc)) { - Print(L"Could not open fio volume: %d\n", rc); - return 0; + perror(L"Could not open fio volume: %r\n", rc); + goto error; } rc = uefi_call_wrapper(vh->Open, 5, vh, &fh, L"\\EFI\\BOOT" FALLBACK, @@ -1037,12 +1300,17 @@ should_use_fallback(EFI_HANDLE image_handle) * rc); */ uefi_call_wrapper(vh->Close, 1, vh); - return 0; + goto error; } uefi_call_wrapper(fh->Close, 1, fh); uefi_call_wrapper(vh->Close, 1, vh); - return 1; + ret = 1; +error: + if (bootpath) + FreePool(bootpath); + + return ret; } /* @@ -1050,16 +1318,15 @@ should_use_fallback(EFI_HANDLE image_handle) * of the executable */ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, - EFI_DEVICE_PATH **grubpath, CHAR16 **PathName) + CHAR16 **PathName) { EFI_DEVICE_PATH *devpath; - EFI_HANDLE device; - int i, j, last = -1; + unsigned int i; + int j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; - device = li->DeviceHandle; devpath = li->FilePath; bootpath = DevicePathToStr(devpath); @@ -1102,7 +1369,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); if (!*PathName) { - Print(L"Failed to allocate path buffer\n"); + perror(L"Failed to allocate path buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1112,8 +1379,6 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, StrCat(*PathName, bootpath); StrCat(*PathName, ImagePath); - *grubpath = FileDevicePath(device, *PathName); - error: FreePool(bootpath); @@ -1145,14 +1410,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, (void **)&drive); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to find fs\n"); + perror(L"Failed to find fs: %r\n", efi_status); goto error; } efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open fs\n"); + perror(L"Failed to open fs: %r\n", efi_status); goto error; } @@ -1163,14 +1428,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, EFI_FILE_MODE_READ, 0); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open %s - %lx\n", PathName, efi_status); + perror(L"Failed to open %s - %r\n", PathName, efi_status); goto error; } fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + perror(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1186,7 +1451,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, FreePool(fileinfo); fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + perror(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1196,7 +1461,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unable to get file info\n"); + perror(L"Unable to get file info: %r\n", efi_status); goto error; } @@ -1205,7 +1470,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, *data = AllocatePool(buffersize); if (!*data) { - Print(L"Unable to allocate file buffer\n"); + perror(L"Unable to allocate file buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1224,7 +1489,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize); + perror(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize); goto error; } @@ -1254,6 +1519,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) PE_COFF_LOADER_IMAGE_CONTEXT context; loader_is_participating = 1; + in_protocol = 1; if (!secure_mode()) return EFI_SUCCESS; @@ -1261,9 +1527,35 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) status = read_header(buffer, size, &context); if (status != EFI_SUCCESS) - return status; + goto done; status = verify_buffer(buffer, size, &context); +done: + in_protocol = 0; + return status; +} + +static EFI_STATUS shim_hash (char *data, int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context, + UINT8 *sha256hash, UINT8 *sha1hash) +{ + EFI_STATUS status; + + in_protocol = 1; + status = generate_hash(data, datasize, context, sha256hash, sha1hash); + in_protocol = 0; + + return status; +} + +static EFI_STATUS shim_read_header(void *data, unsigned int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context) +{ + EFI_STATUS status; + + in_protocol = 1; + status = read_header(data, datasize, context); + in_protocol = 0; return status; } @@ -1276,7 +1568,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_STATUS efi_status; EFI_LOADED_IMAGE *li, li_bak; - EFI_DEVICE_PATH *path; CHAR16 *PathName = NULL; void *sourcebuffer = NULL; UINT64 sourcesize = 0; @@ -1291,30 +1582,30 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) &loaded_image_protocol, (void **)&li); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to init protocol\n"); + perror(L"Unable to init protocol\n"); return efi_status; } /* * Build a new path from the existing one plus the executable name */ - efi_status = generate_path(li, ImagePath, &path, &PathName); + efi_status = generate_path(li, ImagePath, &PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate path: %s\n", ImagePath); + perror(L"Unable