From: "Ard Biesheuvel"
Date: Fri, 2 Jun 2023 11:14:38 +0200
Subject: Re: [edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to openssl-3.0.8
To: "Yao, Jiewen"
Cc: "devel@edk2.groups.io", "kraxel@redhat.com", "Li, Yi1", "Wang, Jian J", Pawel Polawski, "Lu, Xiaoyu1", "Jiang, Guomin", Oliver Steffen, "Justen, Jordan L"

On Fri, 2 Jun 2023 at 04:53, Yao, Jiewen wrote:
>
> Hi Ard
> Would you please take a look at https://github.com/tianocore/edk2-staging/tree/OpenSSL30, which is our current working version? If you have any idea, please propose patch.
>
> Also, could you please try that on ARM/AARCH64 platform to see if there is anything broken?
>
> I think those are important to make sure we have a working version for next stable tag.
>

Agreed.

With GCC5 and the tweak below [0], that branch builds OVMF/ArmVirtQemu fine for me on {X64,AARCH64,ARM} x {DEBUG,RELEASE,NOOPT}.

I also built DeveloperBox.dsc and DeveloperBoxMm.dsc from edk2-platforms without problems, with SECURE_BOOT_ENABLE and TPM2_ENABLE both set.

Clang seemed to work fine as well, but the branch still uses CLANG3x so we need to rebase this branch onto the latest stable tag first and retest.

I did only a quick boot test to check whether secure boot verification was working, but all seemed to work fine.

In any case, if we want to make the next stable tag, I think we should move quickly, so that we have enough time to fix any issues that may arise.

[0] first hunk is based on 7880536fe17c2b54 in openssl upstream

--- a/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h +++ b/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h
@@ -177,7 +177,7 @@ typedef struct GENERAL_NAME_st { OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c index c256f17667668866..a736dca8b73d27d5 100644 --- a/CryptoPkg/Library/OpensslLib/SslExtServNull.c +++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c @@ -177,12 +177,6 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, return 0; } -static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick, - SSL_SESSION **sess) -{ - return SSL_TICKET_NO_DECRYPT; -} - int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) {
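Review bot: In the x509v3.h hunk, the x400Address type change is applied by hand to a header under OpensslGen/, so it only holds until that header is produced again from the submodule, and it changes the declaration without showing that the pinned openssl source treats the field as ASN1_STRING as well. Since the mail says the hunk is based on 7880536fe17c2b54 in openssl upstream, I would prefer regenerating the header from a submodule revision that contains that commit, and citing the commit in the commit message, over carrying a local edit to GENERAL_NAME_st.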
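Review bot: The SslExtServNull.c hunk removes the static stub tls_get_stateful_ticket() without a stated reason; the mail only gives a source for the first hunk. Please say in the commit message why the stub goes (for example, an unused static function diagnostic on one of the toolchains, if that is the cause) and confirm that nothing left in this file, including tls_parse_ctos_psk() directly below it, still refers to it on every target and build type listed above.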