* [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
@ 2016-09-29  6:09 Qin Long
From: Qin Long @ 2016-09-29  6:09 UTC (permalink / raw)
  To: edk2-devel; +Cc: ting.ye, David.Woodhouse

Two official releases (OpenSSL 1.0.2i and 1.0.2j) containing several
security fixes of various severities were made available on 22-Sep-2016
and 26-Sep-2016. Refer to
https://www.openssl.org/news/secadv/20160922.txt and
https://www.openssl.org/news/secadv/20160926.txt.
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2j.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 CryptoPkg/CryptoPkg.dec                            |   2 +-
 ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++---------------
 CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
 CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
 6 files changed, 62 insertions(+), 143 deletions(-)
 rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} (92%)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index c0885bb..80579b7 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -24,7 +24,7 @@
 
 [Includes]
   Include
-  Library/OpensslLib/openssl-1.0.2h/include
+  Library/OpensslLib/openssl-1.0.2j/include
 
 [LibraryClasses]
   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
similarity index 92%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
index 559fc67..ecd13a9 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
@@ -1,5 +1,5 @@
 diff --git a/Configure b/Configure
-index c98107a..c122709 100755
+index c39f71a..98dd1d0 100755
 --- a/Configure
 +++ b/Configure
 @@ -609,6 +609,9 @@ my %table=(
@@ -12,7 +12,7 @@ index c98107a..c122709 100755
  # UWIN 
  "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
  
-@@ -1088,7 +1091,7 @@ if (defined($disabled{"tls1"}))
+@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
  	}
  
  if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
@@ -22,20 +22,20 @@ index c98107a..c122709 100755
  	$disabled{"gost"} = "forced";
  	}
 diff --git a/apps/apps.c b/apps/apps.c
-index b1dd970..8278c28 100644
+index 9fdc3e0..6c183b0 100644
 --- a/apps/apps.c
 +++ b/apps/apps.c
-@@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc,
+@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
          flags |= X509_V_FLAG_PARTIAL_CHAIN;
      else if (!strcmp(arg, "-no_alt_chains"))
          flags |= X509_V_FLAG_NO_ALT_CHAINS;
 +    else if (!strcmp(arg, "-no_check_time"))
 +        flags |= X509_V_FLAG_NO_CHECK_TIME;
+     else if (!strcmp(arg, "-allow_proxy_certs"))
+         flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
      else
-         return 0;
- 
 diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
-index 35fd44c..9f39bff 100644
+index 2d562f9..91203b7 100644
 --- a/crypto/asn1/a_strex.c
 +++ b/crypto/asn1/a_strex.c
 @@ -104,6 +104,7 @@ static int send_bio_chars(void *arg, const void *buf, int len)
@@ -426,7 +426,7 @@ index 5281384..952b545 100644
  #ifndef OPENSSL_NO_FP_API
  int NCONF_load_fp(CONF *conf, FILE *fp, long *eline)
 diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
-index 9acfca4..5e0a482 100644
+index e0c9a67..13d93ea 100644
 --- a/crypto/conf/conf_mod.c
 +++ b/crypto/conf/conf_mod.c
 @@ -159,6 +159,7 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
@@ -747,21 +747,6 @@ index b58e3fa..926be98 100644
  }
  
  const EVP_PKEY_METHOD dh_pkey_meth = {
-diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
-index 83e208c..4869098 100644
---- a/crypto/ec/ec_ameth.c
-+++ b/crypto/ec/ec_ameth.c
-@@ -67,8 +67,10 @@
- #include <openssl/asn1t.h>
- #include "asn1_locl.h"
- 
-+#ifndef OPENSSL_NO_CMS
- static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
- static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
-+#endif
- 
- static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
- {
 diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h
 index 46f163b..b4a72a0 100644
 --- a/crypto/engine/eng_int.h
@@ -943,7 +928,7 @@ index 7a1c85d..7162c0f 100644
  #undef BN_LLONG
  
 diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h
-index d3b23fc..5df6ffd 100644
+index aac72fb..d271ec8 100644
 --- a/crypto/pem/pem.h
 +++ b/crypto/pem/pem.h
 @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
@@ -987,7 +972,7 @@ index d3b23fc..5df6ffd 100644
  EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
  int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
 diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index fe881d6..e25cc68 100644
+index c82b3c0..56c77b1 100644
 --- a/crypto/pem/pem_lib.c
 +++ b/crypto/pem/pem_lib.c
 @@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *suffix);
@@ -1130,7 +1115,7 @@ index 737aebf..f23f348 100644
  {
      return (-1);
 diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
-index 266111e..f60fac6 100644
+index 6c5b65d..11ee152 100644
 --- a/crypto/rand/rand_unix.c
 +++ b/crypto/rand/rand_unix.c
 @@ -116,7 +116,7 @@
@@ -1151,71 +1136,6 @@ index 266111e..f60fac6 100644
  int RAND_poll(void)
  {
      return 0;
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index 4e06218..ddead3d 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -68,10 +68,12 @@
- #endif
- #include "asn1_locl.h"
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_sign(CMS_SignerInfo *si);
- static int rsa_cms_verify(CMS_SignerInfo *si);
- static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
- static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
-+#endif
- 
- static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
- {
-@@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
-     return rv;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_verify(CMS_SignerInfo *si)
- {
-     int nid, nid2;
-@@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)
-     }
-     return 0;
- }
-+#endif
- 
- /*
-  * Customised RSA item verification routine. This is called when a signature
-@@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-     return -1;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_sign(CMS_SignerInfo *si)
- {
-     int pad_mode = RSA_PKCS1_PADDING;
-@@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
-     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
-     return 1;
- }
-+#endif
- 
- static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-                          X509_ALGOR *alg1, X509_ALGOR *alg2,
-@@ -762,6 +768,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-     return 2;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
-                                         X509_ALGOR **pmaskHash)
- {
-@@ -920,6 +927,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
-         ASN1_STRING_free(os);
-     return rv;
- }
-+#endif
- 
- const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
-     {
 diff --git a/crypto/srp/srp.h b/crypto/srp/srp.h
 index 028892a..4ed4bfe 100644
 --- a/crypto/srp/srp.h
@@ -1231,10 +1151,10 @@ index 028892a..4ed4bfe 100644
  /* This method ignores the configured seed and fails for an unknown user. */
  SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
 diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
-index 26ad3e0..6be4cf2 100644
+index a8ec52a..ce20804 100644
 --- a/crypto/srp/srp_vfy.c
 +++ b/crypto/srp/srp_vfy.c
-@@ -225,6 +225,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
+@@ -228,6 +228,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
      return (info == NULL || NULL != (vinfo->info = BUF_strdup(info)));
  }
  
@@ -1242,15 +1162,15 @@ index 26ad3e0..6be4cf2 100644
  static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
                                 const char *v)
  {
-@@ -239,6 +240,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
-     len = t_fromb64(tmp, s);
-     return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL);
+@@ -254,6 +255,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
+     vinfo->v = NULL;
+     return 0;
  }
 +#endif
  
  static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
  {
-@@ -297,6 +299,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
+@@ -312,6 +314,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
      return 0;
  }
  
@@ -1258,7 +1178,7 @@ index 26ad3e0..6be4cf2 100644
  static SRP_gN_cache *SRP_gN_new_init(const char *ch)
  {
      unsigned char tmp[MAX_LEN];
-@@ -328,6 +331,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
+@@ -346,6 +349,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
      BN_free(gN_cache->bn);
      OPENSSL_free(gN_cache);
  }
@@ -1266,7 +1186,7 @@ index 26ad3e0..6be4cf2 100644
  
  static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
  {
-@@ -344,6 +348,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
+@@ -362,6 +366,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
      return SRP_get_default_gN(id);
  }
  
@@ -1274,7 +1194,7 @@ index 26ad3e0..6be4cf2 100644
  static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch)
  {
      int i;
-@@ -485,6 +490,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
+@@ -503,6 +508,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
      return error_code;
  
  }
@@ -1283,7 +1203,7 @@ index 26ad3e0..6be4cf2 100644
  static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
  {
 diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h
-index 16eccbb..a9fe40e 100644
+index 2daa1b2..5205bc5 100644
 --- a/crypto/ts/ts.h
 +++ b/crypto/ts/ts.h
 @@ -281,8 +281,10 @@ TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length);
@@ -1342,7 +1262,7 @@ index 16eccbb..a9fe40e 100644
  
  TS_ACCURACY *TS_ACCURACY_new(void);
  void TS_ACCURACY_free(TS_ACCURACY *a);
-@@ -728,15 +736,18 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
+@@ -731,15 +739,18 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
   * ts/ts_conf.c
   */
  
@@ -1361,7 +1281,7 @@ index 16eccbb..a9fe40e 100644
  int TS_CONF_set_signer_cert(CONF *conf, const char *section,
                              const char *cert, TS_RESP_CTX *ctx);
  int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
-@@ -744,6 +755,7 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
+@@ -747,6 +758,7 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
  int TS_CONF_set_signer_key(CONF *conf, const char *section,
                             const char *key, const char *pass,
                             TS_RESP_CTX *ctx);
@@ -1369,7 +1289,7 @@ index 16eccbb..a9fe40e 100644
  int TS_CONF_set_def_policy(CONF *conf, const char *section,
                             const char *policy, TS_RESP_CTX *ctx);
  int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
-@@ -784,6 +796,11 @@ void ERR_load_TS_strings(void);
+@@ -787,6 +799,11 @@ void ERR_load_TS_strings(void);
  # define TS_F_TS_CHECK_SIGNING_CERTS                      103
  # define TS_F_TS_CHECK_STATUS_INFO                        104
  # define TS_F_TS_COMPUTE_IMPRINT                          145
@@ -1381,7 +1301,7 @@ index 16eccbb..a9fe40e 100644
  # define TS_F_TS_CONF_SET_DEFAULT_ENGINE                  146
  # define TS_F_TS_GET_STATUS_TEXT                          105
  # define TS_F_TS_MSG_IMPRINT_SET_ALGO                     118
-@@ -822,6 +839,8 @@ void ERR_load_TS_strings(void);
+@@ -825,6 +842,8 @@ void ERR_load_TS_strings(void);
  /* Reason codes. */
  # define TS_R_BAD_PKCS7_TYPE                              132
  # define TS_R_BAD_TYPE                                    133
@@ -1390,7 +1310,7 @@ index 16eccbb..a9fe40e 100644
  # define TS_R_CERTIFICATE_VERIFY_ERROR                    100
  # define TS_R_COULD_NOT_SET_ENGINE                        127
  # define TS_R_COULD_NOT_SET_TIME                          115
-@@ -854,6 +873,8 @@ void ERR_load_TS_strings(void);
+@@ -857,6 +876,8 @@ void ERR_load_TS_strings(void);
  # define TS_R_UNACCEPTABLE_POLICY                         125
  # define TS_R_UNSUPPORTED_MD_ALGORITHM                    126
  # define TS_R_UNSUPPORTED_VERSION                         113
@@ -1531,7 +1451,7 @@ index 0f29011..80dd40e 100644
                             int verify)
  {
 diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
-index 9ee8f8d..64b052e 100644
+index bbc3189..29695f9 100644
 --- a/crypto/x509/by_dir.c
 +++ b/crypto/x509/by_dir.c
 @@ -69,6 +69,8 @@
@@ -1543,17 +1463,17 @@ index 9ee8f8d..64b052e 100644
  #include <openssl/lhash.h>
  #include <openssl/x509.h>
  
-@@ -434,3 +436,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+@@ -438,3 +440,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
          BUF_MEM_free(b);
      return (ok);
  }
 +
 +#endif /* OPENSSL_NO_STDIO */
 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 4d34dba..25e8a89 100644
+index 8334b3f..d075f66 100644
 --- a/crypto/x509/x509_vfy.c
 +++ b/crypto/x509/x509_vfy.c
-@@ -950,6 +950,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+@@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
          ctx->current_crl = crl;
      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
          ptime = &ctx->param->check_time;
@@ -1562,7 +1482,7 @@ index 4d34dba..25e8a89 100644
      else
          ptime = NULL;
  
-@@ -1673,6 +1675,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+@@ -1805,6 +1807,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
  
      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
          ptime = &ctx->param->check_time;
@@ -1572,10 +1492,10 @@ index 4d34dba..25e8a89 100644
          ptime = NULL;
  
 diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
-index 2663e1c..3790ef5 100644
+index 5062682..e90d931 100644
 --- a/crypto/x509/x509_vfy.h
 +++ b/crypto/x509/x509_vfy.h
-@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
+@@ -443,6 +443,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
   * will force the behaviour to match that of previous versions.
   */
  # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
@@ -1584,11 +1504,10 @@ index 2663e1c..3790ef5 100644
  
  # define X509_VP_FLAG_DEFAULT                    0x1
  # define X509_VP_FLAG_OVERWRITE                  0x2
-@@ -490,9 +492,10 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
- X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
+@@ -496,8 +498,10 @@ X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
  
  X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
--
+ 
 +#ifndef OPENSSL_NO_STDIO
  X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
  X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
@@ -1944,10 +1863,10 @@ index f6b3ff2..1dcbe36 100755
  		     SEED,-
  		     SHA,-
 diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 5d26c94..ee3f49b 100644
+index 9bc6153..b5648eb 100644
 --- a/ssl/d1_both.c
 +++ b/ssl/d1_both.c
-@@ -1053,7 +1053,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
+@@ -1068,7 +1068,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
  int dtls1_read_failed(SSL *s, int code)
  {
      if (code > 0) {
@@ -1957,7 +1876,7 @@ index 5d26c94..ee3f49b 100644
      }
  
 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
-index 35cc27c..a1f5335 100644
+index 499f0e8..5672f99 100644
 --- a/ssl/ssl_asn1.c
 +++ b/ssl/ssl_asn1.c
 @@ -418,7 +418,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
@@ -1992,9 +1911,9 @@ index 35cc27c..a1f5335 100644
              c.error = SSL_R_BAD_LENGTH;
 -            c.line = __LINE__;
 +            c.line = OPENSSL_LINE;
-             goto err;
-         } else {
-             ret->sid_ctx_length = os.length;
+             OPENSSL_free(os.data);
+             os.data = NULL;
+             os.length = 0;
 diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
 index f48ebae..ac4f08c 100644
 --- a/ssl/ssl_cert.c
@@ -2068,10 +1987,10 @@ index 8d3709d..2bb403b 100644
  
  static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
 diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 514fcb3..2a54cc9 100644
+index b6d1ee9..75f38cd 100644
 --- a/ssl/t1_enc.c
 +++ b/ssl/t1_enc.c
-@@ -780,9 +780,7 @@ int tls1_enc(SSL *s, int send)
+@@ -779,9 +779,7 @@ int tls1_enc(SSL *s, int send)
                       * we can't write into the input stream: Can this ever
                       * happen?? (steve)
                       */
@@ -2152,7 +2071,7 @@ index b9b159a..9841498 100755
  			if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
  			if ($keyword eq "PSK" && $no_psk) { return 0; }
 diff --git a/util/mkerr.pl b/util/mkerr.pl
-index 09ebebe..cd57ade 100644
+index c197f3a..97b295c 100644
 --- a/util/mkerr.pl
 +++ b/util/mkerr.pl
 @@ -89,7 +89,7 @@ Options:
@@ -2164,7 +2083,7 @@ index 09ebebe..cd57ade 100644
                  while the code facilitates the use of these in an environment
                  where the error support routines are dynamically loaded at 
                  runtime.
-@@ -474,7 +474,7 @@ EOF
+@@ -482,7 +482,7 @@ EOF
  ${staticloader}void ERR_load_${lib}_strings(void);
  ${staticloader}void ERR_unload_${lib}_strings(void);
  ${staticloader}void ERR_${lib}_error(int function, int reason, char *file, int line);
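Review bot: The rebased EDKII patch drops its crypto/ec/ec_ameth.c and crypto/rsa/rsa_ameth.c sections outright (the removed lines wrapped the CMS helper prototypes and bodies in `#ifndef OPENSSL_NO_CMS` / `#endif`), but neither the commit message nor the patch records why. Presumably the 1.0.2j sources already carry equivalent guards so the hunks no longer apply, yet that cannot be confirmed from this diff, and a build that defines OPENSSL_NO_CMS (which the EDKII configuration presumably does, given the guards were added in the first place) is exactly the one that breaks if they are gone. I would add one sentence to the commit message naming the dropped hunks and the reason, e.g. `The OPENSSL_NO_CMS guards previously patched into ec_ameth.c and rsa_ameth.c are dropped because the 1.0.2j sources already contain them`, adjusted to whatever the actual reason is. Relatedly, the srp_vfy.c `#endif` now closes after a rewritten tail of SRP_user_pwd_set_sv (the `vinfo->v = NULL; return 0;` context replaces the old t_fromb64 lines), so a no-CMS and no-SRP build check would make the rebase verifiable rather than assumed.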
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index 83d04d7..3d86bc7 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2h
+cd openssl-1.0.2j
 copy ..\opensslconf.h           crypto
 if not exist include\openssl mkdir include\openssl
 copy e_os2.h                    include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 95963ff..e6703d1 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-cd openssl-1.0.2h
+cd openssl-1.0.2j
 cp ../opensslconf.h           crypto
 mkdir -p                      include/openssl
 cp e_os2.h                    include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 4c9f8aa..8121e83 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
-  DEFINE OPENSSL_PATH            = openssl-1.0.2h
+  DEFINE OPENSSL_PATH            = openssl-1.0.2j
   DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 91098b9..d7e3d9e 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
 ================================================================================
                                 OpenSSL-Version
 ================================================================================
-  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2h.
-    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
+  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
+    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
 
 
 ================================================================================
                       HOW to Install Openssl for UEFI Building
 ================================================================================
-1.  Download OpenSSL 1.0.2h from official website:
-    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
+1.  Download OpenSSL 1.0.2j from official website:
+    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
 
-    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2h.tar.tar.
-          When you do the download, rename the "openssl-1.0.2h.tar.tar" to
-          "openssl-1.0.2h.tar.gz" or rename the local downloaded file with ".tar.tar"
+    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2j.tar.tar.
+          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
+          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with ".tar.tar"
           extension to ".tar.gz".
 
-2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2h
+2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
 
     NOTE: If you use WinZip to unpack the openssl source in Windows, please
           uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
           Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
 
-3.  Apply this patch: EDKII_openssl-1.0.2h.patch, and make installation
+3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation
 
     For Windows Environment:
     ------------------------
     1) Make sure the patch utility has been installed in your machine.
        Install Cygwin or get the patch utility binary from
           http://gnuwin32.sourceforge.net/packages/patch.htm
-    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2h
-    3) patch -p1 -i ..\EDKII_openssl-1.0.2h.patch
+    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
+    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
     4) cd ..
     5) Install.cmd
 
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
     -----------------------
     1) Make sure the patch utility has been installed in your machine.
        Patch utility is available from http://directory.fsf.org/project/patch/
-    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2h
-    3) patch -p1 -i ../EDKII_openssl-1.0.2h.patch
+    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
+    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
     4) cd ..
     5) ./Install.sh
 
-- 
2.10.0.windows.1




* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
From: Ye, Ting @ 2016-09-29  6:45 UTC (permalink / raw)
  To: Long, Qin, edk2-devel@lists.01.org; +Cc: Woodhouse, David

Reviewed-by: Ye Ting <ting.ye@intel.com> 

-----Original Message-----
From: Long, Qin 
Sent: Thursday, September 29, 2016 2:09 PM
To: edk2-devel@lists.01.org
Cc: Ye, Ting <ting.ye@intel.com>; Woodhouse, David <david.woodhouse@intel.com>
Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j

Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with several severity fixes at 22-Sep-2016 and 26-Sep-2016 with several security fixes. Refer to https://www.openssl.org/news/secadv/20160922.txt and https://www.openssl.org/news/secadv/20160926.txt.
This patch is to upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2j.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 CryptoPkg/CryptoPkg.dec                            |   2 +-
 ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++---------------
 CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
 CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
 6 files changed, 62 insertions(+), 143 deletions(-)
 rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} (92%)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index c0885bb..80579b7 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -24,7 +24,7 @@
 
 [Includes]
   Include
-  Library/OpensslLib/openssl-1.0.2h/include
+  Library/OpensslLib/openssl-1.0.2j/include
 
 [LibraryClasses]
   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
similarity index 92%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
index 559fc67..ecd13a9 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
@@ -1,5 +1,5 @@
 diff --git a/Configure b/Configure
-index c98107a..c122709 100755
+index c39f71a..98dd1d0 100755
 --- a/Configure
 +++ b/Configure
 @@ -609,6 +609,9 @@ my %table=(
@@ -12,7 +12,7 @@ index c98107a..c122709 100755
  # UWIN
  "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
  
-@@ -1088,7 +1091,7 @@ if (defined($disabled{"tls1"}))
+@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) || 
+defined($disabled{"sha"})
  	}
  
  if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
@@ -22,20 +22,20 @@ index c98107a..c122709 100755
  	$disabled{"gost"} = "forced";
  	}
 diff --git a/apps/apps.c b/apps/apps.c
-index b1dd970..8278c28 100644
+index 9fdc3e0..6c183b0 100644
 --- a/apps/apps.c
 +++ b/apps/apps.c
-@@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc,
+@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
          flags |= X509_V_FLAG_PARTIAL_CHAIN;
      else if (!strcmp(arg, "-no_alt_chains"))
          flags |= X509_V_FLAG_NO_ALT_CHAINS;
 +    else if (!strcmp(arg, "-no_check_time"))
 +        flags |= X509_V_FLAG_NO_CHECK_TIME;
+     else if (!strcmp(arg, "-allow_proxy_certs"))
+         flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
      else
-         return 0;
-
 diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
-index 35fd44c..9f39bff 100644
+index 2d562f9..91203b7 100644
 --- a/crypto/asn1/a_strex.c
 +++ b/crypto/asn1/a_strex.c
 @@ -104,6 +104,7 @@ static int send_bio_chars(void *arg, const void *buf, int len)
@@ -426,7 +426,7 @@ index 5281384..952b545 100644
  #ifndef OPENSSL_NO_FP_API
 int NCONF_load_fp(CONF *conf, FILE *fp, long *eline)
 diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
-index 9acfca4..5e0a482 100644
+index e0c9a67..13d93ea 100644
 --- a/crypto/conf/conf_mod.c
 +++ b/crypto/conf/conf_mod.c
 @@ -159,6 +159,7 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
@@ -747,21 +747,6 @@ index b58e3fa..926be98 100644
  }
  
  const EVP_PKEY_METHOD dh_pkey_meth = {
-diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
-index 83e208c..4869098 100644
---- a/crypto/ec/ec_ameth.c
-+++ b/crypto/ec/ec_ameth.c
-@@ -67,8 +67,10 @@
- #include <openssl/asn1t.h>
- #include "asn1_locl.h"
- 
-+#ifndef OPENSSL_NO_CMS
- static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
- static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
-+#endif
-
- static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
- {
 diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h
 index 46f163b..b4a72a0 100644
 --- a/crypto/engine/eng_int.h
@@ -943,7 +928,7 @@ index 7a1c85d..7162c0f 100644
  #undef BN_LLONG
  
 diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h
-index d3b23fc..5df6ffd 100644
+index aac72fb..d271ec8 100644
 --- a/crypto/pem/pem.h
 +++ b/crypto/pem/pem.h
 @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
@@ -987,7 +972,7 @@ index d3b23fc..5df6ffd 100644
  EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
 int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
 diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index fe881d6..e25cc68 100644
+index c82b3c0..56c77b1 100644
 --- a/crypto/pem/pem_lib.c
 +++ b/crypto/pem/pem_lib.c
 @@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *suffix);
@@ -1130,7 +1115,7 @@ index 737aebf..f23f348 100644
  {
      return (-1);
 diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
-index 266111e..f60fac6 100644
+index 6c5b65d..11ee152 100644
 --- a/crypto/rand/rand_unix.c
 +++ b/crypto/rand/rand_unix.c
 @@ -116,7 +116,7 @@
@@ -1151,71 +1136,6 @@ index 266111e..f60fac6 100644
  int RAND_poll(void)
  {
      return 0;
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index 4e06218..ddead3d 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -68,10 +68,12 @@
- #endif
- #include "asn1_locl.h"
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_sign(CMS_SignerInfo *si);
- static int rsa_cms_verify(CMS_SignerInfo *si);
- static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
- static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
-+#endif
-
- static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
- {
-@@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
-     return rv;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_verify(CMS_SignerInfo *si)
- {
-     int nid, nid2;
-@@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)
-     }
-     return 0;
- }
-+#endif
-
- /*
-  * Customised RSA item verification routine. This is called when a signature
-@@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-     return -1;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static int rsa_cms_sign(CMS_SignerInfo *si)
- {
-     int pad_mode = RSA_PKCS1_PADDING;
-@@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
-     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
-     return 1;
- }
-+#endif
-
- static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-                          X509_ALGOR *alg1, X509_ALGOR *alg2,
-@@ -762,6 +768,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-     return 2;
- }
- 
-+#ifndef OPENSSL_NO_CMS
- static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
-                                         X509_ALGOR **pmaskHash)
- {
-@@ -920,6 +927,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
-         ASN1_STRING_free(os);
-     return rv;
- }
-+#endif
-
- const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
-     {
 diff --git a/crypto/srp/srp.h b/crypto/srp/srp.h
 index 028892a..4ed4bfe 100644
 --- a/crypto/srp/srp.h
@@ -1231,10 +1151,10 @@ index 028892a..4ed4bfe 100644
  /* This method ignores the configured seed and fails for an unknown user. */
 SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
 diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
-index 26ad3e0..6be4cf2 100644
+index a8ec52a..ce20804 100644
 --- a/crypto/srp/srp_vfy.c
 +++ b/crypto/srp/srp_vfy.c
-@@ -225,6 +225,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
+@@ -228,6 +228,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd 
+*vinfo, const char *id,
      return (info == NULL || NULL != (vinfo->info = BUF_strdup(info)));
  }
  
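Review bot: The new `+@@ -228,6 +228,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd ` header is wrapped, so the following line of the new EDKII_openssl-1.0.2j.patch is `*vinfo, const char *id,`, a hunk line carrying no leading space, `+` or `-` marker. The trailing function text of an `@@` header is ignored by patch, but an unmarked continuation line inside the hunk is not, so if that line break is really in the file and not just mail-client wrapping, `patch -p1` may reject or misapply the hunk; the patch should be regenerated with `git diff`/`diff -u` output written straight to the file and every `@@` header checked to sit on one line. The same wrapping shows on the new headers of the later srp_vfy.c hunks and of the ts.h, by_dir.c, x509_vfy.c, x509_vfy.h and d1_both.c hunks. A quick check before posting is `patch -p1 --dry-run -i ../EDKII_openssl-1.0.2j.patch` from inside the unpacked openssl-1.0.2j tree, which is also the step the HOWTO documents.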
@@ -1242,15 +1162,15 @@ index 26ad3e0..6be4cf2 100644
  static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
                                 const char *v)
  {
-@@ -239,6 +240,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
-     len = t_fromb64(tmp, s);
-     return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL);
+@@ -254,6 +255,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
+     vinfo->v = NULL;
+     return 0;
  }
 +#endif
  
  static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
  {
-@@ -297,6 +299,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
+@@ -312,6 +314,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
      return 0;
  }
  
@@ -1258,7 +1178,7 @@ index 26ad3e0..6be4cf2 100644
  static SRP_gN_cache *SRP_gN_new_init(const char *ch)
  {
      unsigned char tmp[MAX_LEN];
-@@ -328,6 +331,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
+@@ -346,6 +349,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
      BN_free(gN_cache->bn);
      OPENSSL_free(gN_cache);
  }
@@ -1266,7 +1186,7 @@ index 26ad3e0..6be4cf2 100644
  
  static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
  {
-@@ -344,6 +348,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
+@@ -362,6 +366,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, 
+STACK_OF(SRP_gN) *gN_tab)
      return SRP_get_default_gN(id);
  }
  
@@ -1274,7 +1194,7 @@ index 26ad3e0..6be4cf2 100644
  static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch)
  {
      int i;
-@@ -485,6 +490,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
+@@ -503,6 +508,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char 
+*verifier_file)
      return error_code;
  
  }
@@ -1283,7 +1203,7 @@ index 26ad3e0..6be4cf2 100644
  static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
  {
 diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h -index 16eccbb..a9fe40e 100644
+index 2daa1b2..5205bc5 100644
 --- a/crypto/ts/ts.h
 +++ b/crypto/ts/ts.h
 @@ -281,8 +281,10 @@ TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length);
@@ -1342,7 +1262,7 @@ index 16eccbb..a9fe40e 100644
  
  TS_ACCURACY *TS_ACCURACY_new(void);
 void TS_ACCURACY_free(TS_ACCURACY *a);
-@@ -728,15 +736,18 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
+@@ -731,15 +739,18 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, 
+TS_MSG_IMPRINT *msg);
   * ts/ts_conf.c
   */
  
@@ -1361,7 +1281,7 @@ index 16eccbb..a9fe40e 100644
  int TS_CONF_set_signer_cert(CONF *conf, const char *section,
                              const char *cert, TS_RESP_CTX *ctx);
 int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
-@@ -744,6 +755,7 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
+@@ -747,6 +758,7 @@ int TS_CONF_set_certs(CONF *conf, const char 
+*section, const char *certs,
  int TS_CONF_set_signer_key(CONF *conf, const char *section,
                             const char *key, const char *pass,
                             TS_RESP_CTX *ctx);
@@ -1369,7 +1289,7 @@ index 16eccbb..a9fe40e 100644
  int TS_CONF_set_def_policy(CONF *conf, const char *section,
                             const char *policy, TS_RESP_CTX *ctx);
 int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
-@@ -784,6 +796,11 @@ void ERR_load_TS_strings(void);
+@@ -787,6 +799,11 @@ void ERR_load_TS_strings(void);
  # define TS_F_TS_CHECK_SIGNING_CERTS                      103
  # define TS_F_TS_CHECK_STATUS_INFO                        104
  # define TS_F_TS_COMPUTE_IMPRINT                          145
@@ -1381,7 +1301,7 @@ index 16eccbb..a9fe40e 100644
  # define TS_F_TS_CONF_SET_DEFAULT_ENGINE                  146
  # define TS_F_TS_GET_STATUS_TEXT                          105
  # define TS_F_TS_MSG_IMPRINT_SET_ALGO                     118
-@@ -822,6 +839,8 @@ void ERR_load_TS_strings(void);
+@@ -825,6 +842,8 @@ void ERR_load_TS_strings(void);
  /* Reason codes. */
  # define TS_R_BAD_PKCS7_TYPE                              132
  # define TS_R_BAD_TYPE                                    133
@@ -1390,7 +1310,7 @@ index 16eccbb..a9fe40e 100644
  # define TS_R_CERTIFICATE_VERIFY_ERROR                    100
  # define TS_R_COULD_NOT_SET_ENGINE                        127
  # define TS_R_COULD_NOT_SET_TIME                          115
-@@ -854,6 +873,8 @@ void ERR_load_TS_strings(void);
+@@ -857,6 +876,8 @@ void ERR_load_TS_strings(void);
  # define TS_R_UNACCEPTABLE_POLICY                         125
  # define TS_R_UNSUPPORTED_MD_ALGORITHM                    126
  # define TS_R_UNSUPPORTED_VERSION                         113
@@ -1531,7 +1451,7 @@ index 0f29011..80dd40e 100644
                             int verify)
  {
 diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
-index 9ee8f8d..64b052e 100644
+index bbc3189..29695f9 100644
 --- a/crypto/x509/by_dir.c
 +++ b/crypto/x509/by_dir.c
 @@ -69,6 +69,8 @@
@@ -1543,17 +1463,17 @@ index 9ee8f8d..64b052e 100644
  #include <openssl/lhash.h>
  #include <openssl/x509.h>
  
-@@ -434,3 +436,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+@@ -438,3 +440,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int 
+type, X509_NAME *name,
          BUF_MEM_free(b);
      return (ok);
  }
 +
 +#endif /* OPENSSL_NO_STDIO */
 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 4d34dba..25e8a89 100644
+index 8334b3f..d075f66 100644
 --- a/crypto/x509/x509_vfy.c
 +++ b/crypto/x509/x509_vfy.c
-@@ -950,6 +950,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+@@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, 
+X509_CRL *crl, int notify)
          ctx->current_crl = crl;
      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
          ptime = &ctx->param->check_time;
@@ -1562,7 +1482,7 @@ index 4d34dba..25e8a89 100644
      else
          ptime = NULL;
  
-@@ -1673,6 +1675,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+@@ -1805,6 +1807,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, 
+X509 *x)
  
      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
          ptime = &ctx->param->check_time;
@@ -1572,10 +1492,10 @@ index 4d34dba..25e8a89 100644
          ptime = NULL;
  
 diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
-index 2663e1c..3790ef5 100644
+index 5062682..e90d931 100644
 --- a/crypto/x509/x509_vfy.h
 +++ b/crypto/x509/x509_vfy.h
-@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
+@@ -443,6 +443,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, 
+int depth);
   * will force the behaviour to match that of previous versions.
   */
  # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
@@ -1584,11 +1504,10 @@ index 2663e1c..3790ef5 100644
  
  # define X509_VP_FLAG_DEFAULT                    0x1
  # define X509_VP_FLAG_OVERWRITE                  0x2
-@@ -490,9 +492,10 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
- X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
+@@ -496,8 +498,10 @@ X509_STORE 
+*X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
  
  X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
--
+ 
 +#ifndef OPENSSL_NO_STDIO
  X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
 X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
@@ -1944,10 +1863,10 @@ index f6b3ff2..1dcbe36 100755
  		     SEED,-
  		     SHA,-
 diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 5d26c94..ee3f49b 100644
+index 9bc6153..b5648eb 100644
 --- a/ssl/d1_both.c
 +++ b/ssl/d1_both.c
-@@ -1053,7 +1053,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
+@@ -1068,7 +1068,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, 
+int b)
  int dtls1_read_failed(SSL *s, int code)
  {
      if (code > 0) {
@@ -1957,7 +1876,7 @@ index 5d26c94..ee3f49b 100644
      }
  
 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
-index 35cc27c..a1f5335 100644
+index 499f0e8..5672f99 100644
 --- a/ssl/ssl_asn1.c
 +++ b/ssl/ssl_asn1.c
 @@ -418,7 +418,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
@@ -1992,9 +1911,9 @@ index 35cc27c..a1f5335 100644
              c.error = SSL_R_BAD_LENGTH;
 -            c.line = __LINE__;
 +            c.line = OPENSSL_LINE;
-             goto err;
-         } else {
-             ret->sid_ctx_length = os.length;
+             OPENSSL_free(os.data);
+             os.data = NULL;
+             os.length = 0;
 diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
 index f48ebae..ac4f08c 100644
 --- a/ssl/ssl_cert.c
@@ -2068,10 +1987,10 @@ index 8d3709d..2bb403b 100644
  
 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
 diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 514fcb3..2a54cc9 100644
+index b6d1ee9..75f38cd 100644
 --- a/ssl/t1_enc.c
 +++ b/ssl/t1_enc.c
-@@ -780,9 +780,7 @@ int tls1_enc(SSL *s, int send)
+@@ -779,9 +779,7 @@ int tls1_enc(SSL *s, int send)
                       * we can't write into the input stream: Can this ever
                       * happen?? (steve)
                       */
@@ -2152,7 +2071,7 @@ index b9b159a..9841498 100755
  			if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
  			if ($keyword eq "PSK" && $no_psk) { return 0; }
 diff --git a/util/mkerr.pl b/util/mkerr.pl
-index 09ebebe..cd57ade 100644
+index c197f3a..97b295c 100644
 --- a/util/mkerr.pl
 +++ b/util/mkerr.pl
 @@ -89,7 +89,7 @@ Options:
@@ -2164,7 +2083,7 @@ index 09ebebe..cd57ade 100644
                  while the code facilitates the use of these in an environment
                  where the error support routines are dynamically loaded at 
                  runtime.
-@@ -474,7 +474,7 @@ EOF
+@@ -482,7 +482,7 @@ EOF
  ${staticloader}void ERR_load_${lib}_strings(void);
  ${staticloader}void ERR_unload_${lib}_strings(void);
 ${staticloader}void ERR_${lib}_error(int function, int reason, char *file, int line);
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index 83d04d7..3d86bc7 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2h
+cd openssl-1.0.2j
 copy ..\opensslconf.h           crypto
 if not exist include\openssl mkdir include\openssl
 copy e_os2.h                    include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 95963ff..e6703d1 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-cd openssl-1.0.2h
+cd openssl-1.0.2j
 cp ../opensslconf.h           crypto
 mkdir -p                      include/openssl
 cp e_os2.h                    include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 4c9f8aa..8121e83 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
-  DEFINE OPENSSL_PATH            = openssl-1.0.2h
+  DEFINE OPENSSL_PATH            = openssl-1.0.2j
   DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 91098b9..d7e3d9e 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
 ================================================================================
                                 OpenSSL-Version
 ================================================================================
-  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2h.
-    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
+  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
+    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
 
 
 ================================================================================
                      HOW to Install Openssl for UEFI Building
 ================================================================================
-1.  Download OpenSSL 1.0.2h from official website:
-    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
+1.  Download OpenSSL 1.0.2j from official website:
+    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
 
-    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2h.tar.tar.
-          When you do the download, rename the "openssl-1.0.2h.tar.tar" to
-          "openssl-1.0.2h.tar.gz" or rename the local downloaded file with ".tar.tar"
+    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2j.tar.tar.
+          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
+          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with ".tar.tar"
           extension to ".tar.gz".
 
-2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2h
+2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
 
     NOTE: If you use WinZip to unpack the openssl source in Windows, please
           uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
           Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
 
-3.  Apply this patch: EDKII_openssl-1.0.2h.patch, and make installation
+3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation
 
     For Windows Environment:
     ------------------------
     1) Make sure the patch utility has been installed in your machine.
        Install Cygwin or get the patch utility binary from
           http://gnuwin32.sourceforge.net/packages/patch.htm
-    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2h
-    3) patch -p1 -i ..\EDKII_openssl-1.0.2h.patch
+    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
+    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
     4) cd ..
     5) Install.cmd
 
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
     -----------------------
     1) Make sure the patch utility has been installed in your machine.
        Patch utility is available from http://directory.fsf.org/project/patch/
-    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2h
-    3) patch -p1 -i ../EDKII_openssl-1.0.2h.patch
+    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
+    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
     4) cd ..
     5) ./Install.sh
 
--
2.10.0.windows.1




* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
  2016-09-29  6:09 [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j Qin Long
  2016-09-29  6:45 ` Ye, Ting
@ 2016-09-29  9:22 ` Laszlo Ersek
  2016-09-29 14:22   ` Long, Qin
       [not found] ` <1475140721.45169.500.camel@intel.com>
  2 siblings, 1 reply; 7+ messages in thread
From: Laszlo Ersek @ 2016-09-29  9:22 UTC (permalink / raw)
  To: Qin Long; +Cc: edk2-devel, ting.ye, David.Woodhouse

On 09/29/16 08:09, Qin Long wrote:
> Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available
> with several severity fixes at 22-Sep-2016 and 26-Sep-2016 with
> several security fixes. Refer to
> https://www.openssl.org/news/secadv/20160922.txt and
> https://www.openssl.org/news/secadv/20160926.txt.
> This patch is to upgrade the supported OpenSSL version in
> CryptoPkg/OpensslLib to catch the latest release 1.0.2j.
> 
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: David Woodhouse <David.Woodhouse@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dec                            |   2 +-
>  ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++---------------
>  CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
>  CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
>  6 files changed, 62 insertions(+), 143 deletions(-)
>  rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} (92%)

Can you please push this patch to a personal git repo of yours, and
publish the URL and branch name on the list? I'd like to test the patch.

Thanks!
Laszlo




* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
  2016-09-29  9:22 ` Laszlo Ersek
@ 2016-09-29 14:22   ` Long, Qin
  2016-09-29 19:26     ` Laszlo Ersek
  0 siblings, 1 reply; 7+ messages in thread
From: Long, Qin @ 2016-09-29 14:22 UTC (permalink / raw)
  To: Laszlo Ersek; +Cc: edk2-devel@ml01.01.org, Ye, Ting, Woodhouse, David

Sure, refer to https://github.com/qloong/edk2/tree/dev-openssl-1.0.2j
Thanks, Laszlo.


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Laszlo Ersek [mailto:lersek@redhat.com] 
Sent: Thursday, September 29, 2016 5:23 PM
To: Long, Qin <qin.long@intel.com>
Cc: edk2-devel@ml01.01.org; Ye, Ting <ting.ye@intel.com>; Woodhouse, David <david.woodhouse@intel.com>
Subject: Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j

On 09/29/16 08:09, Qin Long wrote:
> Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with 
> several severity fixes at 22-Sep-2016 and 26-Sep-2016 with several 
> security fixes. Refer to 
> https://www.openssl.org/news/secadv/20160922.txt and 
> https://www.openssl.org/news/secadv/20160926.txt.
> This patch is to upgrade the supported OpenSSL version in 
> CryptoPkg/OpensslLib to catch the latest release 1.0.2j.
> 
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: David Woodhouse <David.Woodhouse@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dec                            |   2 +-
>  ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++---------------
>  CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
>  CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
>  6 files changed, 62 insertions(+), 143 deletions(-)  rename 
> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch => 
> EDKII_openssl-1.0.2j.patch} (92%)

Can you please push this patch to a personal git repo of yours, and publish the URL and branch name on the list? I'd like to test the patch.

Thanks!
Laszlo




* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
       [not found] ` <1475140721.45169.500.camel@intel.com>
@ 2016-09-29 14:30   ` Long, Qin
  0 siblings, 0 replies; 7+ messages in thread
From: Long, Qin @ 2016-09-29 14:30 UTC (permalink / raw)
  To: Woodhouse, David, edk2-devel@lists.01.org; +Cc: Ye, Ting

> -----Original Message-----
> From: Woodhouse, David
> Sent: Thursday, September 29, 2016 5:19 PM
> To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>
> Subject: Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to
> 1.0.2j
> 
> On Thu, 2016-09-29 at 14:09 +0800, Qin Long wrote:
> > Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available
> > with several severity fixes at 22-Sep-2016 and 26-Sep-2016 with
> > several security fixes. Refer to
> > https://www.openssl.org/news/secadv/20160922.txt and
> > https://www.openssl.org/news/secadv/20160926.txt.
> > This patch is to upgrade the supported OpenSSL version in
> > CryptoPkg/OpensslLib to catch the latest release 1.0.2j.
> 
> Hm, we're ready to move to 1.1.0 now aren't we?
> 

Yeah, the internal evaluation is still in progress. I plan to make this move in Q4.
(https://github.com/qloong/edk2/tree/dev-openssl-1.1.0xx for more validations)

Before the formal move, we still  use this patch to catch the latest openssl-1.0.2 fixes.

> --
>                   Sent with Evolution's ActiveSync support.
> 
> David Woodhouse                            Open Source Technology Centre
> David.Woodhouse@intel.com                              Intel Corporation


* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
  2016-09-29 14:22   ` Long, Qin
@ 2016-09-29 19:26     ` Laszlo Ersek
  2016-09-30  1:07       ` Long, Qin
  0 siblings, 1 reply; 7+ messages in thread
From: Laszlo Ersek @ 2016-09-29 19:26 UTC (permalink / raw)
  To: Long, Qin; +Cc: Ye, Ting, edk2-devel@ml01.01.org, Woodhouse, David

On 09/29/16 16:22, Long, Qin wrote:
> Sure, refer to https://github.com/qloong/edk2/tree/dev-openssl-1.0.2j
> Thanks, Laszlo.

I used the Ia32X64 build of OVMF with a Fedora guest to test this
update. I checked:
- boot with Secure Boot having been enabled previously (using 1.0.2h)
- clearing Secure Boot and booting an unsigned binary
- enrolling certificates again and booting with SB enabled (checking
both unsigned and signed)

Tested-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo


> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com] 
> Sent: Thursday, September 29, 2016 5:23 PM
> To: Long, Qin <qin.long@intel.com>
> Cc: edk2-devel@ml01.01.org; Ye, Ting <ting.ye@intel.com>; Woodhouse, David <david.woodhouse@intel.com>
> Subject: Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
> 
> On 09/29/16 08:09, Qin Long wrote:
>> Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with 
>> several severity fixes at 22-Sep-2016 and 26-Sep-2016 with several 
>> security fixes. Refer to 
>> https://www.openssl.org/news/secadv/20160922.txt and 
>> https://www.openssl.org/news/secadv/20160926.txt.
>> This patch is to upgrade the supported OpenSSL version in 
>> CryptoPkg/OpensslLib to catch the latest release 1.0.2j.
>>
>> Cc: Ting Ye <ting.ye@intel.com>
>> Cc: David Woodhouse <David.Woodhouse@intel.com>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Qin Long <qin.long@intel.com>
>> ---
>>  CryptoPkg/CryptoPkg.dec                            |   2 +-
>>  ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++---------------
>>  CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
>>  CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
>>  6 files changed, 62 insertions(+), 143 deletions(-)  rename 
>> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch => 
>> EDKII_openssl-1.0.2j.patch} (92%)
> 
> Can you please push this patch to a personal git repo of yours, and publish the URL and branch name on the list? I'd like to test the patch.
> 
> Thanks!
> Laszlo
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> 




* Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
  2016-09-29 19:26     ` Laszlo Ersek
@ 2016-09-30  1:07       ` Long, Qin
  0 siblings, 0 replies; 7+ messages in thread
From: Long, Qin @ 2016-09-30  1:07 UTC (permalink / raw)
  To: Laszlo Ersek; +Cc: Ye, Ting, edk2-devel@ml01.01.org, Woodhouse, David

Copy that. Thanks, Laszlo.


> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Friday, September 30, 2016 3:27 AM
> To: Long, Qin <qin.long@intel.com>
> Cc: Ye, Ting <ting.ye@intel.com>; edk2-devel@ml01.01.org; Woodhouse,
> David <david.woodhouse@intel.com>
> Subject: Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version
> to 1.0.2j
> 
> On 09/29/16 16:22, Long, Qin wrote:
> > Sure, refer to https://github.com/qloong/edk2/tree/dev-openssl-1.0.2j
> > Thanks, Laszlo.
> 
> I used the Ia32X64 build of OVMF with a Fedora guest to test this update. I
> checked:
> - boot with Secure Boot having been enabled previously (using 1.0.2h)
> - clearing Secure Boot and booting an unsigned binary
> - enrolling certificates again and booting with SB enabled (checking both
> unsigned and signed)
> 
> Tested-by: Laszlo Ersek <lersek@redhat.com>
> 
> Thanks
> Laszlo
> 
> 
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > Sent: Thursday, September 29, 2016 5:23 PM
> > To: Long, Qin <qin.long@intel.com>
> > Cc: edk2-devel@ml01.01.org; Ye, Ting <ting.ye@intel.com>; Woodhouse,
> > David <david.woodhouse@intel.com>
> > Subject: Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL
> > version to 1.0.2j
> >
> > On 09/29/16 08:09, Qin Long wrote:
> >> Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with
> >> several severity fixes at 22-Sep-2016 and 26-Sep-2016 with several
> >> security fixes. Refer to
> >> https://www.openssl.org/news/secadv/20160922.txt and
> >> https://www.openssl.org/news/secadv/20160926.txt.
> >> This patch is to upgrade the supported OpenSSL version in
> >> CryptoPkg/OpensslLib to catch the latest release 1.0.2j.
> >>
> >> Cc: Ting Ye <ting.ye@intel.com>
> >> Cc: David Woodhouse <David.Woodhouse@intel.com>
> >> Contributed-under: TianoCore Contribution Agreement 1.0
> >> Signed-off-by: Qin Long <qin.long@intel.com>
> >> ---
> >>  CryptoPkg/CryptoPkg.dec                            |   2 +-
> >>  ...ssl-1.0.2h.patch => EDKII_openssl-1.0.2j.patch} | 171 ++++++-------------
> --
> >>  CryptoPkg/Library/OpensslLib/Install.cmd           |   2 +-
> >>  CryptoPkg/Library/OpensslLib/Install.sh            |   2 +-
> >>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |   2 +-
> >>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  26 ++--
> >>  6 files changed, 62 insertions(+), 143 deletions(-)  rename
> >> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2h.patch =>
> >> EDKII_openssl-1.0.2j.patch} (92%)
> >
> > Can you please push this patch to a personal git repo of yours, and publish
> the URL and branch name on the list? I'd like to test the patch.
> >
> > Thanks!
> > Laszlo
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
> >