to generate path %s: %r\n", ImagePath, efi_status); goto done; } - if (findNetboot(image_handle)) { + if (findNetboot(li->DeviceHandle)) { efi_status = parseNetbootinfo(image_handle); if (efi_status != EFI_SUCCESS) { - Print(L"Netboot parsing failed: %d\n", efi_status); + perror(L"Netboot parsing failed: %r\n", efi_status); return EFI_PROTOCOL_ERROR; } efi_status = FetchNetbootimage(image_handle, &sourcebuffer, &sourcesize); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to fetch TFTP image\n"); + perror(L"Unable to fetch TFTP image: %r\n", efi_status); return efi_status; } data = sourcebuffer; @@ -1326,7 +1617,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = load_image(li, &data, &datasize, PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + perror(L"Failed to load image %s: %r\n", PathName, efi_status); goto done; } } @@ -1343,7 +1634,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = handle_image(data, datasize, li); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + perror(L"Failed to load image: %r\n", efi_status); CopyMem(li, &li_bak, sizeof(li_bak)); goto done; } @@ -1408,37 +1699,42 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; - FullDataSize = DataSize - + sizeof (*CertList) - + sizeof (EFI_GUID) - + vendor_cert_size - ; - FullData = AllocatePool(FullDataSize); - if (!FullData) { - Print(L"Failed to allocate space for MokListRT\n"); - return EFI_OUT_OF_RESOURCES; + if (vendor_cert_size) { + FullDataSize = DataSize + + sizeof (*CertList) + + sizeof (EFI_GUID) + + vendor_cert_size + ; + FullData = AllocatePool(FullDataSize); + if (!FullData) { + perror(L"Failed to allocate space for MokListRT\n"); + return EFI_OUT_OF_RESOURCES; + } + p = FullData; + + if (efi_status == EFI_SUCCESS && DataSize > 0) { + CopyMem(p, Data, DataSize); + p += DataSize; + } + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureListSize = vendor_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); + } else { + FullDataSize = DataSize; + FullData = Data; } - p = FullData; - - if (efi_status == EFI_SUCCESS && DataSize > 0) { - CopyMem(p, Data, DataSize); - p += DataSize; - } - CertList = (EFI_SIGNATURE_LIST *)p; - p += sizeof (*CertList); - CertData = (EFI_SIGNATURE_DATA *)p; - p += sizeof (EFI_GUID); - - CertList->SignatureType = EFI_CERT_X509_GUID; - CertList->SignatureListSize = vendor_cert_size - + sizeof (*CertList) - + sizeof (*CertData) - -1; - CertList->SignatureHeaderSize = 0; - CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); - - CertData->SignatureOwner = SHIM_LOCK_GUID; - CopyMem(p, vendor_cert, vendor_cert_size); efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, @@ -1446,7 +1742,7 @@ EFI_STATUS mirror_mok_list() | EFI_VARIABLE_RUNTIME_ACCESS, FullDataSize, FullData); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokListRT %d\n", efi_status); + perror(L"Failed to set MokListRT: %r\n", efi_status); } return efi_status; @@ -1487,7 +1783,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to start MokManager\n"); + perror(L"Failed to start MokManager: %r\n", efi_status); return efi_status; } } @@ -1503,16 +1799,15 @@ static EFI_STATUS check_mok_sb (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - UINT8 *MokSBState = NULL; - UINTN MokSBStateSize = 0; + UINT8 MokSBState; + UINTN MokSBStateSize = sizeof(MokSBState); UINT32 attributes; - insecure_mode = 0; + user_insecure_mode = 0; ignore_db = 0; - status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize, - shim_lock_guid, &attributes); - + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState", &shim_lock_guid, + &attributes, &MokSBStateSize, &MokSBState); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1521,19 +1816,17 @@ static EFI_STATUS check_mok_sb (void) * modified by the OS */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokSBState is compromised! Clearing it\n"); + perror(L"MokSBState is compromised! Clearing it\n"); if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokSBState\n"); + perror(L"Failed to erase MokSBState\n"); } status = EFI_ACCESS_DENIED; } else { - if (*(UINT8 *)MokSBState == 1) { - insecure_mode = 1; + if (MokSBState == 1) { + user_insecure_mode = 1; } } - FreePool(MokSBState); - return status; } @@ -1545,13 +1838,12 @@ static EFI_STATUS check_mok_db (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - UINT8 *MokDBState = NULL; - UINTN MokDBStateSize = 0; + UINT8 MokDBState; + UINTN MokDBStateSize = sizeof(MokDBStateSize); UINT32 attributes; - status = get_variable_attr(L"MokDBState", &MokDBState, &MokDBStateSize, - shim_lock_guid, &attributes); - + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState", &shim_lock_guid, + &attributes, &MokDBStateSize, &MokDBState); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1562,19 +1854,17 @@ static EFI_STATUS check_mok_db (void) * modified by the OS */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokDBState is compromised! Clearing it\n"); + perror(L"MokDBState is compromised! Clearing it\n"); if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokDBState\n"); + perror(L"Failed to erase MokDBState\n"); } status = EFI_ACCESS_DENIED; } else { - if (*(UINT8 *)MokDBState == 1) { + if (MokDBState == 1) { ignore_db = 1; } } - FreePool(MokDBState); - return status; } @@ -1594,7 +1884,7 @@ static EFI_STATUS mok_ignore_db() | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, (void *)&Data); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokIgnoreDB %d\n", efi_status); + perror(L"Failed to set MokIgnoreDB: %r\n", efi_status); } } @@ -1610,9 +1900,10 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_STATUS status; EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; - int i, remaining_size = 0; + unsigned int i; + int remaining_size = 0; CHAR16 *loader_str = NULL; - int loader_len = 0; + unsigned int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; @@ -1621,7 +1912,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &LoadedImageProtocol, (void **) &li); if (status != EFI_SUCCESS) { - Print (L"Failed to get load options\n"); + perror (L"Failed to get load options: %r\n", status); return status; } @@ -1665,7 +1956,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) if (loader_len > 0) { loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16)); if (!loader_str) { - Print(L"Failed to allocate loader string\n"); + perror(L"Failed to allocate loader string\n"); return EFI_OUT_OF_RESOURCES; } for (i = 0; i < loader_len; i++) @@ -1680,11 +1971,56 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) return EFI_SUCCESS; } -EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +static SHIM_LOCK shim_lock_interface; +static EFI_HANDLE shim_lock_handle; + +EFI_STATUS +install_shim_protocols(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - static SHIM_LOCK shim_lock_interface; - EFI_HANDLE handle = NULL; + EFI_STATUS efi_status; + /* + * Install the protocol + */ + efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, + &shim_lock_handle, &shim_lock_guid, + EFI_NATIVE_INTERFACE, &shim_lock_interface); + if (EFI_ERROR(efi_status)) { + console_error(L"Could not install security protocol", + efi_status); + return efi_status; + } + +#if defined(OVERRIDE_SECURITY_POLICY) + /* + * Install the security protocol hook + */ + security_policy_install(shim_verify); +#endif + + return EFI_SUCCESS; +} + +void +uninstall_shim_protocols(void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +#if defined(OVERRIDE_SECURITY_POLICY) + /* + * Clean up the security protocol hook + */ + security_policy_uninstall(); +#endif + + /* + * If we're back here then clean everything up before exiting + */ + uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle, + &shim_lock_guid, &shim_lock_interface); +} + +EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +{ EFI_STATUS efi_status; verification_method = VERIFIED_BY_NOTHING; @@ -1699,8 +2035,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) * call back in and use shim functions */ shim_lock_interface.Verify = shim_verify; - shim_lock_interface.Hash = generate_hash; - shim_lock_interface.Context = read_header; + shim_lock_interface.Hash = shim_hash; + shim_lock_interface.Context = shim_read_header; systab = passed_systab; @@ -1726,35 +2062,24 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) /* * Tell the user that we're in insecure mode if necessary */ - if (!secure_mode()) { + if (user_insecure_mode) { Print(L"Booting in insecure mode\n"); uefi_call_wrapper(BS->Stall, 1, 2000000); - } else { - /* - * Install our hooks for ExitBootServices() and StartImage() - */ - hook_system_services(systab); - loader_is_participating = 0; + } else if (secure_mode()) { + if (vendor_cert_size || vendor_dbx_size) { + /* + * If shim includes its own certificates then ensure + * that anything it boots has performed some + * validation of the next image. + */ + hook_system_services(systab); + loader_is_participating = 0; + } } - /* - * Install the protocol - */ - efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, - &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, - &shim_lock_interface); - if (EFI_ERROR(efi_status)) { - console_error(L"Could not install security protocol", - efi_status); + efi_status = install_shim_protocols(); + if (EFI_ERROR(efi_status)) return efi_status; - } - -#if defined(OVERRIDE_SECURITY_POLICY) - /* - * Install