Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

["Laszlo Ersek" <lersek@redhat.com>]

On 11/01/19 08:31, Wang, Jian J wrote:
> Hi Laszlo,
> 
> I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know if you have
> any comments or want to do more tests against v4 before check in.
> 
> Based on my review and tests,
>    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

I can get to this patch on next Monday (2019-Nov-04) the earliest. (Even
today is a public holiday in my country, and I've only logged in now to
quickly respond to Mike's email in another thread.) I had the v3 posting
tagged earlier, and am learning of v4 only now.

I think the OpenSSL update should be tested with at least the following
use cases:

- HTTPS boot
- Secure Boot

Given that the HTTPS Boot CVE fix is also pending on the list, and that
it was posted before the OpenSSL upgrade, and they both affect HTTPS
Boot, I request that the OpenSSL upgrade be delayed until after the CVE
fix is pushed. (I'll try to push the CVE fix this weekend, or next Monday.)

Thanks
Laszlo

>> -----Original Message-----
>> From: Zhang, Shenglei <shenglei.zhang@intel.com>
>> Sent: Friday, November 01, 2019 2:56 PM
>> To: devel@edk2.groups.io
>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
>> Gao, Liming <liming.gao@intel.com>
>> Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
>>
>> Update openssl from 1.1.1b to 1.1.1d.
>> Something needs to be noticed is that, there is a bug existing in the
>> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
>> which causes build failure. So we switch the code base to a usable
>> version, which is 2 commits later than the stable tag.
>> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
>> This log is to fix the build failure.
>> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
>>
>> Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
>> in OvmfPkg. So update process_files.pl to generate information from
>> "crypto/include/internal/dso_conf.h.in".
>>
>> shm.h and utsname.h are added to avoid GCC build failure.
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
>> ---
>> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
>>     The removed header files could be auto-generated by process_files.pl now.
>>
>> v3: Add display information for dso_conf.h.
>>
>> v4: Add shm.h and utsname.h to avoid GCC build failure.
>>
>>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
>>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
>>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
>>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
>>  5 files changed, 50 insertions(+), 2 deletions(-)
>>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
>>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
>>
>> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
>> b/CryptoPkg/Library/Include/internal/dso_conf.h
>> index e69de29bb2d1..43c891588bc2 100644
>> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
>> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
>> @@ -0,0 +1,16 @@
>> +/* WARNING: do not edit! */
>> +/* Generated from crypto/include/internal/dso_conf.h.in */
>> +/*
>> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
>> + *
>> + * Licensed under the OpenSSL license (the "License").  You may not use
>> + * this file except in compliance with the License.  You can obtain a copy
>> + * in the file LICENSE in the source distribution or at
>> + * https://www.openssl.org/source/license.html
>> + */
>> +
>> +#ifndef HEADER_DSO_CONF_H
>> +# define HEADER_DSO_CONF_H
>> +# define DSO_NONE
>> +# define DSO_EXTENSION ".so"
>> +#endif
>> diff --git a/CryptoPkg/Library/Include/sys/shm.h
>> b/CryptoPkg/Library/Include/sys/shm.h
>> new file mode 100644
>> index 000000000000..dc0b8e81c8b0
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/shm.h
>> @@ -0,0 +1,9 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
>> b/CryptoPkg/Library/Include/sys/utsname.h
>> new file mode 100644
>> index 000000000000..75955b0a4eb6
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/utsname.h
>> @@ -0,0 +1,10 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> +
>> diff --git a/CryptoPkg/Library/OpensslLib/openssl
>> b/CryptoPkg/Library/OpensslLib/openssl
>> index 50eaac9f3337..c3656cc594da 160000
>> --- a/CryptoPkg/Library/OpensslLib/openssl
>> +++ b/CryptoPkg/Library/OpensslLib/openssl
>> @@ -1 +1 @@
>> -Subproject commit 50eaac9f3337667259de725451f201e784599687
>> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
>> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
>> b/CryptoPkg/Library/OpensslLib/process_files.pl
>> index 4fe54cd808a5..dd93bd84da22 100755
>> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
>> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
>> @@ -106,6 +106,14 @@ BEGIN {
>>                  ) == 0 ||
>>                      die "Failed to generate opensslconf.h!\n";
>>
>> +            # Generate dso_conf.h per config data
>> +            system(
>> +                "perl -I. -Mconfigdata util/dofile.pl " .
>> +                "crypto/include/internal/dso_conf.h.in " .
>> +                "> include/internal/dso_conf.h"
>> +                ) == 0 ||
>> +                    die "Failed to generate dso_conf.h!\n";
>> +
>>              chdir($basedir) ||
>>                  die "Cannot change to base directory \"" . $basedir . "\"";
>>
>> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
>>  print "Done!";
>>
>>  #
>> -# Copy opensslconf.h generated from OpenSSL Configuration
>> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
>>  #
>>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
>>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
>>       $OPENSSL_PATH . "/../../Include/openssl/") ||
>>     die "Cannot copy opensslconf.h!";
>> +print "Done!";
>> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
>> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
>> +     $OPENSSL_PATH . "/../../Include/internal/") ||
>> +   die "Cannot copy dso_conf.h!";
>>  print "Done!\n";
>>
>>  print "\nProcessing Files Done!\n";
>> --
>> 2.18.0.windows.1
>