From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
 by mx.groups.io with SMTP id smtpd.web10.8528.1685697293262548624
 for <devel@edk2.groups.io>;
 Fri, 02 Jun 2023 02:14:53 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jhgwbbNr;
 spf=pass (domain: kernel.org, ip: 139.178.84.217, mailfrom: ardb@kernel.org)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dfw.source.kernel.org (Postfix) with ESMTPS id AEDFE61307
	for <devel@edk2.groups.io>; Fri,  2 Jun 2023 09:14:52 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EFC4C433D2
	for <devel@edk2.groups.io>; Fri,  2 Jun 2023 09:14:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1685697292;
	bh=ATMCIojIUA+jET55svn8ciSi6DP5PzOJPtLjXyji4YA=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
	b=jhgwbbNrHo/PWkSmWlr2+J1l3z8T8oWC/hv968Hvhr5QllmmbGX3fyFMqUnMPfniG
	 Lrt8kpGH/OVUOBW85DJJJM1egyuBqPvOyngJGz668T3aCcyTSXColL208RUMBQoFm+
	 v+1lDp04CZI/nEKsKZsk8ytscnz1aKN9vtRpzeWclP8yqXh+veSKmCyYokmzj+hCLL
	 2Y8jtMb2ArXYZM+0liXtQSqTLOikclV+SSWFYATvALIQw3ltivz1lA+0u6z1L7fR5Z
	 6ovq9cNnedMMHDsK/l1SB7nXiKqBHPq8PRO3/W6gE/II2qKqXV5MTuZg9mgj1OlrO9
	 1ei116mMx14MA==
Received: by mail-lf1-f54.google.com with SMTP id 2adb3069b0e04-4f004cc54f4so2448489e87.3
        for <devel@edk2.groups.io>; Fri, 02 Jun 2023 02:14:51 -0700 (PDT)
X-Gm-Message-State: AC+VfDxfy3bBLWfmiyam5GKNBQHejH2jMcuh2c2odr+UNlbJNbZtC4ys
	bk1bCF85m/cUIt0cUCcuLbE0ZTx/zFba6y39mdY=
X-Google-Smtp-Source: ACHHUZ4SlcuH5zpwQYtLRnWpiMnoR0N2S1YoxqgpDBRZPqswO9CjUP9Fa3cVRk3VVXb+qCF9WfQiLMWwjc9y07UI9+8=
X-Received: by 2002:a2e:8ed0:0:b0:2ac:7e64:ef8 with SMTP id
 e16-20020a2e8ed0000000b002ac7e640ef8mr1263688ljl.16.1685697290135; Fri, 02
 Jun 2023 02:14:50 -0700 (PDT)
MIME-Version: 1.0
References: <20230313083016.136448-1-kraxel@redhat.com> <20230313083016.136448-2-kraxel@redhat.com>
 <SJ1PR11MB6227958F8645600B6F47F3C1C5B99@SJ1PR11MB6227.namprd11.prod.outlook.com>
 <20230314081612.7dze46duc3dn6wrw@sirius.home.kraxel.org> <CAMj1kXFqskVi-QApCA8qwhOV2wdvviX1cm8dyStgp9u6KZ+-aQ@mail.gmail.com>
 <MW4PR11MB5872DA8627C2702087C6C90E8C4EA@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <MW4PR11MB5872DA8627C2702087C6C90E8C4EA@MW4PR11MB5872.namprd11.prod.outlook.com>
From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Fri, 2 Jun 2023 11:14:38 +0200
X-Gmail-Original-Message-ID: <CAMj1kXHbg84VS30nX5Es_iHaaM=MdN6wTX9K1iCCgmjS+rCPBg@mail.gmail.com>
Message-ID: <CAMj1kXHbg84VS30nX5Es_iHaaM=MdN6wTX9K1iCCgmjS+rCPBg@mail.gmail.com>
Subject: Re: [edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to openssl-3.0.8
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>, "kraxel@redhat.com" <kraxel@redhat.com>, 
	"Li, Yi1" <yi1.li@intel.com>, "Wang, Jian J" <jian.j.wang@intel.com>, 
	Pawel Polawski <ppolawsk@redhat.com>, "Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>, 
	"Jiang, Guomin" <guomin.jiang@intel.com>, Oliver Steffen <osteffen@redhat.com>, 
	"Justen, Jordan L" <jordan.l.justen@intel.com>
Content-Type: text/plain; charset="UTF-8"

On Fri, 2 Jun 2023 at 04:53, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> Hi Ard
> Would you please take a look at https://github.com/tianocore/edk2-staging/tree/OpenSSL30, which is our current working version? If you have any idea, please propose patch.
>
> Also, could you please try that on ARM/AARCH64 platform to see if there is anything broken?
>
> I think those are important to make sure we have a working version for next stable tag.
>

Agreed.

With GCC5 and the tweak below [0], that branch builds OVMF/ArmVirtQemu
fine for me on {X64,AARCH64,ARM} x {DEBUG,RELEASE,NOOPT}.

I also built DeveloperBox.dsc and DeveloperBoxMm.dsc from
edk2-platforms without problems, with SECURE_BOOT_ENABLE and
TPM2_ENABLE both set.

Clang seemed to work fine as well, but the branch still uses CLANG3x
so we need to rebase this branch onto the latest stable tag first and
retest.

I did only a quick boot test to check whether secure boot verification
was working, but all seemed to work fine.

In any case, if we want to make the next stable tag, I think we should
move quickly, so that we have enough time to fix any issues that may
arise.



[0] first hunk is based on 7880536fe17c2b54 in openssl upstream

--- a/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h
+++ b/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h
@@ -177,7 +177,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c
b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
index c256f17667668866..a736dca8b73d27d5 100644
--- a/CryptoPkg/Library/OpensslLib/SslExtServNull.c
+++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
@@ -177,12 +177,6 @@ int tls_parse_ctos_early_data(SSL *s, PACKET
*pkt, unsigned int context,
     return 0;
 }

-static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
-                                                 SSL_SESSION **sess)
-{
-    return SSL_TICKET_NO_DECRYPT;
-}
-
 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
 {