the security protocol hook - */ - security_policy_install(shim_verify); -#endif /* * Enter MokManager if necessary @@ -1779,20 +2104,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) efi_status = init_grub(image_handle); -#if defined(OVERRIDE_SECURITY_POLICY) - /* - * Clean up the security protocol hook - */ - security_policy_uninstall(); -#endif - - /* - * If we're back here then clean everything up before exiting - */ - uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, - &shim_lock_guid, &shim_lock_interface); - - + uninstall_shim_protocols(); /* * Remove our hooks from system services. */ diff --git a/testplan.txt b/testplan.txt new file mode 100644 index 0000000..0b0569e --- /dev/null +++ b/testplan.txt @@ -0,0 +1,87 @@ +How to test a new shim build for RHEL/fedora: + +1) build pesign-test-app, and sign it with the appropriate key +2) build shim with the appropriate key built in +3) install pesign-test-app and shim-unsigned on the test machine +4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test + mkdir /boot/efi/EFI/test/ + wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi + mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi +5) sign shim with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \ + -s -c "Red Hat Test Certificate" +6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi + cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \ + /boot/efi/EFI/test/grubx64.efi +7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also + leave an unsigned copy there: + pesign -i /boot/efi/EFI/redhat/grubx64.efi \ + -o /boot/efi/EFI/test/grubx64-unsigned.efi \ + -r -u 0 + pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \ + -o /boot/efi/EFI/test/grub.efi \ + -s -c "Red Hat Test Certificate" +8) sign a copy of mokmanager with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/MokManager.efi \ + -o /boot/efi/EFI/test/MokManager.efi -s \ + -c "Red Hat Test Certificate" +9) copy grub.cfg to our test directory: + cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg +10) *move* \EFI\redhat\BOOT.CSV to \EFI\test + rm -rf /boot/efi/EFI/BOOT/ + mkdir /boot/efi/EFI/BOOT/ + mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV +11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi + pesign -i /usr/share/shim/fallback.efi \ + -o /boot/efi/EFI/BOOT/fallback.efi \ + -s -c "Red Hat Test Certificate" +12) put shim.efi there as well + cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI +13) enroll the current kernel's certificate with mokutil: + # this should be a /different/ cert than the one signing pesign-test-app. + # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here. + mokutil --import ~/fedora-ca.cer +14) put machine in setup mode +15) boot to the UEFI shell +16) run lockdown.efi from #4: + fs0:\EFI\test\lockdown.efi +17) enable secure boot verification +18) verify it can't run other binaries: + fs0:\EFI\test\grubx64.efi + result should be an error, probably similar to: + "fs0:\...\grubx64.efi is not recognized as an internal or external command" +19) in the EFI shell, run fs0:\EFI\test\shim.efi +20) you should see MokManager. Enroll the certificate you added in #13, and + the system will reboot. +21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi + result: "This is a test application that should be completely safe." + If you get the expected result, shim can run things signed by its internal + key ring. Check a box someplace that says it can do that. +22) from the EFI shell, copy grub to grubx64.efi: + cp \EFI\test\grub.efi \EFI\test\grubx64.efi +23) in the EFI shell, run fs0:\EFI\test\shim.efi + result: this should start grub, which will let you boot a kernel + If grub starts, it means shim can run things signed by a key in the system's + db. Check a box someplace that says it can do that. + If the kernel boots, it means shim can run things from Mok. Check a box + someplace that says it can do that. +24) remove all boot entries and the BootOrder variable: + [root@uefi ~]# cd /sys/firmware/efi/efivars/ + [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-* + removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + [root@uefi efivars]# +25) reboot +26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just + have an old machine. In that case, go to the EFI shell and run: + fs0:\EFI\BOOT\BOOTX64.EFI + If this works, you should see a bit of output very quickly and then the same + thing as #24. This means shim recognized it was in \EFI\BOOT and ran + fallback.efi, which worked. +27) copy the unsigned grub into place and reboot: + cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi +28) reboot again. + result: shim should refuse to load grub.