Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

["Wang, Jian J" <jian.j.wang@intel.com>]

Laszlo,

You're right. I'll do more tests for secure boot. I'll leave https boot to you.

Regards,
Jian

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Saturday, November 02, 2019 6:03 AM
> To: Wang, Jian J <jian.j.wang@intel.com>; Zhang, Shenglei
> <shenglei.zhang@intel.com>; devel@edk2.groups.io
> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> 
> On 11/01/19 08:31, Wang, Jian J wrote:
> > Hi Laszlo,
> >
> > I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know
> if you have
> > any comments or want to do more tests against v4 before check in.
> >
> > Based on my review and tests,
> >    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> 
> I can get to this patch on next Monday (2019-Nov-04) the earliest. (Even
> today is a public holiday in my country, and I've only logged in now to
> quickly respond to Mike's email in another thread.) I had the v3 posting
> tagged earlier, and am learning of v4 only now.
> 
> I think the OpenSSL update should be tested with at least the following
> use cases:
> 
> - HTTPS boot
> - Secure Boot
> 
> Given that the HTTPS Boot CVE fix is also pending on the list, and that
> it was posted before the OpenSSL upgrade, and they both affect HTTPS
> Boot, I request that the OpenSSL upgrade be delayed until after the CVE
> fix is pushed. (I'll try to push the CVE fix this weekend, or next Monday.)
> 
> Thanks
> Laszlo
> 
> >> -----Original Message-----
> >> From: Zhang, Shenglei <shenglei.zhang@intel.com>
> >> Sent: Friday, November 01, 2019 2:56 PM
> >> To: devel@edk2.groups.io
> >> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> <xiaoyux.lu@intel.com>;
> >> Gao, Liming <liming.gao@intel.com>
> >> Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> >>
> >> Update openssl from 1.1.1b to 1.1.1d.
> >> Something needs to be noticed is that, there is a bug existing in the
> >> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> >> which causes build failure. So we switch the code base to a usable
> >> version, which is 2 commits later than the stable tag.
> >> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> >> This log is to fix the build failure.
> >> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> >>
> >> Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
> >> in OvmfPkg. So update process_files.pl to generate information from
> >> "crypto/include/internal/dso_conf.h.in".
> >>
> >> shm.h and utsname.h are added to avoid GCC build failure.
> >>
> >> Cc: Jian J Wang <jian.j.wang@intel.com>
> >> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> >> Cc: Liming Gao <liming.gao@intel.com>
> >> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> >> ---
> >> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
> >>     The removed header files could be auto-generated by process_files.pl now.
> >>
> >> v3: Add display information for dso_conf.h.
> >>
> >> v4: Add shm.h and utsname.h to avoid GCC build failure.
> >>
> >>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
> >>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
> >>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
> >>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
> >>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
> >>  5 files changed, 50 insertions(+), 2 deletions(-)
> >>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
> >>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
> >>
> >> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
> >> b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> index e69de29bb2d1..43c891588bc2 100644
> >> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
> >> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> @@ -0,0 +1,16 @@
> >> +/* WARNING: do not edit! */
> >> +/* Generated from crypto/include/internal/dso_conf.h.in */
> >> +/*
> >> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
> >> + *
> >> + * Licensed under the OpenSSL license (the "License").  You may not use
> >> + * this file except in compliance with the License.  You can obtain a copy
> >> + * in the file LICENSE in the source distribution or at
> >> + * https://www.openssl.org/source/license.html
> >> + */
> >> +
> >> +#ifndef HEADER_DSO_CONF_H
> >> +# define HEADER_DSO_CONF_H
> >> +# define DSO_NONE
> >> +# define DSO_EXTENSION ".so"
> >> +#endif
> >> diff --git a/CryptoPkg/Library/Include/sys/shm.h
> >> b/CryptoPkg/Library/Include/sys/shm.h
> >> new file mode 100644
> >> index 000000000000..dc0b8e81c8b0
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/shm.h
> >> @@ -0,0 +1,9 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
> >> b/CryptoPkg/Library/Include/sys/utsname.h
> >> new file mode 100644
> >> index 000000000000..75955b0a4eb6
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/utsname.h
> >> @@ -0,0 +1,10 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> +
> >> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> >> b/CryptoPkg/Library/OpensslLib/openssl
> >> index 50eaac9f3337..c3656cc594da 160000
> >> --- a/CryptoPkg/Library/OpensslLib/openssl
> >> +++ b/CryptoPkg/Library/OpensslLib/openssl
> >> @@ -1 +1 @@
> >> -Subproject commit 50eaac9f3337667259de725451f201e784599687
> >> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
> >> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> >> b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> index 4fe54cd808a5..dd93bd84da22 100755
> >> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> >> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> @@ -106,6 +106,14 @@ BEGIN {
> >>                  ) == 0 ||
> >>                      die "Failed to generate opensslconf.h!\n";
> >>
> >> +            # Generate dso_conf.h per config data
> >> +            system(
> >> +                "perl -I. -Mconfigdata util/dofile.pl " .
> >> +                "crypto/include/internal/dso_conf.h.in " .
> >> +                "> include/internal/dso_conf.h"
> >> +                ) == 0 ||
> >> +                    die "Failed to generate dso_conf.h!\n";
> >> +
> >>              chdir($basedir) ||
> >>                  die "Cannot change to base directory \"" . $basedir . "\"";
> >>
> >> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
> >>  print "Done!";
> >>
> >>  #
> >> -# Copy opensslconf.h generated from OpenSSL Configuration
> >> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL
> Configuration
> >>  #
> >>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
> >>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
> >>       $OPENSSL_PATH . "/../../Include/openssl/") ||
> >>     die "Cannot copy opensslconf.h!";
> >> +print "Done!";
> >> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
> >> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
> >> +     $OPENSSL_PATH . "/../../Include/internal/") ||
> >> +   die "Cannot copy dso_conf.h!";
> >>  print "Done!\n";
> >>
> >>  print "\nProcessing Files Done!\n";
> >> --
> >> 2.18.0.windows.1
> >