public inbox for devel@edk2.groups.io
* [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
@ 2019-05-13 13:25 Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 1/6] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL Xiaoyu lu
                   ` (6 more replies)
  0 siblings, 7 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

(1) CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL
  OpenSSL only supports seeding NONE for UEFI (rand_unix.c line 93).
  So add --with-rand-seed=none to process_files.pl.

(2) CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
  When running process_files.pl to configure OpenSSL, we can exclude some unnecessary files. This can reduce porting time, compiling time and library size.

(3) CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue

(4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
  Disable warning for building OpenSSL_1_1_1b

(5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
  Update OpenSSL submodule to OpenSSL_1_1_1b
  OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)

  OpenSSL doesn't implement some rand_pool functions for UEFI.
  Use EFI_RNG_PROTOCOL to generate random data for entropy.
  If EFI_RNG_PROTOCOL is not available, fall back to the performance
  counter, but we are not sure about the amount of randomness it provides.

(6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible

  Note: Will be removed in the next update.
  Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
  Ref: https://github.com/openssl/openssl/pull/4338


Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>


Xiaoyu Lu (3):
  CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
  CryptoPkg: Upgrade OpenSSL to 1.1.1b
  CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible

Xiaoyu lu (3):
  CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL
  CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
  CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL

 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c |   8 +-
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c      |   9 +-
 .../Library/BaseCryptLib/Hmac/CryptHmacSha256.c    |   8 +-
 CryptoPkg/Library/Include/CrtLibSupport.h          |  11 +
 CryptoPkg/Library/Include/openssl/opensslconf.h    |  54 +++-
 CryptoPkg/Library/Include/sys/syscall.h            |   9 +
 CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c     |  22 ++
 CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf    |   4 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  63 +++-
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  54 +++-
 CryptoPkg/Library/OpensslLib/buildinf.h            |   2 +
 CryptoPkg/Library/OpensslLib/openssl               |   2 +-
 CryptoPkg/Library/OpensslLib/ossl_store.c          |  17 ++
 CryptoPkg/Library/OpensslLib/process_files.pl      |  11 +-
 CryptoPkg/Library/OpensslLib/rand_pool.c           | 339 +++++++++++++++++++++
 15 files changed, 564 insertions(+), 49 deletions(-)
 create mode 100644 CryptoPkg/Library/Include/sys/syscall.h
 create mode 100644 CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c
 create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c
 create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c

-- 
2.7.4



* [PATCH v3 1/6] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 2/6] CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl Xiaoyu lu
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

OpenSSL's configure mechanism uses the --with-rand-seed=xxx option to configure
random number generation.

For OpenSSL_1_1_0j(74f2d9c1ec5f5510e1d3da5a9f03c28df0977762)
we used the default --with-rand-seed=os option for building it.

But OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
only supports seeding NONE for UEFI (rand_unix.c line 93).

This OpenSSL change was introduced in commit
8389ec4b4950 ("Add --with-rand-seed", 2017-07-22).

So add --with-rand-seed=none to process_files.pl.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/OpensslLib/process_files.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index f6e1f43..6c136cc 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -90,7 +90,10 @@ BEGIN {
                 "no-threads",
                 "no-ts",
                 "no-ui",
-                "no-whirlpool"
+                "no-whirlpool",
+                # OpenSSL1_1_1b doesn't support default rand-seed-os for UEFI
+                # UEFI only support --with-rand-seed=none
+                "--with-rand-seed=none"
                 ) == 0 ||
                     die "OpenSSL Configure failed!\n";
 
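Review bot: The new comment lines misname the release ("OpenSSL1_1_1b" should be "OpenSSL_1_1_1b", the tag used everywhere else in the series) and "UEFI only support" should read "UEFI only supports". More substantively, --with-rand-seed=none switches off every built-in seed source, so from this point the DRBG is only as good as the rand_pool_acquire_entropy that 5/6 supplies in rand_pool.c; a one-line pointer to that file in the comment would stop the next reader from assuming the library runs unseeded on UEFI.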
-- 
2.7.4



* [PATCH v3 2/6] CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 1/6] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 3/6] CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue Xiaoyu lu
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

When running process_files.pl to configure OpenSSL, we can exclude
some unnecessary files. This can reduce porting time, compiling
time and library size.

Upstream OpenSSL commit 71a5516dcc8a, which was part of
OpenSSL_1_1_1b, added the STORE module (crypto/store/*).
But UEFI doesn't use it. So exclude these files.

Neither OpenSSL nor edk2 calls the functions in crypto/rand/randfile.c,
and it requires more CRT runtime support.
So exclude it.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/OpensslLib/process_files.pl | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 6c136cc..e277108 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -127,6 +127,12 @@ foreach my $product ((@{$unified_info{libraries}},
         foreach my $s (@{$unified_info{sources}->{$o}}) {
             next if ($unified_info{generate}->{$s});
             next if $s =~ "crypto/bio/b_print.c";
+
+            # No need to add unused files in UEFI.
+            # So it can reduce porting time, compile time, library size.
+            next if $s =~ "crypto/rand/randfile.c";
+            next if $s =~ "crypto/store/";
+
             if ($product =~ "libssl") {
                 push @sslfilelist, '  $(OPENSSL_PATH)/' . $s . "\r\n";
                 next;
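Review bot: The two new "next if $s =~ ..." lines use a plain string as the regex, matching the existing b_print.c line, so the unescaped dot and the unanchored path are consistent with what is already there; "crypto/store/" catches every file under that directory, which is what the comment intends. The comment's second sentence reads better as "This reduces porting time, compile time and library size." Since the .inf source lists are only regenerated in 5/6, this change has no effect on the build until then, which keeps the series bisectable.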
-- 
2.7.4



* [PATCH v3 3/6] CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 1/6] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 2/6] CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 4/6] CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL Xiaoyu lu
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

From: Xiaoyu Lu <xiaoyux.lu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

This is for the upcoming upgrade to OpenSSL_1_1_1b

Compiler optimization (Visual Studio) may automatically call _ftol2
for some type conversions. For example:

 OpensslLib.lib(drbg_lib.obj) : error LNK2001:
    unresolved external symbol __ftol2

This patch adds the _ftol2 function for the compiler intrinsic.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c  | 22 ++++++++++++++++++++++
 CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf |  4 +++-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c

diff --git a/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c b/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c
new file mode 100644
index 0000000..147a19a
--- /dev/null
+++ b/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c
@@ -0,0 +1,22 @@
+/** @file
+  64-bit Math Worker Function.
+  The 32-bit versions of C compiler generate calls to library routines
+  to handle 64-bit math. These functions use non-standard calling conventions.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+/*
+ * Floating point to integer conversion.
+ */
+__declspec(naked) void _ftol2 (void)
+{
+  _asm {
+    fistp qword ptr [esp-8]
+    mov   edx, [esp-4]
+    mov   eax, [esp-8]
+    ret
+  }
+}
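Review bot: fistp converts using the rounding mode in the FPU control word, whereas a C cast from floating point to integer must truncate toward zero, so unless the control word already has RC set to truncate this _ftol2 returns a rounded value (2.7 becomes 3 rather than 2); the CRT's own _ftol2 guarantees truncation regardless of the control word, and this file should do the same, for instance by saving the control word with fnstcw, setting RC=11 with fldcw around the fistp, and restoring it. The store to [esp-8] is also below the stack pointer, so an interrupt taken between the fistp and the two loads pushes EFLAGS/CS/EIP over exactly those slots; reserving the space with "sub esp, 8" before the store (and "add esp, 8" before ret) avoids that. Finally, the file header describes "64-bit Math Worker" routines, which does not match a float-to-integer conversion helper.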
diff --git a/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf b/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
index 5a20967..fcbb933 100644
--- a/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+++ b/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
@@ -1,7 +1,7 @@
 ## @file
 #  Intrinsic Routines Wrapper Library Instance.
 #
-#  Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -29,9 +29,11 @@
 
   Ia32/MathLShiftS64.c      | MSFT
   Ia32/MathRShiftU64.c      | MSFT
+  Ia32/MathFtol.c           | MSFT
 
   Ia32/MathLShiftS64.c      | INTEL
   Ia32/MathRShiftU64.c      | INTEL
+  Ia32/MathFtol.c           | INTEL
 
   Ia32/MathLShiftS64.nasm   | GCC
   Ia32/MathRShiftU64.nasm   | GCC
-- 
2.7.4



* [PATCH v3 4/6] CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
                   ` (2 preceding siblings ...)
  2019-05-13 13:25 ` [PATCH v3 3/6] CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 5/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

Disable warning for building OpenSSL_1_1_1b

Add /wd4132 /wd4700 /wd4310 for Visual Studio in OpensslLib[Crypto].inf.

Add -Wno-error=unused-but-set-variable for GCC in OpensslLib[Crypto].inf.
Although this option is set by default in some build environments,
this one is only for OpenSSL compilation, no matter how the
default options change.

Due to --with-rand-seed=none, we need to provide a placeholder header
file CryptoPkg/Library/Include/sys/syscall.h.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/Include/sys/syscall.h           |  9 +++++++++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 16 ++++++++++------
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 16 ++++++++++------
 3 files changed, 29 insertions(+), 12 deletions(-)
 create mode 100644 CryptoPkg/Library/Include/sys/syscall.h

diff --git a/CryptoPkg/Library/Include/sys/syscall.h b/CryptoPkg/Library/Include/sys/syscall.h
new file mode 100644
index 0000000..bd212b0
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/syscall.h
@@ -0,0 +1,9 @@
+/** @file
+  Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
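Review bot: The stub carries no include guard; CrtLibSupport.h presumably has its own, but a guard here is cheap and keeps the header self-contained. A one-line comment naming which OpenSSL source includes <sys/syscall.h> under --with-rand-seed=none would also explain why the file exists at all; the commit message only says that the option requires it.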
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 530ac5f..f4d7772 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -530,17 +530,20 @@
   # Disables the following Visual Studio compiler warnings brought by openssl source,
   # so we do not break the build with /WX option:
   #   C4090: 'function' : different 'const' qualifiers
+  #   C4132: 'object' : const object should be initialized (tls13_enc.c)
   #   C4244: conversion from type1 to type2, possible loss of data
   #   C4245: conversion from type1 to type2, signed/unsigned mismatch
   #   C4267: conversion from size_t to type, possible loss of data
   #   C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size
+  #   C4310: cast truncates constant value
   #   C4389: 'operator' : signed/unsigned mismatch (xxxx)
+  #   C4700: uninitialized local variable 'name' used. (conf_sap.c(71))
   #   C4702: unreachable code
   #   C4706: assignment within conditional expression
   #   C4819: The file contains a character that cannot be represented in the current code page
   #
-  MSFT:*_*_IA32_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4244 /wd4245 /wd4267 /wd4389 /wd4702 /wd4706 /wd4819
-  MSFT:*_*_X64_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4244 /wd4245 /wd4267 /wd4306 /wd4389 /wd4702 /wd4706 /wd4819
+  MSFT:*_*_IA32_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4310 /wd4389 /wd4700 /wd4702 /wd4706 /wd4819
+  MSFT:*_*_X64_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819
 
   INTEL:*_*_IA32_CC_FLAGS  = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w
   INTEL:*_*_X64_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w
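Review bot: On the X64 line, /wd4700 is inserted before /wd4389, breaking the ascending order that the IA32 line and the comment block keep; please reorder so the two lines diff cleanly. Beyond style, C4700 (uninitialized local variable used) is a warning that catches real memory-safety bugs, and /wd4700 silences it for every OpenSSL translation unit rather than only conf_sap.c; if the upstream fix for conf_sap.c(71) is known, noting it in the comment would let the suppression be dropped on the next submodule bump.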
@@ -550,11 +553,12 @@
   #   -Werror=maybe-uninitialized: there exist some other paths for which the variable is not initialized.
   #   -Werror=format: Check calls to printf and scanf, etc., to make sure that the arguments supplied have
   #                   types appropriate to the format string specified.
+  #   -Werror=unused-but-set-variable: Warn whenever a local variable is assigned to, but otherwise unused (aside from its declaration).
   #
-  GCC:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized
-  GCC:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -DNO_MSABI_VA_FUNCS
-  GCC:*_*_ARM_CC_FLAGS     = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized
-  GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format
+  GCC:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable
+  GCC:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -DNO_MSABI_VA_FUNCS
+  GCC:*_*_ARM_CC_FLAGS     = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable
+  GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable
 
   # suppress the following warnings in openssl so we don't break the build with warnings-as-errors:
   # 1295: Deprecated declaration <entity> - give arg types
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 2310100..fd12d11 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -491,17 +491,20 @@
   # Disables the following Visual Studio compiler warnings brought by openssl source,
   # so we do not break the build with /WX option:
   #   C4090: 'function' : different 'const' qualifiers
+  #   C4132: 'object' : const object should be initialized (tls13_enc.c)
   #   C4244: conversion from type1 to type2, possible loss of data
   #   C4245: conversion from type1 to type2, signed/unsigned mismatch
   #   C4267: conversion from size_t to type, possible loss of data
   #   C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size
+  #   C4310: cast truncates constant value
   #   C4389: 'operator' : signed/unsigned mismatch (xxxx)
+  #   C4700: uninitialized local variable 'name' used. (conf_sap.c(71))
   #   C4702: unreachable code
   #   C4706: assignment within conditional expression
   #   C4819: The file contains a character that cannot be represented in the current code page
   #
-  MSFT:*_*_IA32_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4244 /wd4245 /wd4267 /wd4389 /wd4702 /wd4706 /wd4819
-  MSFT:*_*_X64_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4244 /wd4245 /wd4267 /wd4306 /wd4389 /wd4702 /wd4706 /wd4819
+  MSFT:*_*_IA32_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4310 /wd4389 /wd4700 /wd4702 /wd4706 /wd4819
+  MSFT:*_*_X64_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819
 
   INTEL:*_*_IA32_CC_FLAGS  = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w
   INTEL:*_*_X64_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w
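Review bot: Same ordering slip as in OpensslLib.inf: /wd4700 precedes /wd4389 on the X64 line only. Since the two .inf files carry identical warning blocks, please keep them byte-for-byte identical so a diff between them stays empty and a future edit to one is not missed in the other.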
@@ -511,11 +514,12 @@
   #   -Werror=maybe-uninitialized: there exist some other paths for which the variable is not initialized.
   #   -Werror=format: Check calls to printf and scanf, etc., to make sure that the arguments supplied have
   #                   types appropriate to the format string specified.
+  #   -Werror=unused-but-set-variable: Warn whenever a local variable is assigned to, but otherwise unused (aside from its declaration).
   #
-  GCC:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized
-  GCC:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -DNO_MSABI_VA_FUNCS
-  GCC:*_*_ARM_CC_FLAGS     = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized
-  GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format
+  GCC:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable
+  GCC:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -DNO_MSABI_VA_FUNCS
+  GCC:*_*_ARM_CC_FLAGS     = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable
+  GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable
 
   # suppress the following warnings in openssl so we don't break the build with warnings-as-errors:
   # 1295: Deprecated declaration <entity> - give arg types
-- 
2.7.4



* [PATCH v3 5/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
                   ` (3 preceding siblings ...)
  2019-05-13 13:25 ` [PATCH v3 4/6] CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 13:25 ` [PATCH v3 6/6] CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible Xiaoyu lu
  2019-05-13 19:24 ` [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

From: Xiaoyu Lu <xiaoyux.lu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

Update OpenSSL submodule to OpenSSL_1_1_1b
  OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)

Run process_files.pl script to regenerate OpensslLib[Crypto].inf
  and opensslconf.h

Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
which was first released as part of OpenSSL_1_1_1.

Starting with OpenSSL commit 8a8d9e1905 (first released in
OpenSSL_1_1_1), the OpenSSL_version() function can no longer
return a pointer to the string literal "compiler: information
not available" in case the CFLAGS macro is not defined.
Instead, the function now has a hard dependency on the global
variable 'compiler_flags'. This variable is normally placed
by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
run that script whenever we build OpenSSL, therefore we
must provide our own dummy 'compiler_flags'.

Since OpenSSL_1_1_1b doesn't fully implement the rand pool functions
for UEFI, add a file (rand_pool.c) and implement them:
* rand_pool_acquire_entropy
* rand_pool_add_nonce_data
* rand_pool_add_additional_data
* rand_pool_init
* rand_pool_cleanup
* rand_pool_keep_random_devices_open
We use EFI_RNG_PROTOCOL to generate random outputs for
seeding entropy. And if EFI_RNG_PROTOCOL is not provided by
a platform, we fall back to the performance counter.

We don't need the ossl_store functions. We exclude the related files
through process_files.pl. And ossl_store_cleanup_int was first
added in crypto/init.c in OpenSSL_1_1_1 (71a5516d).
So add a new file (ossl_store.c) to implement the ossl_store_cleanup_int
function.

BUFSIZ is used by crypto/evp/evp_key.c (OpenSSL_1_1_1b),
and it is declared in stdio.h. So add it to CrtLibSupport.h.
Ref: https://github.com/openssl/openssl/issues/8904

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/Include/CrtLibSupport.h         |  11 +
 CryptoPkg/Library/Include/openssl/opensslconf.h   |  54 +++-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf       |  47 ++-
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf |  38 ++-
 CryptoPkg/Library/OpensslLib/buildinf.h           |   2 +
 CryptoPkg/Library/OpensslLib/openssl              |   2 +-
 CryptoPkg/Library/OpensslLib/ossl_store.c         |  17 ++
 CryptoPkg/Library/OpensslLib/rand_pool.c          | 339 ++++++++++++++++++++++
 8 files changed, 481 insertions(+), 29 deletions(-)
 create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c
 create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
index b05c5d9..467f8c8 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -21,6 +21,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define MAX_STRING_SIZE  0x1000
 
 //
+// We already have "no-ui" in out Configure invocation.
+// but the code still fails to compile.
+// Ref:  https://github.com/openssl/openssl/issues/8904
+//
+// This is defined in CRT library(stdio.h).
+//
+#ifndef BUFSIZ
+#define BUFSIZ  8192
+#endif
+
+//
 // OpenSSL relies on explicit configuration for word size in crypto/bn,
 // but we want it to be automatically inferred from the target. So we
 // bypass what's in <openssl/opensslconf.h> for OPENSSL_SYS_UEFI, and
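Review bot: Typo in the new comment: "in out Configure invocation" should be "in our Configure invocation". The fallback definition itself is a reasonable stdio.h stand-in, but since the only consumer named in the commit message is evp_key.c, and 8192 is the glibc value rather than anything UEFI requires, a short note that the value was chosen to match the host CRT would help anyone later wondering whether it can be shrunk for stack-constrained firmware phases.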
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 28dd9ab..07fa2d3 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -10,6 +10,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <openssl/opensslv.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -77,18 +79,21 @@ extern "C" {
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SM2
+# define OPENSSL_NO_SM2
+#endif
 #ifndef OPENSSL_NO_SRP
 # define OPENSSL_NO_SRP
 #endif
 #ifndef OPENSSL_NO_TS
 # define OPENSSL_NO_TS
 #endif
-#ifndef OPENSSL_NO_UI
-# define OPENSSL_NO_UI
-#endif
 #ifndef OPENSSL_NO_WHIRLPOOL
 # define OPENSSL_NO_WHIRLPOOL
 #endif
+#ifndef OPENSSL_RAND_SEED_NONE
+# define OPENSSL_RAND_SEED_NONE
+#endif
 #ifndef OPENSSL_NO_AFALGENG
 # define OPENSSL_NO_AFALGENG
 #endif
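Review bot: Dropping OPENSSL_NO_UI here while adding OPENSSL_NO_UI_CONSOLE further down reads as the 1.1.1 rename of the no-ui Configure option to no-ui-console, and it is what pulls crypto/ui/*.c into the source lists later in this patch; since the header is regenerated by process_files.pl the edit is expected, but the commit message should say that the UI sources are now compiled. It would also help to note that OPENSSL_RAND_SEED_NONE, added in this hunk, is the define that makes rand_unix.c compile out its seeding, the header-side counterpart of 1/6.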
@@ -122,6 +127,9 @@ extern "C" {
 #ifndef OPENSSL_NO_DEPRECATED
 # define OPENSSL_NO_DEPRECATED
 #endif
+#ifndef OPENSSL_NO_DEVCRYPTOENG
+# define OPENSSL_NO_DEVCRYPTOENG
+#endif
 #ifndef OPENSSL_NO_DGRAM
 # define OPENSSL_NO_DGRAM
 #endif
@@ -155,6 +163,9 @@ extern "C" {
 #ifndef OPENSSL_NO_ERR
 # define OPENSSL_NO_ERR
 #endif
+#ifndef OPENSSL_NO_EXTERNAL_TESTS
+# define OPENSSL_NO_EXTERNAL_TESTS
+#endif
 #ifndef OPENSSL_NO_FILENAMES
 # define OPENSSL_NO_FILENAMES
 #endif
@@ -209,15 +220,24 @@ extern "C" {
 #ifndef OPENSSL_NO_TESTS
 # define OPENSSL_NO_TESTS
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+# define OPENSSL_NO_TLS1_3
+#endif
 #ifndef OPENSSL_NO_UBSAN
 # define OPENSSL_NO_UBSAN
 #endif
+#ifndef OPENSSL_NO_UI_CONSOLE
+# define OPENSSL_NO_UI_CONSOLE
+#endif
 #ifndef OPENSSL_NO_UNIT_TEST
 # define OPENSSL_NO_UNIT_TEST
 #endif
 #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
 # define OPENSSL_NO_WEAK_SSL_CIPHERS
 #endif
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+# define OPENSSL_NO_DYNAMIC_ENGINE
+#endif
 #ifndef OPENSSL_NO_AFALGENG
 # define OPENSSL_NO_AFALGENG
 #endif
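Review bot: OPENSSL_NO_TLS1_3 is defined in this hunk and neither the commit message nor the cover letter mentions it, yet it is the most user-visible line in the file: any TLS consumer built on this upgrade will negotiate at most TLS 1.2. If that is deliberate (a Configure option or a cascade from another no-* option), please state it and the reason in the commit message; if it is an unintended side effect of the Configure defaults, it deserves a follow-up before the series lands.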
@@ -236,15 +256,11 @@ extern "C" {
  * functions.
  */
 #ifndef DECLARE_DEPRECATED
-# if defined(OPENSSL_NO_DEPRECATED)
-#  define DECLARE_DEPRECATED(f)
-# else
-#  define DECLARE_DEPRECATED(f)   f;
-#  ifdef __GNUC__
-#   if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
-#    undef DECLARE_DEPRECATED
-#    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
-#   endif
+# define DECLARE_DEPRECATED(f)   f;
+# ifdef __GNUC__
+#  if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
 #  endif
 # endif
 #endif
@@ -268,6 +284,18 @@ extern "C" {
 # define OPENSSL_API_COMPAT OPENSSL_MIN_API
 #endif
 
+/*
+ * Do not deprecate things to be deprecated in version 1.2.0 before the
+ * OpenSSL version number matches.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10200000L
+# define DEPRECATEDIN_1_2_0(f)   f;
+#elif OPENSSL_API_COMPAT < 0x10200000L
+# define DEPRECATEDIN_1_2_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_2_0(f)
+#endif
+
 #if OPENSSL_API_COMPAT < 0x10100000L
 # define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
 #else
@@ -286,8 +314,6 @@ extern "C" {
 # define DEPRECATEDIN_0_9_8(f)
 #endif
 
-
-
 /* Generate 80386 code? */
 #undef I386_ONLY
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index f4d7772..72f0a67 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -15,13 +15,15 @@
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
   DEFINE OPENSSL_PATH            = openssl
-  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
+  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
 #  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64
 #
 
 [Sources]
+  ossl_store.c
+  rand_pool.c
   $(OPENSSL_PATH)/e_os.h
 # Autogenerated files list starts here
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
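Review bot: Placing ossl_store.c and rand_pool.c above the "Autogenerated files list starts here" marker is right, since process_files.pl would otherwise overwrite them on the next regeneration. What the hunks of this file do not show is the matching [Protocols] entry for EFI_RNG_PROTOCOL (gEfiRngProtocolGuid) and the library class that rand_pool.c needs to locate it through boot services, which the commit message says it does; if those additions are further down in the file, fine, otherwise the GUID will be unresolved at link time. Dropping -DNO_SYSLOG matches the upstream commit cited in the message.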
@@ -32,6 +34,7 @@
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
   $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
+  $(OPENSSL_PATH)/crypto/aria/aria.c
   $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
   $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
   $(OPENSSL_PATH)/crypto/asn1/a_digest.c
@@ -54,6 +57,7 @@
   $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
+  $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
   $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
@@ -172,6 +176,7 @@
   $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
   $(OPENSSL_PATH)/crypto/cpt_err.c
   $(OPENSSL_PATH)/crypto/cryptlib.c
+  $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
   $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
   $(OPENSSL_PATH)/crypto/des/cbc_enc.c
@@ -189,7 +194,6 @@
   $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
   $(OPENSSL_PATH)/crypto/des/qud_cksm.c
   $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/rpc_enc.c
   $(OPENSSL_PATH)/crypto/des/set_key.c
   $(OPENSSL_PATH)/crypto/des/str2key.c
   $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
@@ -206,6 +210,7 @@
   $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
   $(OPENSSL_PATH)/crypto/dh/dh_prn.c
   $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
+  $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
   $(OPENSSL_PATH)/crypto/dso/dso_dl.c
   $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
   $(OPENSSL_PATH)/crypto/dso/dso_err.c
@@ -228,6 +233,7 @@
   $(OPENSSL_PATH)/crypto/evp/e_aes.c
   $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
   $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
+  $(OPENSSL_PATH)/crypto/evp/e_aria.c
   $(OPENSSL_PATH)/crypto/evp/e_bf.c
   $(OPENSSL_PATH)/crypto/evp/e_camellia.c
   $(OPENSSL_PATH)/crypto/evp/e_cast.c
@@ -242,6 +248,7 @@
   $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
   $(OPENSSL_PATH)/crypto/evp/e_rc5.c
   $(OPENSSL_PATH)/crypto/evp/e_seed.c
+  $(OPENSSL_PATH)/crypto/evp/e_sm4.c
   $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
   $(OPENSSL_PATH)/crypto/evp/encode.c
   $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
@@ -259,6 +266,7 @@
   $(OPENSSL_PATH)/crypto/evp/m_null.c
   $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
   $(OPENSSL_PATH)/crypto/evp/m_sha1.c
+  $(OPENSSL_PATH)/crypto/evp/m_sha3.c
   $(OPENSSL_PATH)/crypto/evp/m_sigver.c
   $(OPENSSL_PATH)/crypto/evp/m_wp.c
   $(OPENSSL_PATH)/crypto/evp/names.c
@@ -271,10 +279,10 @@
   $(OPENSSL_PATH)/crypto/evp/p_seal.c
   $(OPENSSL_PATH)/crypto/evp/p_sign.c
   $(OPENSSL_PATH)/crypto/evp/p_verify.c
+  $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
-  $(OPENSSL_PATH)/crypto/evp/scrypt.c
   $(OPENSSL_PATH)/crypto/ex_data.c
   $(OPENSSL_PATH)/crypto/getenv.c
   $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
@@ -283,6 +291,7 @@
   $(OPENSSL_PATH)/crypto/init.c
   $(OPENSSL_PATH)/crypto/kdf/hkdf.c
   $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
+  $(OPENSSL_PATH)/crypto/kdf/scrypt.c
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
@@ -360,14 +369,14 @@
   $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
   $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
   $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
-  $(OPENSSL_PATH)/crypto/rand/md_rand.c
+  $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
+  $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
   $(OPENSSL_PATH)/crypto/rand/rand_egd.c
   $(OPENSSL_PATH)/crypto/rand/rand_err.c
   $(OPENSSL_PATH)/crypto/rand/rand_lib.c
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rand/randfile.c
   $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
   $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
@@ -379,8 +388,8 @@
   $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
+  $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
-  $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
@@ -392,15 +401,27 @@
   $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
+  $(OPENSSL_PATH)/crypto/sha/keccak1600.c
   $(OPENSSL_PATH)/crypto/sha/sha1_one.c
   $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
   $(OPENSSL_PATH)/crypto/sha/sha256.c
   $(OPENSSL_PATH)/crypto/sha/sha512.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
+  $(OPENSSL_PATH)/crypto/sm3/sm3.c
+  $(OPENSSL_PATH)/crypto/sm4/sm4.c
   $(OPENSSL_PATH)/crypto/stack/stack.c
   $(OPENSSL_PATH)/crypto/threads_none.c
   $(OPENSSL_PATH)/crypto/threads_pthread.c
   $(OPENSSL_PATH)/crypto/threads_win.c
   $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
+  $(OPENSSL_PATH)/crypto/ui/ui_err.c
+  $(OPENSSL_PATH)/crypto/ui/ui_lib.c
+  $(OPENSSL_PATH)/crypto/ui/ui_null.c
+  $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
+  $(OPENSSL_PATH)/crypto/ui/ui_util.c
   $(OPENSSL_PATH)/crypto/uid.c
   $(OPENSSL_PATH)/crypto/x509/by_dir.c
   $(OPENSSL_PATH)/crypto/x509/by_file.c
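Review bot: this hunk pulls in keccak1600 (SHA-3), SipHash, SM3, SM4 and the whole crypto/ui directory, and earlier hunks in the same file add e_aria.c and e_sm4.c. The cover letter presents patch #2 as the place where unnecessary files are excluded to cut porting time and library size; if no BaseCryptLib consumer needs ARIA, SM3, SM4, SipHash or the interactive UI methods (ui_openssl.c is a console password prompt), configuring with no-aria no-sm3 no-sm4 no-siphash no-ui-console, or listing those directories in the process_files.pl exclusion list, keeps them out of the firmware image. Either way, the commit message should state which of these algorithms are intentionally being compiled into OpensslLib.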
@@ -445,6 +466,7 @@
   $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
   $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
+  $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
@@ -479,12 +501,14 @@
   $(OPENSSL_PATH)/ssl/d1_msg.c
   $(OPENSSL_PATH)/ssl/d1_srtp.c
   $(OPENSSL_PATH)/ssl/methods.c
+  $(OPENSSL_PATH)/ssl/packet.c
   $(OPENSSL_PATH)/ssl/pqueue.c
   $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c
   $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c
   $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c
   $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c
   $(OPENSSL_PATH)/ssl/record/ssl3_record.c
+  $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c
   $(OPENSSL_PATH)/ssl/s3_cbc.c
   $(OPENSSL_PATH)/ssl/s3_enc.c
   $(OPENSSL_PATH)/ssl/s3_lib.c
@@ -502,16 +526,19 @@
   $(OPENSSL_PATH)/ssl/ssl_stat.c
   $(OPENSSL_PATH)/ssl/ssl_txt.c
   $(OPENSSL_PATH)/ssl/ssl_utst.c
+  $(OPENSSL_PATH)/ssl/statem/extensions.c
+  $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
+  $(OPENSSL_PATH)/ssl/statem/extensions_cust.c
+  $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
   $(OPENSSL_PATH)/ssl/statem/statem.c
   $(OPENSSL_PATH)/ssl/statem/statem_clnt.c
   $(OPENSSL_PATH)/ssl/statem/statem_dtls.c
   $(OPENSSL_PATH)/ssl/statem/statem_lib.c
   $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
   $(OPENSSL_PATH)/ssl/t1_enc.c
-  $(OPENSSL_PATH)/ssl/t1_ext.c
   $(OPENSSL_PATH)/ssl/t1_lib.c
-  $(OPENSSL_PATH)/ssl/t1_reneg.c
   $(OPENSSL_PATH)/ssl/t1_trce.c
+  $(OPENSSL_PATH)/ssl/tls13_enc.c
   $(OPENSSL_PATH)/ssl/tls_srp.c
 # Autogenerated files list ends here
 
@@ -521,10 +548,14 @@
 
 [LibraryClasses]
   DebugLib
+  TimerLib
 
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
+[Protocols]
+  gEfiRngProtocolGuid
+
 [BuildOptions]
   #
   # Disables the following Visual Studio compiler warnings brought by openssl source,
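Review bot: [LibraryClasses] gains only TimerLib, but the rand_pool.c added to this library calls gBS->LocateProtocol, ASSERT and CopyMem, so UefiBootServicesTableLib and BaseMemoryLib must be declared here alongside the existing DebugLib. Listing gEfiRngProtocolGuid under [Protocols] without the library that provides gBS links only when some consuming module or other library happens to pull UefiBootServicesTableLib in, which is not a dependency a library INF should rely on.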
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index fd12d11..4484143 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -15,13 +15,15 @@
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
   DEFINE OPENSSL_PATH            = openssl
-  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
+  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
 #  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64
 #
 
 [Sources]
+  ossl_store.c
+  rand_pool.c
   $(OPENSSL_PATH)/e_os.h
 # Autogenerated files list starts here
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
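Review bot: the removal of -DNO_SYSLOG from OPENSSL_FLAGS is not explained anywhere in the hunk. If OpenSSL 1.1.1b no longer consults that macro, say so in the commit message; if it still does (crypto/bio/bss_log.c is the usual consumer), dropping it on a platform with no syslog needs a justification. The two hand-written sources are correctly placed above the "Autogenerated files list starts here" marker so process_files.pl will not discard them; a one-line comment next to each saying which OpenSSL symbols they supply (rand_pool_* and ossl_store_cleanup_int) would help whoever does the next submodule bump.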
@@ -32,6 +34,7 @@
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
   $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
+  $(OPENSSL_PATH)/crypto/aria/aria.c
   $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
   $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
   $(OPENSSL_PATH)/crypto/asn1/a_digest.c
@@ -54,6 +57,7 @@
   $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
+  $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
   $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
   $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
@@ -172,6 +176,7 @@
   $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
   $(OPENSSL_PATH)/crypto/cpt_err.c
   $(OPENSSL_PATH)/crypto/cryptlib.c
+  $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
   $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
   $(OPENSSL_PATH)/crypto/des/cbc_enc.c
@@ -189,7 +194,6 @@
   $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
   $(OPENSSL_PATH)/crypto/des/qud_cksm.c
   $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/rpc_enc.c
   $(OPENSSL_PATH)/crypto/des/set_key.c
   $(OPENSSL_PATH)/crypto/des/str2key.c
   $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
@@ -206,6 +210,7 @@
   $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
   $(OPENSSL_PATH)/crypto/dh/dh_prn.c
   $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
+  $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
   $(OPENSSL_PATH)/crypto/dso/dso_dl.c
   $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
   $(OPENSSL_PATH)/crypto/dso/dso_err.c
@@ -228,6 +233,7 @@
   $(OPENSSL_PATH)/crypto/evp/e_aes.c
   $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
   $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
+  $(OPENSSL_PATH)/crypto/evp/e_aria.c
   $(OPENSSL_PATH)/crypto/evp/e_bf.c
   $(OPENSSL_PATH)/crypto/evp/e_camellia.c
   $(OPENSSL_PATH)/crypto/evp/e_cast.c
@@ -242,6 +248,7 @@
   $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
   $(OPENSSL_PATH)/crypto/evp/e_rc5.c
   $(OPENSSL_PATH)/crypto/evp/e_seed.c
+  $(OPENSSL_PATH)/crypto/evp/e_sm4.c
   $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
   $(OPENSSL_PATH)/crypto/evp/encode.c
   $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
@@ -259,6 +266,7 @@
   $(OPENSSL_PATH)/crypto/evp/m_null.c
   $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
   $(OPENSSL_PATH)/crypto/evp/m_sha1.c
+  $(OPENSSL_PATH)/crypto/evp/m_sha3.c
   $(OPENSSL_PATH)/crypto/evp/m_sigver.c
   $(OPENSSL_PATH)/crypto/evp/m_wp.c
   $(OPENSSL_PATH)/crypto/evp/names.c
@@ -271,10 +279,10 @@
   $(OPENSSL_PATH)/crypto/evp/p_seal.c
   $(OPENSSL_PATH)/crypto/evp/p_sign.c
   $(OPENSSL_PATH)/crypto/evp/p_verify.c
+  $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
   $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
-  $(OPENSSL_PATH)/crypto/evp/scrypt.c
   $(OPENSSL_PATH)/crypto/ex_data.c
   $(OPENSSL_PATH)/crypto/getenv.c
   $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
@@ -283,6 +291,7 @@
   $(OPENSSL_PATH)/crypto/init.c
   $(OPENSSL_PATH)/crypto/kdf/hkdf.c
   $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
+  $(OPENSSL_PATH)/crypto/kdf/scrypt.c
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
@@ -360,14 +369,14 @@
   $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
   $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
   $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
-  $(OPENSSL_PATH)/crypto/rand/md_rand.c
+  $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
+  $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
   $(OPENSSL_PATH)/crypto/rand/rand_egd.c
   $(OPENSSL_PATH)/crypto/rand/rand_err.c
   $(OPENSSL_PATH)/crypto/rand/rand_lib.c
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rand/randfile.c
   $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
   $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
@@ -379,8 +388,8 @@
   $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
+  $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
-  $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
@@ -392,15 +401,27 @@
   $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
+  $(OPENSSL_PATH)/crypto/sha/keccak1600.c
   $(OPENSSL_PATH)/crypto/sha/sha1_one.c
   $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
   $(OPENSSL_PATH)/crypto/sha/sha256.c
   $(OPENSSL_PATH)/crypto/sha/sha512.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
+  $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
+  $(OPENSSL_PATH)/crypto/sm3/sm3.c
+  $(OPENSSL_PATH)/crypto/sm4/sm4.c
   $(OPENSSL_PATH)/crypto/stack/stack.c
   $(OPENSSL_PATH)/crypto/threads_none.c
   $(OPENSSL_PATH)/crypto/threads_pthread.c
   $(OPENSSL_PATH)/crypto/threads_win.c
   $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
+  $(OPENSSL_PATH)/crypto/ui/ui_err.c
+  $(OPENSSL_PATH)/crypto/ui/ui_lib.c
+  $(OPENSSL_PATH)/crypto/ui/ui_null.c
+  $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
+  $(OPENSSL_PATH)/crypto/ui/ui_util.c
   $(OPENSSL_PATH)/crypto/uid.c
   $(OPENSSL_PATH)/crypto/x509/by_dir.c
   $(OPENSSL_PATH)/crypto/x509/by_file.c
@@ -445,6 +466,7 @@
   $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
   $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
+  $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
   $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
@@ -482,10 +504,14 @@
 
 [LibraryClasses]
   DebugLib
+  TimerLib
 
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
+[Protocols]
+  gEfiRngProtocolGuid
+
 [BuildOptions]
   #
   # Disables the following Visual Studio compiler warnings brought by openssl source,
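Review bot: same gap as in OpensslLib.inf: rand_pool.c uses gBS, ASSERT and CopyMem, so this [LibraryClasses] section needs UefiBootServicesTableLib and BaseMemoryLib next to TimerLib. Beyond the declaration, both INFs carry LIBRARY_CLASS = OpensslLib, so either instance can be selected for PEI and SMM modules that consume BaseCryptLib, and gBS does not exist in those phases; the commit message should say how the EFI_RNG_PROTOCOL lookup is expected to behave there, or the noise source should move behind a library class with phase-specific instances.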
diff --git a/CryptoPkg/Library/OpensslLib/buildinf.h b/CryptoPkg/Library/OpensslLib/buildinf.h
index c5ca293..b840c86 100644
--- a/CryptoPkg/Library/OpensslLib/buildinf.h
+++ b/CryptoPkg/Library/OpensslLib/buildinf.h
@@ -1,2 +1,4 @@
 #define PLATFORM  "UEFI"
 #define DATE      "Fri Dec 22 01:23:45 PDT 2017"
+
+const char * compiler_flags = "compiler: information not available from edk2";
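Review bot: `compiler_flags` is defined with external linkage inside a header. OpenSSL's own generated buildinf.h declares it as `static const char compiler_flags[]`, and cversion.c only reads it for OpenSSL_version(OPENSSL_CFLAGS), so the definition here should be `static const char compiler_flags[] = "compiler: information not available from edk2";` to match that shape and to avoid a duplicate-symbol link error if the header is ever included from a second translation unit.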
diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
index 74f2d9c..50eaac9 160000
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762
+Subproject commit 50eaac9f3337667259de725451f201e784599687
diff --git a/CryptoPkg/Library/OpensslLib/ossl_store.c b/CryptoPkg/Library/OpensslLib/ossl_store.c
new file mode 100644
index 0000000..29e1506
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/ossl_store.c
@@ -0,0 +1,17 @@
+/** @file
+  Dummy implement ossl_store(Store retrieval functions) for UEFI.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+/*
+ * This function is cleanup ossl store.
+ *
+ * Dummy Implement for UEFI
+ */
+void ossl_store_cleanup_int(void)
+{
+}
+
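Review bot: the header comment should state why this stub exists rather than just calling it a dummy: the crypto/store sources are absent from the generated file lists in this patch, yet OpenSSL's cleanup path still references ossl_store_cleanup_int(), so the link would fail without it. Something like "Empty OSSL_STORE cleanup hook for UEFI; the store sources are excluded by process_files.pl" is clearer than "Dummy implement ossl_store(Store retrieval functions)" and "This function is cleanup ossl store". The file also ends with an extra empty line after the closing brace.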
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c b/CryptoPkg/Library/OpensslLib/rand_pool.c
new file mode 100644
index 0000000..a88ad8b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
@@ -0,0 +1,339 @@
+/** @file
+  OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
+  The file implement these functions.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "internal/rand_int.h"
+#include <openssl/aes.h>
+#include <Uefi.h>
+#include <Library/TimerLib.h>
+#include <Protocol/Rng.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+/**
+  Get some randomness from low-order bits of GetPerformanceCounter results.
+  And combine them to the 64-bit value
+
+  @param[out] Rand    Buffer pointer to store the 64-bit random value.
+
+  @retval TRUE        Random number generated successfully.
+  @retval FALSE       Failed to generate.
+**/
+STATIC
+BOOLEAN
+EFIAPI
+RandNumber64FromPerformanceCounter(
+  OUT UINT64      *Rand
+  )
+{
+  UINT32 Index;
+  UINT32 *RandPtr;
+  RandPtr = (UINT32 *)Rand;
+
+  ASSERT (Rand != NULL);
+
+  for (Index = 0; Index < 2; Index ++) {
+    *RandPtr = (UINT32)(GetPerformanceCounter() & 0xFF);
+    MicroSecondDelay(10);
+    RandPtr++;
+  }
+
+  return TRUE;
+}
+
+
+/**
+  Generates a 64-bit random number.
+  if Rand is NULL, then ASSERT().
+  @param[out] Rand     Buffer pointer to store the 64-bit random value.
+  @retval TRUE         Random number generated successfully.
+  @retval FALSE        Failed to generate the random number.
+**/
+STATIC
+BOOLEAN
+EFIAPI
+RandomNumber64 (
+  OUT     UINT64                    *Rand
+  )
+{
+  EFI_RNG_PROTOCOL      *Rng;
+  UINTN                 Number = 8;
+  EFI_STATUS            Status;
+  BOOLEAN               Ret;
+
+  ASSERT (Rand != NULL);
+
+  Ret = FALSE;
+
+  Status = gBS->LocateProtocol(&gEfiRngProtocolGuid, NULL, (VOID **)&Rng);
+  if (Status == EFI_NOT_FOUND) {
+    //
+    // Fall back to use PerformanceCounter to generate rand nubmer.
+    // We are not sure about the amount of randomness it provides.
+    // If you really care about the security. please provide a EFI_RNG_PROTOCOL
+    //
+    Ret = RandNumber64FromPerformanceCounter(Rand);
+    return Ret;
+  }
+
+  if (Status == EFI_SUCCESS) {
+    Status = Rng->GetRNG (Rng, NULL, Number, (UINT8 *)Rand);
+  }
+
+  if (Status == EFI_SUCCESS) {
+    Ret = TRUE;
+  }
+
+  return Ret;
+}
+
+/**
+  Calls RandomNumber64 to fill
+  a buffer of arbitrary size with random bytes.
+
+  @param[in]   Length        Size of the buffer, in bytes,  to fill with.
+  @param[out]  RandBuffer    Pointer to the buffer to store the random result.
+
+  @retval EFI_SUCCESS        Random bytes generation succeeded.
+  @retval EFI_NOT_READY      Failed to request random bytes.
+
+**/
+STATIC
+BOOLEAN
+EFIAPI
+RandGetBytes (
+  IN UINTN         Length,
+  OUT UINT8        *RandBuffer
+  )
+{
+  BOOLEAN     Ret;
+  UINT64      TempRand;
+
+  Ret = FALSE;
+
+  while (Length > 0) {
+    Ret = RandomNumber64 (&TempRand);
+    if (!Ret) {
+      return Ret;
+    }
+    if (Length >= sizeof (TempRand)) {
+      *((UINT64*)RandBuffer) = TempRand;
+      RandBuffer += sizeof (UINT64);
+      Length -= sizeof (TempRand);
+    } else {
+      CopyMem (RandBuffer, &TempRand, Length);
+      Length = 0;
+    }
+  }
+
+  return Ret;
+}
+
+/**
+  Creates a 128bit random value that is fully forward and backward prediction resistant,
+  suitable for seeding a NIST SP800-90 Compliant.
+  This function takes multiple random numbers from PerformanceCounter to ensure reseeding
+  and performs AES-CBC-MAC over the data to compute the seed value.
+
+  @param[out]  SeedBuffer    Pointer to a 128bit buffer to store the random seed.
+
+  @retval TRUE        Random seed generation succeeded.
+  @retval FALSE      Failed to request random bytes.
+
+**/
+STATIC
+BOOLEAN
+EFIAPI
+RandGetSeed128 (
+  OUT UINT8        *SeedBuffer
+  )
+{
+  BOOLEAN     Ret;
+  UINT8       RandByte[16];
+  UINT8       Key[16];
+  UINT8       Ffv[16];
+  UINT8       Xored[16];
+  UINT32      Index;
+  UINT32      Index2;
+  AES_KEY     AESKey;
+
+  //
+  // Chose an arbitary key and zero the feed_forward_value (FFV)
+  //
+  for (Index = 0; Index < 16; Index++) {
+    Key[Index] = (UINT8) Index;
+    Ffv[Index] = 0;
+  }
+
+  AES_set_encrypt_key(Key, 16 * 8, &AESKey);
+
+  //
+  // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps between 128 bit value
+  // The 10us gaps will ensure multiple reseeds within the system time with a large
+  // design margin.
+  //
+  for (Index = 0; Index < 32; Index++) {
+    MicroSecondDelay (10);
+    Ret = RandGetBytes (16, RandByte);
+    if (!Ret) {
+      return Ret;
+    }
+
+    //
+    // Perform XOR operations on two 128-bit value.
+    //
+    for (Index2 = 0; Index2 < 16; Index2++) {
+      Xored[Index2] = RandByte[Index2] ^ Ffv[Index2];
+    }
+
+    AES_encrypt(Xored, Ffv, &AESKey);
+  }
+
+  for (Index = 0; Index < 16; Index++) {
+    SeedBuffer[Index] = Ffv[Index];
+  }
+
+  return Ret;
+}
+
+/**
+  Generate high-quality entropy source.
+
+  @param[in]   Length        Size of the buffer, in bytes, to fill with.
+  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
+
+  @retval EFI_SUCCESS        Entropy generation succeeded.
+  @retval EFI_NOT_READY      Failed to request random data.
+
+**/
+STATIC
+BOOLEAN
+EFIAPI
+RandGenerateEntropy (
+  IN UINTN         Length,
+  OUT UINT8        *Entropy
+  )
+{
+  BOOLEAN     Ret;
+  UINTN       BlockCount;
+  UINT8       Seed[16];
+  UINT8       *Ptr;
+
+  BlockCount = Length / 16;
+  Ptr        = (UINT8 *)Entropy;
+
+  //
+  // Generate high-quality seed for DRBG Entropy
+  //
+  while (BlockCount > 0) {
+    Ret = RandGetSeed128 (Seed);
+    if (!Ret) {
+      return Ret;
+    }
+    CopyMem (Ptr, Seed, 16);
+
+    BlockCount--;
+    Ptr = Ptr + 16;
+  }
+
+  //
+  // Populate the remained data as request.
+  //
+  Ret = RandGetSeed128 (Seed);
+  if (!Ret) {
+    return Ret;
+  }
+  CopyMem (Ptr, Seed, (Length % 16));
+
+  return Ret;
+}
+
+/*
+ * Add random bytes to the pool to acquire requested amount of entropy
+ *
+ * This function is platform specific and tries to acquire the requested
+ * amount of entropy by polling platform specific entropy sources.
+ */
+size_t rand_pool_acquire_entropy(RAND_POOL *pool)
+{
+  BOOLEAN  Ret;
+  size_t bytes_needed;
+  unsigned char * buffer;
+
+  bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+  if (bytes_needed > 0) {
+    buffer = rand_pool_add_begin(pool, bytes_needed);
+
+    if (buffer != NULL) {
+      Ret = RandGenerateEntropy(bytes_needed, buffer);
+      if (FALSE == Ret) {
+        rand_pool_add_end(pool, 0, 0);
+      } else {
+        rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+      }
+    }
+  }
+
+  return rand_pool_entropy_available(pool);
+}
+
+/*
+ * Implementation for UEFI
+ */
+int rand_pool_add_nonce_data(RAND_POOL *pool)
+{
+  struct {
+    UINT64  MonotonicCount;
+    UINT64  Rand;
+    UINT64  TimerValue;
+  } data = { 0 };
+
+  gBS->GetNextMonotonicCount(&(data.MonotonicCount));
+  RandGetBytes(8, (UINT8 *)&(data.Rand));
+  data.TimerValue = GetPerformanceCounter();
+
+  return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
+}
+
+/*
+ * Implementation for UEFI
+ */
+int rand_pool_add_additional_data(RAND_POOL *pool)
+{
+  struct {
+    UINT64  Rand;
+    UINT64  TimerValue;
+  } data = { 0 };
+
+  RandGetBytes(8, (UINT8 *)&(data.Rand));
+  data.TimerValue = GetPerformanceCounter();
+
+  return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
+}
+
+/*
+ * Dummy Implememtation for UEFI
+ */
+int rand_pool_init(void)
+{
+  return 1;
+}
+
+/*
+ * Dummy Implememtation for UEFI
+ */
+void rand_pool_cleanup(void)
+{
+}
+
+/*
+ * Dummy Implememtation for UEFI
+ */
+void rand_pool_keep_random_devices_open(int keep)
+{
+}
+
-- 
2.7.4



* [PATCH v3 6/6] CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
                   ` (4 preceding siblings ...)
  2019-05-13 13:25 ` [PATCH v3 5/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
@ 2019-05-13 13:25 ` Xiaoyu lu
  2019-05-13 19:24 ` [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
  6 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-13 13:25 UTC (permalink / raw)
  To: devel; +Cc: lersek, xiaoyux.lu, Jian J Wang, Ting Ye

From: Xiaoyu Lu <xiaoyux.lu@intel.com>

Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

OpenSSL internally redefines the size of HMAC_CTX at
crypto/hmac/hmac_lcl.h(OpenSSL commit e0810e35).
Ref: https://github.com/openssl/openssl/pull/4338

We should not use it directly and should remove relevant
functions(Hmac*GetContextSize).
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1792

But for compatibility, temporarily change these definitions
of HMAC_*_CTX_SIZE.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
---
 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c    | 8 ++++++--
 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c   | 9 +++++++--
 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c | 8 ++++++--
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
index 3134806..19e9fbe 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
@@ -9,8 +9,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/hmac.h>
 
-#define HMAC_MD5_CTX_SIZE    sizeof(void *) * 4 + sizeof(unsigned int) + \
-                             sizeof(unsigned char) * HMAC_MAX_MD_CBLOCK
+//
+// NOTE: OpenSSL redefines the size of HMAC_CTX at crypto/hmac/hmac_lcl.h
+//       #define HMAC_MAX_MD_CBLOCK_SIZE     144
+//
+#define HMAC_MD5_CTX_SIZE    (sizeof(void *) * 4 + sizeof(unsigned int) + \
+                             sizeof(unsigned char) * 144)
 
 /**
   Retrieves the size, in bytes, of the context buffer required for HMAC-MD5 operations.
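Review bot: the size is hand-computed from a private struct layout (four pointers, an unsigned int, 144 key bytes) that OpenSSL does not expose and may change again, and the literal 144 is now copied into three files. Keep one definition in InternalCryptLib.h, annotated with the bugzilla 1792 reference and a note that the field list must be re-checked against crypto/hmac/hmac_lcl.h on every submodule bump. Because the library writes into the caller-supplied buffer as a full HMAC_CTX, a value that is too small is an out-of-bounds write that nothing can catch at runtime while the type is opaque, which is exactly the argument the commit message makes for removing the GetContextSize functions.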
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
index bbe3df4..7d7df96 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
@@ -9,8 +9,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/hmac.h>
 
-#define HMAC_SHA1_CTX_SIZE   sizeof(void *) * 4 + sizeof(unsigned int) + \
-                             sizeof(unsigned char) * HMAC_MAX_MD_CBLOCK
+//
+// NOTE: OpenSSL redefines the size of HMAC_CTX at crypto/hmac/hmac_lcl.h
+//       #define HMAC_MAX_MD_CBLOCK_SIZE     144
+//
+//
+#define  HMAC_SHA1_CTX_SIZE   (sizeof(void *) * 4 + sizeof(unsigned int) + \
+                             sizeof(unsigned char) * 144)
 
 /**
   Retrieves the size, in bytes, of the context buffer required for HMAC-SHA1 operations.
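Review bot: two cosmetic slips in this hunk: the NOTE block ends with a doubled `//` (two consecutive empty comment lines, unlike the MD5 and SHA256 variants), and `#define  HMAC_SHA1_CTX_SIZE` has two spaces after `#define`, while the continuation line is no longer aligned with the opening parenthesis. Match the MD5 variant exactly, or better, replace all three copies with a single shared macro.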
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c
index ac9084f..f24443e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c
@@ -9,8 +9,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/hmac.h>
 
-#define HMAC_SHA256_CTX_SIZE   sizeof(void *) * 4 + sizeof(unsigned int) + \
-                               sizeof(unsigned char) * HMAC_MAX_MD_CBLOCK
+//
+// NOTE: OpenSSL redefines the size of HMAC_CTX at crypto/hmac/hmac_lcl.h
+//       #define HMAC_MAX_MD_CBLOCK_SIZE     144
+//
+#define HMAC_SHA256_CTX_SIZE    (sizeof(void *) * 4 + sizeof(unsigned int) + \
+                             sizeof(unsigned char) * 144)
 
 /**
   Retrieves the size, in bytes, of the context buffer required for HMAC-SHA256 operations.
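Review bot: after this change the MD5, SHA1 and SHA256 macros expand to the same expression, which shows the size no longer depends on the digest at all (it is the size of OpenSSL's HMAC_CTX, whatever the hash). Define one HMAC_CTX_SIZE in InternalCryptLib.h and have the three GetContextSize functions return it, so the next bump touches one line. The added outer parentheses are a real fix, since the old macro would have mis-evaluated inside a larger expression; the continuation line here is indented two columns short of the opening parenthesis.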
-- 
2.7.4



* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
                   ` (5 preceding siblings ...)
  2019-05-13 13:25 ` [PATCH v3 6/6] CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible Xiaoyu lu
@ 2019-05-13 19:24 ` Laszlo Ersek
  2019-05-14  6:16   ` Gary Lin
  2019-05-14 11:58   ` Laszlo Ersek
  6 siblings, 2 replies; 18+ messages in thread
From: Laszlo Ersek @ 2019-05-13 19:24 UTC (permalink / raw)
  To: devel, xiaoyux.lu, Gary Lin; +Cc: Jian J Wang, Ting Ye

On 05/13/19 15:25, Xiaoyu lu wrote:
> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
>   OpenSSL only supports seeding NONE for UEFI (rand_unix.c line 93).
>   So add --with-rand-seed=none to process_files.pl.
> 
> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
>   When running process_files.py to configure OpenSSL, we can exclude some unnecessary files. This can reduce porting time, compiling time and library size.
> 
> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol issue
> 
> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>   Disable warning for building OpenSSL_1_1_1b
> 
> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>   Update OpenSSL submodule to OpenSSL_1_1_1b
>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> 
>   OpenSSL doesn't implement some rand_pool functions for UEFI.
>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>   counter, but we are not sure about the amount of randomness it provides.
> 
> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
> 
>   Note: Will be removed next update.
>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>   Ref: https://github.com/openssl/openssl/pull/4338
> 
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>

I'm withdrawing from reviewing or testing this series.

Gary, if you have the time, can you please regression test this (for
HTTPS boot) in both OVMF and ArmVirtQemu?

Thank you
Laszlo


* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-13 19:24 ` [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
@ 2019-05-14  6:16   ` Gary Lin
  2019-05-14 12:06     ` Laszlo Ersek
  2019-05-14 11:58   ` Laszlo Ersek
  1 sibling, 1 reply; 18+ messages in thread
From: Gary Lin @ 2019-05-14  6:16 UTC (permalink / raw)
  To: devel, lersek; +Cc: xiaoyux.lu, Jian J Wang, Ting Ye

On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
> On 05/13/19 15:25, Xiaoyu lu wrote:
> > (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
> >   OpenSSL only supports seeding NONE for UEFI (rand_unix.c line 93).
> >   So add --with-rand-seed=none to process_files.pl.
> > 
> > (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
> >   When running process_files.py to configure OpenSSL, we can exclude some unnecessary files. This can reduce porting time, compiling time and library size.
> > 
> > (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol issue
> > 
> > (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> >   Disable warning for building OpenSSL_1_1_1b
> > 
> > (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> >   Update OpenSSL submodule to OpenSSL_1_1_1b
> >   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> > 
> >   OpenSSL doesn't implement some rand_pool functions for UEFI.
> >   Use EFI_RNG_PROTOCOL to generate random for entropy.
> >   If EFI_RNG_PROTOCOL is not available, fall back to performance
> >   counter, but we are not sure about the amount of randomness it provides.
> > 
> > (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
> > 
> >   Note: Will be removed next update.
> >   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
> >   Ref: https://github.com/openssl/openssl/pull/4338
> > 
> > 
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Ting Ye <ting.ye@intel.com>
> 
> I'm withdrawing from reviewing or testing this series.
> 
> Gary, if you have the time, can you please regression test this (for
> HTTPS boot) in both OVMF and ArmVirtQemu?
> 
I'll find some time to do the regression test tomorrow.

Cheers,

Gary Lin


* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-13 19:24 ` [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
  2019-05-14  6:16   ` Gary Lin
@ 2019-05-14 11:58   ` Laszlo Ersek
  2019-05-14 15:52     ` Xiaoyu lu
  1 sibling, 1 reply; 18+ messages in thread
From: Laszlo Ersek @ 2019-05-14 11:58 UTC (permalink / raw)
  To: xiaoyux.lu; +Cc: devel, Gary Lin, Jian J Wang, Ting Ye

On 05/13/19 21:24, Laszlo Ersek wrote:
> On 05/13/19 15:25, Xiaoyu lu wrote:
>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading
>>   OpenSSL OpenSSL only supports seeding NONE for UEFI (rand_unix.c line
>>   93). So add --with-rand-seed=none to process_files.pl.
>>
>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in
>> process_files.pl
>>   When running process_files.py to configure OpenSSL, we can exclude
>>   some unnecessary files. This can reduce porting time, compiling
>>   time and library size.
>>
>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol
>> issue
>>
>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>>   Disable warning for building OpenSSL_1_1_1b
>>
>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>>   Update OpenSSL submodule to OpenSSL_1_1_1b
>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>
>>   OpenSSL doesn't implement some rand_pool functions for UEFI.
>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>>   counter, but we are not sure about the amount of randomness it
>>   provides.
>>
>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
>>
>>   Note: Will be removed next update.
>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>>   Ref: https://github.com/openssl/openssl/pull/4338
>>
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Ting Ye <ting.ye@intel.com>
>
> I'm withdrawing from reviewing or testing this series.

To be clear, the reason I abandoned reviewing / testing this series is
not due to the use of TimerLib as entropy source, in patch #5. I
addressed that separately, stating that I wouldn't review patch #5, only
regression-test it.

The reason I intend to leave upcoming reviews & testing of this series
as a whole to others is that I've found a number of mistakes in relation
to the development workflow. And, it's exhausting for me to repeat all
the same guidelines, when I had documented them in the wiki [*].

At the same time, I realize that it may be difficult for a new edk2
contributor to adhere to everything described in [*] -- especially given
that [*] is not an official edk2 document, just something that I
personally distilled from experience.

In other words, my insisting on [*] in many repeated emails is
exhausting for both new contributors, and myself as a reviewer. Which is
why I thought I'd save us both some busywork, by withdrawing from this
series.

If you'd like me to look over this series again, then a v4 will be
necessary, just in order to remedy the following workflow-level
problems. (Afterwards, a v5 may be necessary for further technical
fixes.)

(1) Some of your patches are authored by "Xiaoyu Lu", some others by
    "Xiaoyu lu" (lower case). This messes up the shortlog in the blurb
    (and other statistics collected from the git log); you are
    represented as two different people.

    Please pick *one* email address (name included), and stick with
    that. Rebase the series, and use

      git commit --amend --author=...

    for fixing up the authorship on the patches that need it.

    Make sure your Signed-off-by follows suit in the commit messages.

(2) The series is hard to apply for local testing, with "git am", due to
    patch #5 modifying both CRLF and LF files. That's not necessarily a
    problem with the patch itself, but the norm has been, for
    non-trivial patch series, to push a topic branch to a personal repo,
    and to reference that repo & branch in the blurb. It permits easy
    fetching and easy commenting both.

    This wasn't done in v2, and I struggled with "git am". It hasn't
    been done in v3 either. Please do it in v4 and further versions.

(3) In my review of the v1 series, I requested that the CC_FLAGS
    changes, for the "OpensslLib.inf" and "OpensslLibCrypto.inf" files,
    be isolated to their own standalone patch. In v2, this was nicely
    addressed in patch #4, and I gave my R-b. In v3 however, you
    squashed a totally unrelated -- but at the series level, necessary
    -- change into the same patch (namely "sys/syscall.h"). While that
    improved the end result of the series for sure, it *negated* the v2
    improvement in the specific patch.

    In my v2 review, this was how I asked for "sys/syscall.h":

        So please include a patch in the v3 series that adds
        "CryptoPkg/Library/Include/sys/syscall.h" like suggested above.

    *Separate patch*.

    If you disagree with my request, that's 100% part of the process,
    but then please respond under the request, rather than dumping an
    entire new version of the series on me that does not comply with my
    request.

(4) In version 3, you failed to pick up my Reviewed-by tags that I had
    given for v2 1/6 and v2 6/6.

    In more technical terms, this means that you should have run "git
    rebase -i", selected the "reword" action for patches v2 1/6 and v2
    6/6, and appended -- using the clipboard -- my R-b tags, from my
    review emails, to the commit messages.

    This is documented in detail, in [*] (contributor step 28).

    (Referring to the previous bullet, you also failed to pick up my R-b
    for patch v2 4/6. However, ultimately, that was the correct action
    for that patch, given that you modified the patch in v3. If a patch
    is modified significantly in a revision, then review tags garnered
    earlier should be dropped, so that reviewers check the patch again.)

(5) Jian had some questions still open under v2 5/6, when you posted v3.
    The questions were addressed to me. Sometimes I cannot answer on the
    next day, and yes, there was a weekend too.

    If you think a reviewer missed something, please wait one or two
    business days, and ping them off-list or on-list, before sending the
    next version.

    If there isn't enough time left to catch the upcoming stable tag
    with this work, then we should postpone this work to the next stable
    tag.

[*] https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers

Thanks
Laszlo

^ permalink raw reply	[flat|nested] 18+ messages in thread
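
The entropy question raised for patch #5 above (EFI_RNG_PROTOCOL first, performance counter otherwise, with the amount of randomness of the counter unknown) is the security-relevant point of the series. What follows is an added example, not code from the series, from EDK2 or from OpenSSL: a small C model of how an OpenSSL-1.1.1-style rand_pool_acquire_entropy() can take the counter fallback without crediting it as entropy, so that DRBG instantiation fails closed instead of running on a guessable seed. The RNG protocol, the performance counter, the pool structure and the DRBG check are all hypothetical stand-ins with constructed bytes; the names RAND_POOL_MODEL, rand_pool_acquire_entropy_model and drbg_instantiate_model are not OpenSSL identifiers.

```c
/* Added example, not EDK2/OpenSSL code: a model of OpenSSL-1.1.1-style
 * rand_pool entropy acquisition for a UEFI-like platform. The hardware
 * source stands in for EFI_RNG_PROTOCOL; the fallback stands in for a
 * TimerLib performance counter. All sources are simulated (constructed). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_MAX 64                 /* bytes; assumed pool capacity */

typedef struct {
    uint8_t buf[POOL_MAX];
    size_t  len;                    /* bytes currently in the pool */
    size_t  entropy_bits;           /* entropy credited so far */
    size_t  entropy_required;       /* bits needed before the pool is usable */
} RAND_POOL_MODEL;

/* Signature of a hardware RNG source: 0 on success, -1 if unavailable
 * (the EFI_RNG_PROTOCOL-not-installed case). */
typedef int (*rng_fn)(uint8_t *out, size_t n);

/* Stand-in for an installed EFI_RNG_PROTOCOL; bytes are constructed and
 * deterministic so the example is reproducible. They are NOT random. */
static int fake_efi_rng_available(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(0xA5 ^ (i * 31u));
    return 0;
}

/* Stand-in for a platform with no EFI_RNG_PROTOCOL instance. */
static int fake_efi_rng_missing(uint8_t *out, size_t n) {
    (void)out; (void)n;
    return -1;
}

/* Stand-in for TimerLib GetPerformanceCounter(): monotonic and guessable. */
static uint64_t fake_perf_counter(void) {
    static uint64_t tick = 0x1000;
    tick += 7;
    return tick;
}

/* Append data to the pool and credit the stated amount of entropy.
 * Returns 1 on success, 0 if the pool is full. */
static int pool_add(RAND_POOL_MODEL *p, const uint8_t *data, size_t n,
                    size_t entropy_bits) {
    if (p->len + n > POOL_MAX)
        return 0;
    memcpy(p->buf + p->len, data, n);
    p->len += n;
    p->entropy_bits += entropy_bits;
    return 1;
}

/* Acquire entropy for the pool. Returns the entropy credited, in bits.
 * The fallback branch still mixes the counter in (it does no harm), but
 * credits ZERO bits, because its randomness is unknown. */
size_t rand_pool_acquire_entropy_model(RAND_POOL_MODEL *p, rng_fn rng) {
    uint8_t tmp[POOL_MAX];
    size_t need = (p->entropy_required + 7) / 8;   /* assumes 8 bits/byte from the HW RNG */
    uint64_t counter;

    if (need > POOL_MAX)
        need = POOL_MAX;

    if (rng(tmp, need) == 0) {
        pool_add(p, tmp, need, need * 8);
        return p->entropy_bits;
    }

    counter = fake_perf_counter();
    pool_add(p, (const uint8_t *)&counter, sizeof counter, 0);
    return p->entropy_bits;
}

/* Model of DRBG instantiation: 1 if the pool met its requirement (seeded),
 * 0 if it did not (fail closed; do not hand out "random" bytes). */
int drbg_instantiate_model(rng_fn rng, size_t required_bits) {
    RAND_POOL_MODEL pool;
    memset(&pool, 0, sizeof pool);
    pool.entropy_required = required_bits;
    return rand_pool_acquire_entropy_model(&pool, rng) >= required_bits;
}

int main(void) {
    printf("with EFI_RNG_PROTOCOL:  %s\n",
           drbg_instantiate_model(fake_efi_rng_available, 256) ? "seeded" : "FAILED");
    printf("counter fallback only:  %s\n",
           drbg_instantiate_model(fake_efi_rng_missing, 256) ? "seeded" : "FAILED");
    return 0;
}
```

The design choice sits in the fallback branch: the counter is appended to the pool, but entropy_bits stays at zero, so the caller sees the shortfall and refuses to instantiate. That is the check a reviewer of patch #5 would want either implemented or explicitly documented as accepted risk; a fallback that silently credits counter bits as full entropy makes every TLS key derived during HTTPS boot depend on a predictable value.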

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-14  6:16   ` Gary Lin
@ 2019-05-14 12:06     ` Laszlo Ersek
  2019-05-14 13:26       ` Wang, Jian J
  0 siblings, 1 reply; 18+ messages in thread
From: Laszlo Ersek @ 2019-05-14 12:06 UTC (permalink / raw)
  To: devel, glin; +Cc: xiaoyux.lu, Jian J Wang, Ting Ye

On 05/14/19 08:16, Gary Lin wrote:
> On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
>> On 05/13/19 15:25, Xiaoyu lu wrote:
>>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
>>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
>>>   So add --with-rand-seed=none to process_files.pl.
>>>
>>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
>>>   When running process_files.py to configure OpenSSL, we can exclude some unnecessary files. This can reduce porting time, compiling time and library size.
>>>
>>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol issue
>>>
>>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>>>   Disable warning for building OpenSSL_1_1_1b
>>>
>>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>>>   Update OpenSSL submodule to OpenSSL_1_1_1b
>>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>>
>>>   OpenSSL doesn't implement some rand_pool function for UEFI.
>>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>>>   counter, but we are not sure about the amount of randomness it provides.
>>>
>>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
>>>
>>>   Note: Will be removed in the next update.
>>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>>>   Ref: https://github.com/openssl/openssl/pull/4338
>>>
>>>
>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>> Cc: Ting Ye <ting.ye@intel.com>
>>
>> I'm withdrawing from reviewing or testing this series.
>>
>> Gary, if you have the time, can you please regression test this (for
>> HTTPS boot) in both OVMF and ArmVirtQemu?
>>
> I'll find some time to do the regression test tomorrow.

Thanks, Gary!

Xiaoyu might post a v4 with a remote topic branch for reviewers to
fetch; I suggest awaiting that. (The series is difficult to apply with
git-am.)

Thanks
Laszlo

> Cheers,
> 
> Gary Lin
> 
> 
> 


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-14 12:06     ` Laszlo Ersek
@ 2019-05-14 13:26       ` Wang, Jian J
  2019-05-15  1:53         ` Gary Lin
  0 siblings, 1 reply; 18+ messages in thread
From: Wang, Jian J @ 2019-05-14 13:26 UTC (permalink / raw)
  To: Laszlo Ersek, devel@edk2.groups.io, glin@suse.com; +Cc: Lu, XiaoyuX, Ye, Ting

Yes, please wait for v4 version of this patch series.

Regards,
Jian


> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Tuesday, May 14, 2019 8:06 PM
> To: devel@edk2.groups.io; glin@suse.com
> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Ye, Ting <ting.ye@intel.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
> 
> On 05/14/19 08:16, Gary Lin wrote:
> > On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
> >> On 05/13/19 15:25, Xiaoyu lu wrote:
> >>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
> >>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
> >>>   So add --with-rand-seed=none to process_files.pl.
> >>>
> >>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
> >>>   When running process_files.py to configure OpenSSL, we can exclude some
> unnecessary files. This can reduce porting time, compiling time and library size.
> >>>
> >>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol issue
> >>>
> >>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> >>>   Disable warning for building OpenSSL_1_1_1b
> >>>
> >>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> >>>   Update OpenSSL submodule to OpenSSL_1_1_1b
> >>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> >>>
> >>>   OpenSSL doesn't implement some rand_pool function for UEFI.
> >>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
> >>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
> >>>   counter, but we are not sure about the amount of randomness it provides.
> >>>
> >>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
> >>>
> >>>   Note: Will be removed in the next update.
> >>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
> >>>   Ref: https://github.com/openssl/openssl/pull/4338
> >>>
> >>>
> >>> Cc: Jian J Wang <jian.j.wang@intel.com>
> >>> Cc: Ting Ye <ting.ye@intel.com>
> >>
> >> I'm withdrawing from reviewing or testing this series.
> >>
> >> Gary, if you have the time, can you please regression test this (for
> >> HTTPS boot) in both OVMF and ArmVirtQemu?
> >>
> > > I'll find some time to do the regression test tomorrow.
> 
> Thanks, Gary!
> 
> Xiaoyu might post a v4 with a remote topic branch for reviewers to
> fetch; I suggest awaiting that. (The series is difficult to apply with
> git-am.)
> 
> Thanks
> Laszlo
> 
> > Cheers,
> >
> > Gary Lin
> >
> > 
> >


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-14 11:58   ` Laszlo Ersek
@ 2019-05-14 15:52     ` Xiaoyu lu
  0 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-14 15:52 UTC (permalink / raw)
  To: devel@edk2.groups.io, lersek@redhat.com; +Cc: Gary Lin, Wang, Jian J, Ye, Ting

Thank you, Laszlo.

I very much appreciate you being so patient with me.

(1) I cleaned up the author name.

(2) CryptoPkg/Library/Include/openssl/opensslconf.h is an LF file. It is copied from OpenSSL; I think it should not be modified.

   Pushed to my private repository: https://github.com/xiaoyuxlu/edk2/commits/bz_1089_patch_v4
   I have not finished yet. When I finish, I will post the v4 patches.

(3) Thank you for explaining this clearly. I changed it back and added a patch.

(4) Now I know I should carry R-b tags into the commit message, and what it means to modify a patch that already has R-b tags.
   If I modify one, I should ask for the opinion of the R-b tag's owner. I apologize for modifying your R-b tagged patch, which made you feel bad.

(5) Got it. 

I think it is very useful for me. 
[*] https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers
Thank you again.

Xiaoyu.

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Laszlo Ersek
Sent: Tuesday, May 14, 2019 7:59 PM
To: Lu, XiaoyuX <xiaoyux.lu@intel.com>
Cc: devel@edk2.groups.io; Gary Lin <glin@suse.com>; Wang, Jian J <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b

On 05/13/19 21:24, Laszlo Ersek wrote:
> On 05/13/19 15:25, Xiaoyu lu wrote:
>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading
>>   OpenSSL OpenSSL only supports seeding NONE for UEFI(rand_unix.c line
>>   93). So add --with-rand-seed=none to process_files.pl.
>>
>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in 
>> process_files.pl
>>   When running process_files.py to configure OpenSSL, we can exclude
>>   some unnecessary files. This can reduce porting time, compiling
>>   time and library size.
>>
>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol 
>> issue
>>
>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>>   Disable warning for building OpenSSL_1_1_1b
>>
>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>>   Update OpenSSL submodule to OpenSSL_1_1_1b
>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>
>>   OpenSSL doesn't implement some rand_pool function for UEFI.
>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>>   counter, but we are not sure about the amount of randomness it
>>   provides.
>>
>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
>>
>>   Note: Will be removed in the next update.
>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>>   Ref: https://github.com/openssl/openssl/pull/4338
>>
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Ting Ye <ting.ye@intel.com>
>
> I'm withdrawing from reviewing or testing this series.

To be clear, the reason I abandoned reviewing / testing this series is not due to the use of TimerLib as entropy source, in patch #5. I addressed that separately, stating that I wouldn't review patch #5, only regression-test it.

The reason I intend to leave upcoming reviews & testing of this series as a whole to others is that I've found a number of mistakes in relation to the development workflow. And, it's exhausting for me to repeat all the same guidelines, when I had documented them in the wiki [*].

At the same time, I realize that it may be difficult for a new edk2 contributor to adhere to everything described in [*] -- especially given that [*] is not an official edk2 document, just something that I personally distilled from experience.

In other words, my insisting on [*] in many repeated emails is exhausting for both new contributors, and myself as a reviewer. Which is why I thought I'd save us both some busywork, by withdrawing from this series.

If you'd like me to look over this series again, then a v4 will be necessary, just in order to remedy the following workflow-level problems. (Afterwards, a v5 may be necessary for further technical
fixes.)

(1) Some of your patches are authored by "Xiaoyu Lu", some others by
    "Xiaoyu lu" (lower case). This messes up the shortlog in the blurb
    (and other statistics collected from the git log); you are
    represented as two different people.

    Please pick *one* email address (name included), and stick with
    that. Rebase the series, and use

      git commit --amend --author=...

    for fixing up the authorship on the patches that need it.

    Make sure your Signed-off-by follows suit in the commit messages.

(2) The series is hard to apply for local testing, with "git am", due to
    patch #5 modifying both CRLF and LF files. That's not necessarily a
    problem with the patch itself, but the norm has been, for
    non-trivial patch series, to push a topic branch to a personal repo,
    and to reference that repo & branch in the blurb. It permits easy
    fetching and easy commenting both.

    This wasn't done in v2, and I struggled with "git am". It hasn't
    been done in v3 either. Please do it in v4 and further versions.

(3) In my review of the v1 series, I requested that the CC_FLAGS
    changes, for the "OpensslLib.inf" and "OpensslLibCrypto.inf" files,
    be isolated to their own standalone patch. In v2, this was nicely
    addressed in patch #4, and I gave my R-b. In v3 however, you
    squashed a totally unrelated -- but at the series level, necessary
    -- change into the same patch (namely "sys/syscall.h"). While that
    improved the end result of the series for sure, it *negated* the v2
    improvement in the specific patch.

    In my v2 review, this was how I asked for "sys/syscall.h":

        So please include a patch in the v3 series that adds
        "CryptoPkg/Library/Include/sys/syscall.h" like suggested above.

    *Separate patch*.

    If you disagree with my request, that's 100% part of the process,
    but then please respond under the request, rather than dumping an
    entire new version of the series on me that does not comply with my
    request.

(4) In version 3, you failed to pick up my Reviewed-by tags that I had
    given for v2 1/6 and v2 6/6.

    In more technical terms, this means that you should have run "git
    rebase -i", selected the "reword" action for patches v2 1/6 and v2
    6/6, and appended -- using the clipboard -- my R-b tags, from my
    review emails, to the commit messages.

    This is documented in detail, in [*] (contributor step 28).

    (Referring to the previous bullet, you also failed to pick up my R-b
    for patch v2 4/6. However, ultimately, that was the correct action
    for that patch, given that you modified the patch in v3. If a patch
    is modified significantly in a revision, then review tags garnered
    earlier should be dropped, so that reviewers check the patch again.)

(5) Jian had some questions still open under v2 5/6, when you posted v3.
    The questions were addressed to me. Sometimes I cannot answer on the
    next day, and yes, there was a weekend too.

    If you think a reviewer missed something, please wait one or two
    business days, and ping them off-list or on-list, before sending the
    next version.

    If there isn't enough time left to catch the upcoming stable tag
    with this work, then we should postpone this work to the next stable
    tag.

[*] https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers

Thanks
Laszlo




^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-14 13:26       ` Wang, Jian J
@ 2019-05-15  1:53         ` Gary Lin
  2019-05-15  2:00           ` Xiaoyu lu
  0 siblings, 1 reply; 18+ messages in thread
From: Gary Lin @ 2019-05-15  1:53 UTC (permalink / raw)
  To: devel, jian.j.wang; +Cc: Laszlo Ersek, Lu, XiaoyuX, Ye, Ting

On Tue, May 14, 2019 at 01:26:15PM +0000, Wang, Jian J wrote:
> Yes, please wait for v4 version of this patch series.

Good. I'm looking forward to the new series :)

Thanks,

Gary Lin

> 
> Regards,
> Jian
> 
> 
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > Sent: Tuesday, May 14, 2019 8:06 PM
> > To: devel@edk2.groups.io; glin@suse.com
> > Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > Ye, Ting <ting.ye@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
> > 
> > On 05/14/19 08:16, Gary Lin wrote:
> > > On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
> > >> On 05/13/19 15:25, Xiaoyu lu wrote:
> > >>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
> > >>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
> > >>>   So add --with-rand-seed=none to process_files.pl.
> > >>>
> > >>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
> > >>>   When running process_files.py to configure OpenSSL, we can exclude some
> > unnecessary files. This can reduce porting time, compiling time and library size.
> > >>>
> > >>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external symbol issue
> > >>>
> > >>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> > >>>   Disable warning for building OpenSSL_1_1_1b
> > >>>
> > >>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> > >>>   Update OpenSSL submodule to OpenSSL_1_1_1b
> > >>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> > >>>
> > >>>   OpenSSL doesn't implement some rand_pool function for UEFI.
> > >>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
> > >>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
> > >>>   counter, but we are not sure about the amount of randomness it provides.
> > >>>
> > >>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward  compatible
> > >>>
> > >>>   Note: Will be removed in the next update.
> > >>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
> > >>>   Ref: https://github.com/openssl/openssl/pull/4338
> > >>>
> > >>>
> > >>> Cc: Jian J Wang <jian.j.wang@intel.com>
> > >>> Cc: Ting Ye <ting.ye@intel.com>
> > >>
> > >> I'm withdrawing from reviewing or testing this series.
> > >>
> > >> Gary, if you have the time, can you please regression test this (for
> > >> HTTPS boot) in both OVMF and ArmVirtQemu?
> > >>
> > > I'll find some time to do the regression test tomorrow.
> > 
> > Thanks, Gary!
> > 
> > Xiaoyu might post a v4 with a remote topic branch for reviewers to
> > fetch; I suggest awaiting that. (The series is difficult to apply with
> > git-am.)
> > 
> > Thanks
> > Laszlo
> > 
> > > Cheers,
> > >
> > > Gary Lin
> > >
> > > 
> > >
> 
> 
> 
> 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-15  1:53         ` Gary Lin
@ 2019-05-15  2:00           ` Xiaoyu lu
  2019-05-15  4:33             ` Gary Lin
  2019-05-15  8:06             ` Laszlo Ersek
  0 siblings, 2 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-15  2:00 UTC (permalink / raw)
  To: devel@edk2.groups.io, glin@suse.com, Wang, Jian J; +Cc: Laszlo Ersek, Ye, Ting

Hi Gary Lin:
	I also need to modify the code about the entropy source today.
	But I have uploaded a TimerLib based implementation.

	https://github.com/xiaoyuxlu/edk2/commits/bz_1089_patch_v4

Thanks.
Xiaoyu

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Gary Lin
Sent: Wednesday, May 15, 2019 9:54 AM
To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Ye, Ting <ting.ye@intel.com>
Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b

On Tue, May 14, 2019 at 01:26:15PM +0000, Wang, Jian J wrote:
> Yes, please wait for v4 version of this patch series.

Good. I'm looking forward to the new series :)

Thanks,

Gary Lin

> 
> Regards,
> Jian
> 
> 
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > Sent: Tuesday, May 14, 2019 8:06 PM
> > To: devel@edk2.groups.io; glin@suse.com
> > Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J 
> > <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL 
> > to 1.1.1b
> > 
> > On 05/14/19 08:16, Gary Lin wrote:
> > > On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
> > >> On 05/13/19 15:25, Xiaoyu lu wrote:
> > >>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
> > >>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
> > >>>   So add --with-rand-seed=none to process_files.pl.
> > >>>
> > >>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
> > >>>   When running process_files.py to configure OpenSSL, we can 
> > >>> exclude some
> > unnecessary files. This can reduce porting time, compiling time and library size.
> > >>>
> > >>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external 
> > >>> symbol issue
> > >>>
> > >>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> > >>>   Disable warning for building OpenSSL_1_1_1b
> > >>>
> > >>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> > >>>   Update OpenSSL submodule to OpenSSL_1_1_1b
> > >>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> > >>>
> > >>>   OpenSSL doesn't implement some rand_pool function for UEFI.
> > >>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
> > >>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
> > >>>   counter, but we are not sure about the amount of randomness it provides.
> > >>>
> > >>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward
> > >>> compatible
> > >>>
> > >>>   Note: Will be removed in the next update.
> > >>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
> > >>>   Ref: https://github.com/openssl/openssl/pull/4338
> > >>>
> > >>>
> > >>> Cc: Jian J Wang <jian.j.wang@intel.com>
> > >>> Cc: Ting Ye <ting.ye@intel.com>
> > >>
> > >> I'm withdrawing from reviewing or testing this series.
> > >>
> > >> Gary, if you have the time, can you please regression test this 
> > >> (for HTTPS boot) in both OVMF and ArmVirtQemu?
> > >>
> > > I'll find some time to do the regression test tomorrow.
> > 
> > Thanks, Gary!
> > 
> > Xiaoyu might post a v4 with a remote topic branch for reviewers to 
> > fetch; I suggest awaiting that. (The series is difficult to apply 
> > with
> > git-am.)
> > 
> > Thanks
> > Laszlo
> > 
> > > Cheers,
> > >
> > > Gary Lin
> > >
> > > 
> > >
> 
> 
> 
> 




^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-15  2:00           ` Xiaoyu lu
@ 2019-05-15  4:33             ` Gary Lin
  2019-05-15  8:06             ` Laszlo Ersek
  1 sibling, 0 replies; 18+ messages in thread
From: Gary Lin @ 2019-05-15  4:33 UTC (permalink / raw)
  To: devel, xiaoyux.lu; +Cc: Wang, Jian J, Laszlo Ersek, Ye, Ting

On Wed, May 15, 2019 at 02:00:27AM +0000, Xiaoyu lu wrote:
> Hi Gary Lin:
> 	I also need to modify the code about the entropy source today.
> 	But I have uploaded a TimerLib based implementation.
> 
> 	https://github.com/xiaoyuxlu/edk2/commits/bz_1089_patch_v4
Thanks! I'll go through the commits today and prepare for the incoming
series.

Gary Lin

> 
> Thanks.
> Xiaoyu
> 
> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Gary Lin
> Sent: Wednesday, May 15, 2019 9:54 AM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Ye, Ting <ting.ye@intel.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
> 
> On Tue, May 14, 2019 at 01:26:15PM +0000, Wang, Jian J wrote:
> > Yes, please wait for v4 version of this patch series.
> 
> Good. I'm looking forward to the new series :)
> 
> Thanks,
> 
> Gary Lin
> 
> > 
> > Regards,
> > Jian
> > 
> > 
> > > -----Original Message-----
> > > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > > Sent: Tuesday, May 14, 2019 8:06 PM
> > > To: devel@edk2.groups.io; glin@suse.com
> > > Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J 
> > > <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
> > > Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL 
> > > to 1.1.1b
> > > 
> > > On 05/14/19 08:16, Gary Lin wrote:
> > > > On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
> > > >> On 05/13/19 15:25, Xiaoyu lu wrote:
> > > >>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
> > > >>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
> > > >>>   So add --with-rand-seed=none to process_files.pl.
> > > >>>
> > > >>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
> > > >>>   When running process_files.py to configure OpenSSL, we can 
> > > >>> exclude some
> > > unnecessary files. This can reduce porting time, compiling time and library size.
> > > >>>
> > > >>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external 
> > > >>> symbol issue
> > > >>>
> > > >>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> > > >>>   Disable warning for building OpenSSL_1_1_1b
> > > >>>
> > > >>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> > > >>>   Update OpenSSL submodule to OpenSSL_1_1_1b
> > > >>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
> > > >>>
> > > >>>   OpenSSL doesn't implement some rand_pool function for UEFI.
> > > >>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
> > > >>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
> > > >>>   counter, but we are not sure about the amount of randomness it provides.
> > > >>>
> > > >>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward
> > > >>> compatible
> > > >>>
> > > >>>   Note: Will be removed in the next update.
> > > >>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
> > > >>>   Ref: https://github.com/openssl/openssl/pull/4338
> > > >>>
> > > >>>
> > > >>> Cc: Jian J Wang <jian.j.wang@intel.com>
> > > >>> Cc: Ting Ye <ting.ye@intel.com>
> > > >>
> > > >> I'm withdrawing from reviewing or testing this series.
> > > >>
> > > >> Gary, if you have the time, can you please regression test this 
> > > >> (for HTTPS boot) in both OVMF and ArmVirtQemu?
> > > >>
> > > > I'll find some time to do the regression test tomorrow.
> > > 
> > > Thanks, Gary!
> > > 
> > > Xiaoyu might post a v4 with a remote topic branch for reviewers to 
> > > fetch; I suggest awaiting that. (The series is difficult to apply 
> > > with
> > > git-am.)
> > > 
> > > Thanks
> > > Laszlo
> > > 
> > > > Cheers,
> > > >
> > > > Gary Lin
> > > >
> > > > 
> > > >
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
> 
> 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-15  2:00           ` Xiaoyu lu
  2019-05-15  4:33             ` Gary Lin
@ 2019-05-15  8:06             ` Laszlo Ersek
  2019-05-15  8:58               ` Xiaoyu lu
  1 sibling, 1 reply; 18+ messages in thread
From: Laszlo Ersek @ 2019-05-15  8:06 UTC (permalink / raw)
  To: Lu, XiaoyuX, devel@edk2.groups.io, glin@suse.com, Wang, Jian J; +Cc: Ye, Ting

Hi Xiaoyu,

On 05/15/19 04:00, Lu, XiaoyuX wrote:
> Hi Gary Lin:
> 	I also need to modify the code about the entropy source today.
> 	But I have uploaded a TimerLib based implementation.
> 
> 	https://github.com/xiaoyuxlu/edk2/commits/bz_1089_patch_v4

This is not a good strategy.

Please refer to contributor step 31:

https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-31

You should push a topic branch called "xxxx_v4" *only* if you are ready
to post it immediately to the list, as "PATCH v4".

Topic branches in personal repos must be *identical* to the
corresponding posting on edk2-devel. And once such a topic branch is
pushed and referenced in an edk2-devel posting, the branch should never
ever be modified again. Not rebased, not force-pushed, not
fast-forwarded to additional commits on top. Once you have a v4 posting
on edk2-devel, the topic branch *for that version* becomes read-only. If
you need updates, you need to prepare a v5.

It's OK to push (even force-push) branches to your personal repo that
are work-in-progress. However, the name of the branch should be very
clear about that. For example, you could call the branch
"bz_1089_patch_v4_wip", with the "_wip" suffix standing for
"work-in-progress". Then people fetching that branch will understand
it's not final, and may easily change until the mailing list posting.
When you decide it's time to post, you can rename the branch (drop the
"_wip" suffix), from which point on you should treat the branch as
read-only.

Thanks
Laszlo

> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Gary Lin
> Sent: Wednesday, May 15, 2019 9:54 AM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Ye, Ting <ting.ye@intel.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
> 
> On Tue, May 14, 2019 at 01:26:15PM +0000, Wang, Jian J wrote:
>> Yes, please wait for v4 version of this patch series.
> 
> Good. I'm looking forward to the new series :)
> 
> Thanks,
> 
> Gary Lin
> 
>>
>> Regards,
>> Jian
>>
>>
>>> -----Original Message-----
>>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>>> Sent: Tuesday, May 14, 2019 8:06 PM
>>> To: devel@edk2.groups.io; glin@suse.com
>>> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J 
>>> <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
>>> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL 
>>> to 1.1.1b
>>>
>>> On 05/14/19 08:16, Gary Lin wrote:
>>>> On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
>>>>> On 05/13/19 15:25, Xiaoyu lu wrote:
>>>>>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for  upgrading OpenSSL
>>>>>>   OpenSSL only supports seeding NONE for UEFI(rand_unix.c line 93).
>>>>>>   So add --with-rand-seed=none to process_files.pl.
>>>>>>
>>>>>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in  process_files.pl
>>>>>>   When running process_files.py to configure OpenSSL, we can 
>>>>>> exclude some
>>> unnecessary files. This can reduce porting time, compiling time and library size.
>>>>>>
>>>>>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved  external 
>>>>>> symbol issue
>>>>>>
>>>>>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>>>>>>   Disable warning for building OpenSSL_1_1_1b
>>>>>>
>>>>>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>>>>>>   Update OpenSSL submodule to OpenSSL_1_1_1b
>>>>>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>>>>>
>>>>>>   OpenSSL doesn't implement some rand_pool function for UEFI.
>>>>>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>>>>>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>>>>>>   counter, but we are not sure about the amount of randomness it provides.
>>>>>>
>>>>>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
>>>>>>
>>>>>>   Note: Will be removed in next update.
>>>>>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>>>>>>   Ref: https://github.com/openssl/openssl/pull/4338
>>>>>>
>>>>>>
>>>>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>>>>> Cc: Ting Ye <ting.ye@intel.com>
>>>>>
>>>>> I'm withdrawing from reviewing or testing this series.
>>>>>
>>>>> Gary, if you have the time, can you please regression test this 
>>>>> (for HTTPS boot) in both OVMF and ArmVirtQemu?
>>>>>
>>>> I'll find some time to do the regression test tomorrow.
>>>
>>> Thanks, Gary!
>>>
>>> Xiaoyu might post a v4 with a remote topic branch for reviewers to
>>> fetch; I suggest awaiting that. (The series is difficult to apply with
>>> git-am.)
>>>
>>> Thanks
>>> Laszlo
>>>
>>>> Cheers,
>>>>
>>>> Gary Lin
>>>>
>>>>
>>>>
>>
>>
>>
>>
> 
> 
> 



* Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
  2019-05-15  8:06             ` Laszlo Ersek
@ 2019-05-15  8:58               ` Xiaoyu lu
  0 siblings, 0 replies; 18+ messages in thread
From: Xiaoyu lu @ 2019-05-15  8:58 UTC (permalink / raw)
  To: Laszlo Ersek, devel@edk2.groups.io, glin@suse.com, Wang, Jian J; +Cc: Ye, Ting

Hi Laszlo:

Thanks for your information.

If I send the patch v4, I will provide a new branch in my personal repos and not modify it.

Thanks,
Xiaoyu

-----Original Message-----
From: Laszlo Ersek [mailto:lersek@redhat.com] 
Sent: Wednesday, May 15, 2019 4:07 PM
To: Lu, XiaoyuX <xiaoyux.lu@intel.com>; devel@edk2.groups.io; glin@suse.com; Wang, Jian J <jian.j.wang@intel.com>
Cc: Ye, Ting <ting.ye@intel.com>
Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b

Hi Xiaoyu,

On 05/15/19 04:00, Lu, XiaoyuX wrote:
> Hi Gary Lin:
> 	I also need to modify the code about the entropy source today.
> 	But I have uploaded a TimerLib based implementation.
> 
> 	https://github.com/xiaoyuxlu/edk2/commits/bz_1089_patch_v4

This is not a good strategy.

Please refer to contributor step 31:

https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-31

You should push a topic branch called "xxxx_v4" *only* if you are ready to post it immediately to the list, as "PATCH v4".

Topic branches in personal repos must be *identical* to the corresponding posting on edk2-devel. And once such a topic branch is pushed and referenced in an edk2-devel posting, the branch should never ever be modified again. Not rebased, not force-pushed, not fast-forwarded to additional commits on top. Once you have a v4 posting on edk2-devel, the topic branch *for that version* becomes read-only. If you need updates, you need to prepare a v5.

It's OK to push (even force-push) branches to your personal repo that are work-in-progress. However, the name of the branch should be very clear about that. For example, you could call the branch "bz_1089_patch_v4_wip", with the "_wip" suffix standing for "work-in-progress". Then people fetching that branch will understand it's not final, and may easily change until the mailing list posting.
When you decide it's time to post, you can rename the branch (drop the "_wip" suffix), from which point on you should treat the branch as read-only.

Thanks
Laszlo

> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of 
> Gary Lin
> Sent: Wednesday, May 15, 2019 9:54 AM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>; Lu, XiaoyuX 
> <xiaoyux.lu@intel.com>; Ye, Ting <ting.ye@intel.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 
> 1.1.1b
> 
> On Tue, May 14, 2019 at 01:26:15PM +0000, Wang, Jian J wrote:
>> Yes, please wait for v4 version of this patch series.
> 
> Good. I'm looking forward to the new series :)
> 
> Thanks,
> 
> Gary Lin
> 
>>
>> Regards,
>> Jian
>>
>>
>>> -----Original Message-----
>>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>>> Sent: Tuesday, May 14, 2019 8:06 PM
>>> To: devel@edk2.groups.io; glin@suse.com
>>> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J 
>>> <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
>>> Subject: Re: [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL 
>>> to 1.1.1b
>>>
>>> On 05/14/19 08:16, Gary Lin wrote:
>>>> On Mon, May 13, 2019 at 09:24:39PM +0200, Laszlo Ersek wrote:
>>>>> On 05/13/19 15:25, Xiaoyu lu wrote:
>>>>>> (1) CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL
>>>>>>   OpenSSL only supports seeding NONE for UEFI (rand_unix.c line 93).
>>>>>>   So add --with-rand-seed=none to process_files.pl.
>>>>>>
>>>>>> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
>>>>>>   When running process_files.py to configure OpenSSL, we can exclude some
>>>>>>   unnecessary files. This can reduce porting time, compiling time and library size.
>>>>>>
>>>>>> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
>>>>>>
>>>>>> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>>>>>>   Disable warning for building OpenSSL_1_1_1b
>>>>>>
>>>>>> (5) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>>>>>>   Update OpenSSL submodule to OpenSSL_1_1_1b
>>>>>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>>>>>
>>>>>>   OpenSSL doesn't implement some rand_pool function for UEFI.
>>>>>>   Use EFI_RNG_PROTOCOL to generate random for entropy.
>>>>>>   If EFI_RNG_PROTOCOL is not available, fall back to performance
>>>>>>   counter, but we are not sure about the amount of randomness it provides.
>>>>>>
>>>>>> (6) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
>>>>>>
>>>>>>   Note: Will be removed in next update.
>>>>>>   Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
>>>>>>   Ref: https://github.com/openssl/openssl/pull/4338
>>>>>>
>>>>>>
>>>>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>>>>> Cc: Ting Ye <ting.ye@intel.com>
>>>>>
>>>>> I'm withdrawing from reviewing or testing this series.
>>>>>
>>>>> Gary, if you have the time, can you please regression test this 
>>>>> (for HTTPS boot) in both OVMF and ArmVirtQemu?
>>>>>
>>>> I'll find some time to do the regression test tomorrow.
>>>
>>> Thanks, Gary!
>>>
>>> Xiaoyu might post a v4 with a remote topic branch for reviewers to
>>> fetch; I suggest awaiting that. (The series is difficult to apply with
>>> git-am.)
>>>
>>> Thanks
>>> Laszlo
>>>
>>>> Cheers,
>>>>
>>>> Gary Lin
>>>>
>>>>
>>>>
>>
>>
>>
>>
> 
> 
> 



end of thread, other threads:[~2019-05-15  8:58 UTC | newest]

Thread overview: 18+ messages
2019-05-13 13:25 [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 1/6] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 2/6] CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 3/6] CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 4/6] CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 5/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
2019-05-13 13:25 ` [PATCH v3 6/6] CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible Xiaoyu lu
2019-05-13 19:24 ` [edk2-devel] [PATCH v3 0/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
2019-05-14  6:16   ` Gary Lin
2019-05-14 12:06     ` Laszlo Ersek
2019-05-14 13:26       ` Wang, Jian J
2019-05-15  1:53         ` Gary Lin
2019-05-15  2:00           ` Xiaoyu lu
2019-05-15  4:33             ` Gary Lin
2019-05-15  8:06             ` Laszlo Ersek
2019-05-15  8:58               ` Xiaoyu lu
2019-05-14 11:58   ` Laszlo Ersek
2019-05-14 15:52     ` Xiaoyu lu
