From: "Ye, Ting"
To: "Long, Qin", "edk2-devel@lists.01.org"
CC: "Woodhouse, David"
Date: Thu, 29 Sep 2016 06:45:43 +0000
Subject: Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
In-Reply-To: <20160929060925.11152-1-qin.long@intel.com>
References: <20160929060925.11152-1-qin.long@intel.com>
List-Id: EDK II Development

Reviewed-by: Ye Ting

-----Original Message-----
From: Long, Qin
Sent: Thursday, September 29, 2016 2:09 PM
To: edk2-devel@lists.01.org
Cc: Ye, Ting; Woodhouse, David
Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j

Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with several severity fixes at 22-Sep-2016 and 26-Sep-2016 with several security fixes. Refer to https://www.openssl.org/news/secadv/20160922.txt and https://www.openssl.org/news/secadv/20160926.txt.

This patch is to upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2j.

Cc: Ting Ye
Cc: David Woodhouse
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long --- CryptoPkg/CryptoPkg.dec | 2 +- ...ssl-1.0.2h.patch =3D> EDKII_openssl-1.0.2j.patch} | 171 ++++++---------= ------ CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- CryptoPkg/Library/OpensslLib/Install.sh | 2 +- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +- CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++-- 6 files changed, 62 insertions(+), 143 deletions(-) rename CryptoPkg/Libr= ary/OpensslLib/{EDKII_openssl-1.0.2h.patch =3D> EDKII_openssl-1.0.2j.patch}= (92%) diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index c0885b= b..80579b7 100644 --- a/CryptoPkg/CryptoPkg.dec +++ b/CryptoPkg/CryptoPkg.dec @@ -24,7 +24,7 @@ =20 [Includes] Include - Library/OpensslLib/openssl-1.0.2h/include + Library/OpensslLib/openssl-1.0.2j/include =20 [LibraryClasses] ## @libraryclass Provides basic library functions for cryptographic pr= imitives. diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch b/Cryp= toPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch similarity index 92% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch index 559fc67..ecd13a9 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch @@ -1,5 +1,5 @@ diff --git a/Configure b/Configure -index c98107a..c122709 100755 +index c39f71a..98dd1d0 100755 --- a/Configure +++ b/Configure @@ -609,6 +609,9 @@ my %table=3D( @@ -12,7 +12,7 @@ index c98107a..c122709 100755 # UWIN "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des}= ${x86_gcc_opts}:${no_asm}:win32", =20 -@@ -1088,7 +1091,7 @@ if (defined($disabled{"tls1"})) +@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) ||=20 +defined($disabled{"sha"}) } =20 if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) @@ -22,20 +22,2= 0 @@ index c98107a..c122709 100755 $disabled{"gost"} =3D "forced"; } 
diff --git a/apps/apps.c b/apps/apps.c -index b1dd970..8278c28 100644 +index 9fdc3e0..6c183b0 100644 --- a/apps/apps.c +++ b/apps/apps.c -@@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc, +@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc, flags |=3D X509_V_FLAG_PARTIAL_CHAIN; else if (!strcmp(arg, "-no_alt_chains")) flags |=3D X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-no_check_time")) + flags |=3D X509_V_FLAG_NO_CHECK_TIME; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |=3D X509_V_FLAG_ALLOW_PROXY_CERTS; else - return 0; - diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c -index 35fd44c.= .9f39bff 100644 +index 2d562f9..91203b7 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -104,6 +104,7 @@ static int send_bio_chars(void *arg, const void *buf, = int len) @@ -426,7 +426,7 @@ index 5281384..952b545 100644 #ifndef OPENSSL_NO_FP_API int NCONF_load_fp(CONF *conf, FILE *fp, long *eline) diff --git a/crypto= /conf/conf_mod.c b/crypto/conf/conf_mod.c -index 9acfca4..5e0a482 100644 +index e0c9a67..13d93ea 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -159,6 +159,7 @@ int CONF_modules_load(const CONF *cnf, const char *app= name, @@ -747,21 +747,6 @@ index b58e3fa..926be98 100644 } =20 const EVP_PKEY_METHOD dh_pkey_meth =3D { -diff --git a/crypto/ec/ec_ameth= .c b/crypto/ec/ec_ameth.c -index 83e208c..4869098 100644 ---- a/crypto/ec/ec_ameth.c -+++ b/crypto/ec/ec_ameth.c -@@ -67,8 +67,10 @@ - #include - #include "asn1_locl.h" -=20 -+#ifndef OPENSSL_NO_CMS - static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); - static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); -+#endif - - static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) - { diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h index 46f1= 63b..b4a72a0 100644 --- a/crypto/engine/eng_int.h @@ -943,7 +928,7 @@ index 7a1c85d..7162c0f 100644 #undef BN_LLONG =20 
diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h -index d3b23fc..5df6ffd 1= 00644 +index aac72fb..d271ec8 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_C= IPHER *enc, \ @@ -987,7 +972,7 @@ index d3b23fc..5df6ffd 100644 EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x); int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x); diff --git a/crypto/= pem/pem_lib.c b/crypto/pem/pem_lib.c -index fe881d6..e25cc68 100644 +index c82b3c0..56c77b1 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *su= ffix); @@ -1130,7 +1115,7 @@ index 737aebf..f23f348 100644 { return (-1); diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c -index 2661= 11e..f60fac6 100644 +index 6c5b65d..11ee152 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -116,7 +116,7 @@ 
@@ -1151,71 +1136,6 @@ index 266111e..f60fac6 100644 int RAND_poll(void) { return 0; -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c -index 4e0621= 8..ddead3d 100644 ---- a/crypto/rsa/rsa_ameth.c -+++ b/crypto/rsa/rsa_ameth.c -@@ -68,10 +68,12 @@ - #endif - #include "asn1_locl.h" -=20 -+#ifndef OPENSSL_NO_CMS - static int rsa_cms_sign(CMS_SignerInfo *si); - static int rsa_cms_verify(CMS_SignerInfo *si); - static int rsa_cms_decrypt(CMS_RecipientInfo *ri); - static int rsa_cms_encrypt(CMS_RecipientInfo *ri); -+#endif - - static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) - { -@@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CT= X *pkctx, - return rv; - } -=20 -+#ifndef OPENSSL_NO_CMS - static int rsa_cms_verify(CMS_SignerInfo *si) - { - int nid, nid2; -@@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si) - } - return 0; - } -+#endif - - /* - * Customised RSA item verification routine. This is called when a signat= ure -@@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const = ASN1_ITEM *it, void *asn, - return -1; - } -=20 -+#ifndef OPENSSL_NO_CMS - static int rsa_cms_sign(CMS_SignerInfo *si) - { - int pad_mode =3D RSA_PKCS1_PADDING; -@@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si) - X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os)= ; - return 1; - } -+#endif - - static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, - X509_ALGOR *alg1, X509_ALGOR *alg2, -@@ -762,6 +768,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_I= TEM *it, void *asn, - return 2; - } -=20 -+#ifndef OPENSSL_NO_CMS - static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg, - X509_ALGOR **pmaskHash) - { -@@ -920,6 +927,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) - ASN1_STRING_free(os); - return rv; - } -+#endif - - const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =3D { - { 
diff --git a/crypto/srp/srp.h b/crypto/srp/srp.h index 028892a..4ed4bfe 1= 00644 --- a/crypto/srp/srp.h @@ -1231,10 +1151,10 @@ index 028892a..4ed4bfe 100644 /* This method ignores the configured seed and fails for an unknown user.= */ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); diff= --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c -index 26ad3e0..6be4cf= 2 100644 +index a8ec52a..ce20804 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c -@@ -225,6 +225,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, c= onst char *id, +@@ -228,6 +228,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd=20 +*vinfo, const char *id, return (info =3D=3D NULL || NULL !=3D (vinfo->info =3D BUF_strdup(inf= o))); } =20 @@ -1242,15 +1162,15 @@ index 26ad3e0..6be4cf2 100644 static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, const char *v) { -@@ -239,6 +240,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, co= nst char *s, - len =3D t_fromb64(tmp, s); - return ((vinfo->s =3D BN_bin2bn(tmp, len, NULL)) !=3D NULL); +@@ -254,6 +255,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, co= nst char *s, + vinfo->v =3D NULL; + return 0; } +#endif =20 static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM = *v) { -@@ -297,6 +299,7 @@ int SRP_VBASE_free(SRP_VBASE *vb) +@@ -312,6 +314,7 @@ int SRP_VBASE_free(SRP_VBASE *vb) return 0; } =20 @@ -1258,7 +1178,7 @@ index 26ad3e0..6be4cf2 100644 static SRP_gN_cache *SRP_gN_new_init(const char *ch) { unsigned char tmp[MAX_LEN]; -@@ -328,6 +331,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache) +@@ -346,6 +349,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache) BN_free(gN_cache->bn); OPENSSL_free(gN_cache); } 
@@ -1266,7 +1186,7 @@ index 26ad3e0..6be4cf2 100644 =20 static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) { -@@ -344,6 +348,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_= OF(SRP_gN) *gN_tab) +@@ -362,6 +366,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id,=20 +STACK_OF(SRP_gN) *gN_tab) return SRP_get_default_gN(id); } =20 @@ -1274,7 +1194,7 @@ index 26ad3e0..6be4cf2 100644 static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch= ) { int i; -@@ -485,6 +490,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) +@@ -503,6 +508,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char=20 +*verifier_file) return error_code; =20 } @@ -1283,7 +1203,7 @@ index 26ad3e0..6be4cf2 100644 static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) { diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h -index 16eccbb..a9fe40e 10064= 4 +index 2daa1b2..5205bc5 100644 --- a/crypto/ts/ts.h +++ b/crypto/ts/ts.h @@ -281,8 +281,10 @@ TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **= pp, long length); @@ -1342,7 +1262,7 @@ index 16eccbb..a9fe40e 100644 =20 TS_ACCURACY *TS_ACCURACY_new(void); void TS_ACCURACY_free(TS_ACCURACY *a); -@@ -728,15 +736,18 @@ int TS_MSG_= IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg); +@@ -731,15 +739,18 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio,=20 +TS_MSG_IMPRINT *msg); * ts/ts_conf.c */ =20 @@ -1361,7 +1281,7 @@ index 16eccbb..a9fe40e 100644 int TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert, TS_RESP_CTX *ctx); int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,= -@@ -744,6 +755,7 @@ int TS_CONF_set_certs(CONF *conf, const char *section= , const char *certs, +@@ -747,6 +758,7 @@ int TS_CONF_set_certs(CONF *conf, const char=20 +*section, const char *certs, int TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key, const char *pass, TS_RESP_CTX *ctx); 
@@ -1369,7 +1289,7 @@ index= 16eccbb..a9fe40e 100644 int TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy, TS_RESP_CTX *ctx); int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ct= x); -@@ -784,6 +796,11 @@ void ERR_load_TS_strings(void); +@@ -787,6 +799,11 @@ void ERR_load_TS_strings(void); # define TS_F_TS_CHECK_SIGNING_CERTS 103 # define TS_F_TS_CHECK_STATUS_INFO 104 # define TS_F_TS_COMPUTE_IMPRINT 145 @@ -1381,7 +1301,7 @@ index 16eccbb..a9fe40e 100644 # define TS_F_TS_CONF_SET_DEFAULT_ENGINE 146 # define TS_F_TS_GET_STATUS_TEXT 105 # define TS_F_TS_MSG_IMPRINT_SET_ALGO 118 -@@ -822,6 +839,8 @@ void ERR_load_TS_strings(void); +@@ -825,6 +842,8 @@ void ERR_load_TS_strings(void); /* Reason codes. */ # define TS_R_BAD_PKCS7_TYPE 132 # define TS_R_BAD_TYPE 133 @@ -1390,7 +1310,7 @@ index 16eccbb..a9fe40e 100644 # define TS_R_CERTIFICATE_VERIFY_ERROR 100 # define TS_R_COULD_NOT_SET_ENGINE 127 # define TS_R_COULD_NOT_SET_TIME 115 -@@ -854,6 +873,8 @@ void ERR_load_TS_strings(void); +@@ -857,6 +876,8 @@ void ERR_load_TS_strings(void); # define TS_R_UNACCEPTABLE_POLICY 125 # define TS_R_UNSUPPORTED_MD_ALGORITHM 126 # define TS_R_UNSUPPORTED_VERSION 113 @@ -1531,7 +1451,7 @@ index 0f29011..80dd40e 100644 int verify) { diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c -index 9ee8f8d..6= 4b052e 100644 +index bbc3189..29695f9 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -69,6 +69,8 @@ @@ -1543,17 +1463,17 @@ index 9ee8f8d..64b052e 100644 #include #include =20 -@@ -434,3 +436,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int ty= pe, X509_NAME *name, +@@ -438,3 +440,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int=20 +type, X509_NAME *name, BUF_MEM_free(b); return (ok); } + +#endif /* OPENSSL_NO_STDIO */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 4d34db= a..25e8a89 100644 +index 8334b3f..d075f66 100644 --- a/crypto/x509/x509_vfy.c 
+++ b/crypto/x509/x509_vfy.c -@@ -950,6 +950,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CR= L *crl, int notify) +@@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx,=20 +X509_CRL *crl, int notify) ctx->current_crl =3D crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime =3D &ctx->param->check_time; @@ -1562,7 +1482,7 @@ index 4d= 34dba..25e8a89 100644 else ptime =3D NULL; =20 -@@ -1673,6 +1675,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509= *x) +@@ -1805,6 +1807,8 @@ static int check_cert_time(X509_STORE_CTX *ctx,=20 +X509 *x) =20 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime =3D &ctx->param->check_time; @@ -1572,10 +1492,10 @@ index = 4d34dba..25e8a89 100644 ptime =3D NULL; =20 diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h -index 2663e1= c..3790ef5 100644 +index 5062682..e90d931 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h -@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int= depth); +@@ -443,6 +443,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx,=20 +int depth); * will force the behaviour to match that of previous versions. */ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000 @@ -1584,11 +1504,10 @@ index 2663e1c..3790ef5 100644 =20 # define X509_VP_FLAG_DEFAULT 0x1 # define X509_VP_FLAG_OVERWRITE 0x2 -@@ -490,9 +492,10 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); - X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); +@@ -496,8 +498,10 @@ X509_STORE=20 +*X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); =20 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); -- +=20 +#ifndef OPENSSL_NO_STDIO X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); X509_LOOKUP_METHOD *X509_LOOKUP_file(void); @@ -1944,10 +1863,10 @@ index= f6b3ff2..1dcbe36 100755 SEED,- SHA,- diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index 5d26c94..ee3f49b 100644 +index 9bc6153..b5648eb 100644 --- a/ssl/d1_both.c 
+++ b/ssl/d1_both.c -@@ -1053,7 +1053,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int= b) +@@ -1068,7 +1068,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a,=20 +int b) int dtls1_read_failed(SSL *s, int code) { if (code > 0) { @@ -1957,7 +1876,7 @@ index 5d26c94..ee3f49b 100644 } =20 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c -index 35cc27c..a1f5335 10064= 4 +index 499f0e8..5672f99 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -418,7 +418,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const un= signed char **pp, @@ -1992,9 +1911,9 @@ index 35cc27c..a1f5335 100644 c.error =3D SSL_R_BAD_LENGTH; - c.line =3D __LINE__; + c.line =3D OPENSSL_LINE; - goto err; - } else { - ret->sid_ctx_length =3D os.length; + OPENSSL_free(os.data); + os.data =3D NULL; + os.length =3D 0; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index f48ebae..ac4f08c 10064= 4 --- a/ssl/ssl_cert.c @@ -2068,10 +1987,10 @@ index 8d3709d..2bb403b 100644 =20 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd= ) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 514fcb3..2a54cc9 100644 +index b6d1ee9..75f38cd 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c -@@ -780,9 +780,7 @@ int tls1_enc(SSL *s, int send) +@@ -779,9 +779,7 @@ int tls1_enc(SSL *s, int send) * we can't write into the input stream: Can this eve= r * happen?? (steve) */ @@ -2152,7 +2071,7 @@ index b9b159a..9841498 100755 if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; } if ($keyword eq "PSK" && $no_psk) { return 0; } diff --git a/util/mke= rr.pl b/util/mkerr.pl -index 09ebebe..cd57ade 100644 +index c197f3a..97b295c 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -89,7 +89,7 @@ Options: 
@@ -2164,7 +2083,7 @@ index 09ebebe..cd57ade 100644 while the code facilitates the use of these in an environ= ment where the error support routines are dynamically loaded a= t=20 runtime. -@@ -474,7 +474,7 @@ EOF +@@ -482,7 +482,7 @@ EOF ${staticloader}void ERR_load_${lib}_strings(void); ${staticloader}void ERR_unload_${lib}_strings(void); ${staticloader}void ERR_${lib}_error(int function, int reason, char *file= , int line); diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/Crypto= Pkg/Library/OpensslLib/Install.cmd index 83d04d7..3d86bc7 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2h +cd openssl-1.0.2j copy ..\opensslconf.h crypto if not exist include\openssl mkdir include\openssl copy e_os2.h include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/Op= ensslLib/Install.sh index 95963ff..e6703d1 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh =20 -cd openssl-1.0.2h +cd openssl-1.0.2j cp ../opensslconf.h crypto mkdir -p include/openssl cp e_os2.h include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar= y/OpensslLib/OpensslLib.inf index 4c9f8aa..8121e83 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ MODULE_TYPE =3D BASE VERSION_STRING =3D 1.0 LIBRARY_CLASS =3D OpensslLib - DEFINE OPENSSL_PATH =3D openssl-1.0.2h + DEFINE OPENSSL_PATH =3D openssl-1.0.2j DEFINE OPENSSL_FLAGS =3D -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT = -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE =20 # diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Libra= ry/OpensslLib/Patch-HOWTO.txt index 91098b9..d7e3d9e 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building u= nder UEFI environment. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D OpenSSL-Version =3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2h. - http://www.openssl.org/source/openssl-1.0.2h.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j. + http://www.openssl.org/source/openssl-1.0.2j.tar.gz =20 =20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D HOW to Install Openssl for UEFI Building =3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D -1. Download OpenSSL 1.0.2h from official website: - http://www.openssl.org/source/openssl-1.0.2h.tar.gz +1. Download OpenSSL 1.0.2j from official website: + http://www.openssl.org/source/openssl-1.0.2j.tar.gz =20 - NOTE: Some web browsers may rename the downloaded TAR file to openssl-= 1.0.2h.tar.tar. - When you do the download, rename the "openssl-1.0.2h.tar.tar" to - "openssl-1.0.2h.tar.gz" or rename the local downloaded file with= ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-= 1.0.2j.tar.tar. 
+ When you do the download, rename the "openssl-1.0.2j.tar.tar" to + "openssl-1.0.2j.tar.gz" or rename the local downloaded file with= ".tar.tar" extension to ".tar.gz". =20 -2. Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2h +2. Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j =20 NOTE: If you use WinZip to unpack the openssl source in Windows, pleas= e uncheck the WinZip smart CR/LF conversion option (WINZIP: Option= s --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conver= sion"). =20 -3. Apply this patch: EDKII_openssl-1.0.2h.patch, and make installation +3. Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation =20 For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2h - 3) patch -p1 -i ..\EDKII_openssl-1.0.2h.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j + 3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch 4) cd .. 5) Install.cmd =20 @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building und= er UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/pa= tch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2h - 3) patch -p1 -i ../EDKII_openssl-1.0.2h.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j + 3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch 4) cd .. 5) ./Install.sh =20 -- 2.10.0.windows.1
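Review bot: the rename silently drops the EDKII hunks for crypto/ec/ec_ameth.c and crypto/rsa/rsa_ameth.c that wrapped the CMS prototypes and bodies (ecdh_cms_decrypt/ecdh_cms_encrypt, rsa_cms_sign/rsa_cms_verify/rsa_cms_decrypt/rsa_cms_encrypt, rsa_oaep_decode) in `#ifndef OPENSSL_NO_CMS`, and neither the diff nor the commit message says why. If 1.0.2j already carries equivalent guards upstream this is correct and one sentence in the commit message would spare the next rebase the same question; if it does not, the build configuration those guards were added for will fail again on the CMS_RecipientInfo/CMS_SignerInfo references. Please confirm with a build of that configuration before merging.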
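Review bot: in the crypto/srp/srp_vfy.c hunk the `+#endif` that closes the EDKII guard after SRP_user_pwd_set_sv is re-anchored from the old `return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL); }` context to the new `vinfo->v = NULL; return 0; }` context, so upstream rewrote the tail of that function between 1.0.2h and 1.0.2j. Because the matching `#ifndef` lives several hunks earlier (after SRP_user_pwd_set_ids), please check the patched file once to confirm the pair still brackets exactly the same functions and that nothing introduced by the upstream rewrite ended up outside the guard.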
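Review bot: the check_crl_time and check_cert_time hunks in crypto/x509/x509_vfy.c move from lines 950/1673 to 1064/1805, so upstream inserted well over a hundred lines into this file, and the apps.c and x509_vfy.h hunks show the EDKII patch is adding an X509_V_FLAG_NO_CHECK_TIME path in exactly this region. A hunk that applies with offset in a heavily changed area is easy to mis-place, and this is the one spot in the patch where a mis-merge weakens verification instead of breaking the build. Beyond `patch -p1` succeeding, please verify against an expired certificate and CRL with and without the flag set and confirm that only the flagged path skips the validity-period check.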
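Review bot: the ssl/ssl_asn1.c hunk's `c.line = OPENSSL_LINE;` substitution in d2i_SSL_SESSION is now placed against a rewritten SSL_R_BAD_LENGTH error path (`OPENSSL_free(os.data); os.data = NULL; os.length = 0;` replaces `goto err; } else { ret->sid_ctx_length = os.length;`). The EDKII change itself is inert, but since the surrounding error handling changed upstream, please glance at the patched file to make sure the substitution landed on the intended `c.line` assignment and not a neighbouring one; the file has several identical `c.line = __LINE__;` lines for patch to match.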
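Review bot: Patch-HOWTO.txt still tells the integrator to fetch http://www.openssl.org/source/openssl-1.0.2j.tar.gz over plain HTTP, and step 2 extracts it with no integrity check, so the security fixes this upgrade exists for are only as trustworthy as the network path of whoever runs the procedure. Since the HOWTO is being edited anyway, switch both occurrences of the URL to https:// and add a step before step 2 to verify the tarball against the SHA-256 or detached PGP signature that openssl.org publishes beside it (for example `sha256sum openssl-1.0.2j.tar.gz` compared with the published value). Stating in the HOWTO which OPENSSL_VERSION_TEXT the patched tree should report would also let a reviewer confirm the bump without re-running Install.sh.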