[edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k

Qin Long posted 1 patch 7 years, 1 month ago
There is a newer version of this series
CryptoPkg/CryptoPkg.dec                            |  4 ++--
...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26 +++++++++++-----------
CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++-----------
CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
7 files changed, 34 insertions(+), 39 deletions(-)
rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} (96%)
[edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
Posted by Qin Long 7 years, 1 month ago
OpenSSL 1.0.2k was released with several severity fixes on
26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
This patch upgrades the supported OpenSSL version in
CryptoPkg/OpensslLib to catch up with the latest release, 1.0.2k.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 CryptoPkg/CryptoPkg.dec                            |  4 ++--
 ...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26 +++++++++++-----------
 CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
 CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++-----------
 CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
 7 files changed, 34 insertions(+), 39 deletions(-)
 rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} (96%)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index eee26cbccc..27c832707a 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -4,7 +4,7 @@
 #  This Package provides cryptographic-related libraries for UEFI security modules.
 #  It also provides a test application to test libraries.
 #
-#  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -24,7 +24,7 @@
 
 [Includes]
   Include
-  Library/OpensslLib/openssl-1.0.2j/include
+  Library/OpensslLib/openssl-1.0.2k/include
 
 [LibraryClasses]
   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
index ecd13a9d5f..cc0ce6822e 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
@@ -1,8 +1,8 @@
 diff --git a/Configure b/Configure
-index c39f71a..98dd1d0 100755
+index 5da7cad..c2cc9c5 100755
 --- a/Configure
 +++ b/Configure
-@@ -609,6 +609,9 @@ my %table=(
+@@ -611,6 +611,9 @@ my %table=(
  # with itself, Applink is never engaged and can as well be omitted.
  "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-D_MT:MINGW64:-lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll.a",
  
@@ -12,7 +12,7 @@ index c39f71a..98dd1d0 100755
  # UWIN 
  "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
  
-@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
+@@ -1085,7 +1088,7 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
  	}
  
  if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
@@ -22,10 +22,10 @@ index c39f71a..98dd1d0 100755
  	$disabled{"gost"} = "forced";
  	}
 diff --git a/apps/apps.c b/apps/apps.c
-index 9fdc3e0..6c183b0 100644
+index c487bd9..64ade15 100644
 --- a/apps/apps.c
 +++ b/apps/apps.c
-@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
+@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
          flags |= X509_V_FLAG_PARTIAL_CHAIN;
      else if (!strcmp(arg, "-no_alt_chains"))
          flags |= X509_V_FLAG_NO_ALT_CHAINS;
@@ -254,7 +254,7 @@ index d5a5514..bede55c 100644
          goto err;
  
 diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
-index 1d25687..ad641c3 100644
+index 8177fd2..4dab3bb 100644
 --- a/crypto/bn/bn_prime.c
 +++ b/crypto/bn/bn_prime.c
 @@ -131,7 +131,7 @@
@@ -298,7 +298,7 @@ index 1d25687..ad641c3 100644
      if (ctx != NULL) {
          BN_CTX_end(ctx);
          BN_CTX_free(ctx);
-@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
      return 1;
  }
  
@@ -861,7 +861,7 @@ index 585aa8b..04c6cfc 100644
  /*
   * Borland C seems too stupid to be able to shift and do longs in the
 diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
-index 39ab793..ad1e350 100644
+index d258ef8..376f260 100644
 --- a/crypto/evp/evp.h
 +++ b/crypto/evp/evp.h
 @@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in);
@@ -1470,7 +1470,7 @@ index bbc3189..29695f9 100644
 +
 +#endif /* OPENSSL_NO_STDIO */
 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 8334b3f..d075f66 100644
+index b147201..5bf3f07 100644
 --- a/crypto/x509/x509_vfy.c
 +++ b/crypto/x509/x509_vfy.c
 @@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
@@ -1915,10 +1915,10 @@ index 499f0e8..5672f99 100644
              os.data = NULL;
              os.length = 0;
 diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
-index f48ebae..ac4f08c 100644
+index 1be6fb0..cbec97c 100644
 --- a/ssl/ssl_cert.c
 +++ b/ssl/ssl_cert.c
-@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
+@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
      return (add_client_CA(&(ctx->client_CA), x));
  }
  
@@ -1932,7 +1932,7 @@ index f48ebae..ac4f08c 100644
  /**
   * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
   * it doesn't really have anything to do with clients (except that a common use
-@@ -930,7 +930,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+@@ -928,7 +928,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
          ERR_clear_error();
      return (ret);
  }
@@ -1940,7 +1940,7 @@ index f48ebae..ac4f08c 100644
  
  /**
   * Add a file of certs to a stack.
-@@ -1050,6 +1049,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+@@ -1048,6 +1047,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
      CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
      return ret;
  }
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index 093414d4b8..e040cda259 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2j
+cd openssl-1.0.2k
 copy ..\opensslconf.h           crypto
 if not exist include\openssl mkdir include\openssl
 copy e_os2.h                    include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 7bd55f6ae3..40811e20a6 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-cd openssl-1.0.2j
+cd openssl-1.0.2k
 cp ../opensslconf.h           crypto
 mkdir -p                      include/openssl
 cp e_os2.h                    include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index c14e36d341..3acc397ace 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -1,7 +1,7 @@
 ## @file
 #  This module provides openSSL Library implementation.
 #
-#  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -20,7 +20,7 @@
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
-  DEFINE OPENSSL_PATH            = openssl-1.0.2j
+  DEFINE OPENSSL_PATH            = openssl-1.0.2k
   DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
@@ -516,6 +516,7 @@
   $(OPENSSL_PATH)/ssl/ssl_asn1.c
   $(OPENSSL_PATH)/ssl/ssl_txt.c
   $(OPENSSL_PATH)/ssl/ssl_algs.c
+  $(OPENSSL_PATH)/ssl/ssl_conf.c
   $(OPENSSL_PATH)/ssl/bio_ssl.c
   $(OPENSSL_PATH)/ssl/ssl_err.c
   $(OPENSSL_PATH)/ssl/kssl.c
@@ -550,7 +551,7 @@
   # C4702: Potentially uninitialized local variable name used
   # C4311: pointer truncation from 'type' to 'type'
   #
-  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4701 /wd4702 /wd4706
+  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4267 /wd4701 /wd4702 /wd4706
   MSFT:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305 /wd4306 /wd4702 /wd4706 /wd4311
   MSFT:*_*_IPF_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305 /wd4306 /wd4702 /wd4706
 
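Review bot: The added `/wd4267` on the `MSFT:*_*_IA32_CC_FLAGS` line turns off the size_t-narrowing warning for every OpenSSL source built for IA32, and nothing in the hunk records why 1.0.2k needs it there. The warning legend and the enclosing section both start above the hunk, so C4267 may already be listed; if it is not, add `# C4267: conversion from 'size_t' to 'type', possible loss of data` next to the C4702 and C4311 entries. Length truncation is a bug class worth keeping visible in certificate and record parsing code, so a short comment naming the file that triggers the warning would let the suppression be re-checked at the next OpenSSL upgrade.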
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index d7e3d9e875..8418802ac7 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
 ================================================================================
                                 OpenSSL-Version
 ================================================================================
-  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
-    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
+  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2k.
+    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
 
 
 ================================================================================
                       HOW to Install Openssl for UEFI Building
 ================================================================================
-1.  Download OpenSSL 1.0.2j from official website:
-    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
+1.  Download OpenSSL 1.0.2k from official website:
+    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
 
-    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2j.tar.tar.
-          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
-          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with ".tar.tar"
+    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2k.tar.tar.
+          When you do the download, rename the "openssl-1.0.2k.tar.tar" to
+          "openssl-1.0.2k.tar.gz" or rename the local downloaded file with ".tar.tar"
           extension to ".tar.gz".
 
-2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
+2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2k
 
     NOTE: If you use WinZip to unpack the openssl source in Windows, please
           uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
           Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
 
-3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation
+3.  Apply this patch: EDKII_openssl-1.0.2k.patch, and make installation
 
     For Windows Environment:
     ------------------------
     1) Make sure the patch utility has been installed in your machine.
        Install Cygwin or get the patch utility binary from
           http://gnuwin32.sourceforge.net/packages/patch.htm
-    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
-    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
+    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2k
+    3) patch -p1 -i ..\EDKII_openssl-1.0.2k.patch
     4) cd ..
     5) Install.cmd
 
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
     -----------------------
     1) Make sure the patch utility has been installed in your machine.
        Patch utility is available from http://directory.fsf.org/project/patch/
-    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
-    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
+    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2k
+    3) patch -p1 -i ../EDKII_openssl-1.0.2k.patch
     4) cd ..
     5) ./Install.sh
 
diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library/OpensslLib/opensslconf.h
index adcaa01d6b..e0054a45fc 100644
--- a/CryptoPkg/Library/OpensslLib/opensslconf.h
+++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
@@ -92,9 +92,6 @@ extern "C" {
 #ifndef OPENSSL_NO_POSIX_IO
 # define OPENSSL_NO_POSIX_IO
 #endif
-#ifndef OPENSSL_NO_PQUEUE
-# define OPENSSL_NO_PQUEUE
-#endif
 #ifndef OPENSSL_NO_RC2
 # define OPENSSL_NO_RC2
 #endif
@@ -263,9 +260,6 @@ extern "C" {
 # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)
 #  define NO_POSIX_IO
 # endif
-# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE)
-#  define NO_PQUEUE
-# endif
 # if defined(OPENSSL_NO_RC2) && !defined(NO_RC2)
 #  define NO_RC2
 # endif
-- 
2.11.1.windows.1

Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
Posted by Long, Qin 7 years, 1 month ago
Laszlo,

This upgrade may have some conflicts with your last patch series. They could be resolved/merged easily.
It will be better to have your validations based on this new openssl version. 

(And I just noticed two changes (ssl_conf.c & NO_PQUEUE) were duplicated in this patch.)


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Long, Qin
> Sent: Friday, February 24, 2017 9:39 PM
> To: edk2-devel@lists.01.org; Long, Qin <qin.long@intel.com>
> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
> lersek@redhat.com
> Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
> 
> OpenSSL 1.0.2k was released with several severity fixes at
> 26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
> This patch is to upgrade the supported OpenSSL version in
> CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dec                            |  4 ++--
>  ...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26 +++++++++++----------
> -
>  CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
>  CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++------
> -----
>  CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
>  7 files changed, 34 insertions(+), 39 deletions(-)  rename
> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch => EDKII_openssl-
> 1.0.2k.patch} (96%)
> 
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index
> eee26cbccc..27c832707a 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -4,7 +4,7 @@
>  #  This Package provides cryptographic-related libraries for UEFI security
> modules.
>  #  It also provides a test application to test libraries.
>  #
> -#  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2017, Intel Corporation. All rights
> +reserved.<BR>
>  #  This program and the accompanying materials  #  are licensed and made
> available under the terms and conditions of the BSD License  #  which
> accompanies this distribution.  The full text of the license may be found at
> @@ -24,7 +24,7 @@
> 
>  [Includes]
>    Include
> -  Library/OpensslLib/openssl-1.0.2j/include
> +  Library/OpensslLib/openssl-1.0.2k/include
> 
>  [LibraryClasses]
>    ##  @libraryclass  Provides basic library functions for cryptographic
> primitives.
> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> similarity index 96%
> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> index ecd13a9d5f..cc0ce6822e 100644
> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> @@ -1,8 +1,8 @@
>  diff --git a/Configure b/Configure
> -index c39f71a..98dd1d0 100755
> +index 5da7cad..c2cc9c5 100755
>  --- a/Configure
>  +++ b/Configure
> -@@ -609,6 +609,9 @@ my %table=(
> +@@ -611,6 +611,9 @@ my %table=(
>   # with itself, Applink is never engaged and can as well be omitted.
>   "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -
> DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-D_MT:MINGW64:-
> lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT
> EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-
> D_WINDLL:-mno-cygwin:.dll.a",
> 
> @@ -12,7 +12,7 @@ index c39f71a..98dd1d0 100755
>   # UWIN
>   "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG
> ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
> 
> -@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) ||
> defined($disabled{"sha"})
> +@@ -1085,7 +1088,7 @@ if (defined($disabled{"md5"}) ||
> +defined($disabled{"sha"})
>   	}
> 
>   if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) @@ -22,10 +22,10
> @@ index c39f71a..98dd1d0 100755
>   	$disabled{"gost"} = "forced";
>   	}
>  diff --git a/apps/apps.c b/apps/apps.c
> -index 9fdc3e0..6c183b0 100644
> +index c487bd9..64ade15 100644
>  --- a/apps/apps.c
>  +++ b/apps/apps.c
> -@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
> +@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
>           flags |= X509_V_FLAG_PARTIAL_CHAIN;
>       else if (!strcmp(arg, "-no_alt_chains"))
>           flags |= X509_V_FLAG_NO_ALT_CHAINS; @@ -254,7 +254,7 @@ index
> d5a5514..bede55c 100644
>           goto err;
> 
>  diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index
> 1d25687..ad641c3 100644
> +index 8177fd2..4dab3bb 100644
>  --- a/crypto/bn/bn_prime.c
>  +++ b/crypto/bn/bn_prime.c
>  @@ -131,7 +131,7 @@
> @@ -298,7 +298,7 @@ index 1d25687..ad641c3 100644
>       if (ctx != NULL) {
>           BN_CTX_end(ctx);
>           BN_CTX_free(ctx);
> -@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM *a,
> const BIGNUM *a1,
> +@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM *a,
> +const BIGNUM *a1,
>       return 1;
>   }
> 
> @@ -861,7 +861,7 @@ index 585aa8b..04c6cfc 100644
>   /*
>    * Borland C seems too stupid to be able to shift and do longs in the  diff --git
> a/crypto/evp/evp.h b/crypto/evp/evp.h -index 39ab793..ad1e350 100644
> +index d258ef8..376f260 100644
>  --- a/crypto/evp/evp.h
>  +++ b/crypto/evp/evp.h
>  @@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const
> EVP_MD_CTX *in); @@ -1470,7 +1470,7 @@ index bbc3189..29695f9 100644
> +  +#endif /* OPENSSL_NO_STDIO */  diff --git a/crypto/x509/x509_vfy.c
> b/crypto/x509/x509_vfy.c -index 8334b3f..d075f66 100644
> +index b147201..5bf3f07 100644
>  --- a/crypto/x509/x509_vfy.c
>  +++ b/crypto/x509/x509_vfy.c
>  @@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx,
> X509_CRL *crl, int notify) @@ -1915,10 +1915,10 @@ index 499f0e8..5672f99
> 100644
>               os.data = NULL;
>               os.length = 0;
>  diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c -index f48ebae..ac4f08c 100644
> +index 1be6fb0..cbec97c 100644
>  --- a/ssl/ssl_cert.c
>  +++ b/ssl/ssl_cert.c
> -@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
> +@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
>       return (add_client_CA(&(ctx->client_CA), x));
>   }
> 
> @@ -1932,7 +1932,7 @@ index f48ebae..ac4f08c 100644
>   /**
>    * Load CA certs from a file into a ::STACK. Note that it is somewhat
> misnamed;
>    * it doesn't really have anything to do with clients (except that a common
> use -@@ -930,7 +930,6 @@ STACK_OF(X509_NAME)
> *SSL_load_client_CA_file(const char *file)
> +@@ -928,7 +928,6 @@ STACK_OF(X509_NAME)
> *SSL_load_client_CA_file(const
> +char *file)
>           ERR_clear_error();
>       return (ret);
>   }
> @@ -1940,7 +1940,7 @@ index f48ebae..ac4f08c 100644
> 
>   /**
>    * Add a file of certs to a stack.
> -@@ -1050,6 +1049,7 @@ int
> SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
> +@@ -1048,6 +1047,7 @@ int
> +SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
>       CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
>       return ret;
>   }
> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
> b/CryptoPkg/Library/OpensslLib/Install.cmd
> index 093414d4b8..e040cda259 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
> @@ -1,4 +1,4 @@
> -cd openssl-1.0.2j
> +cd openssl-1.0.2k
>  copy ..\opensslconf.h           crypto
>  if not exist include\openssl mkdir include\openssl
>  copy e_os2.h                    include\openssl
> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
> b/CryptoPkg/Library/OpensslLib/Install.sh
> index 7bd55f6ae3..40811e20a6 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.sh
> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
> @@ -1,6 +1,6 @@
>  #!/bin/sh
> 
> -cd openssl-1.0.2j
> +cd openssl-1.0.2k
>  cp ../opensslconf.h           crypto
>  mkdir -p                      include/openssl
>  cp e_os2.h                    include/openssl
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index c14e36d341..3acc397ace 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -1,7 +1,7 @@
>  ## @file
>  #  This module provides openSSL Library implementation.
>  #
> -#  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2010 - 2017, Intel Corporation. All rights
> +reserved.<BR>
>  #  This program and the accompanying materials  #  are licensed and made
> available under the terms and conditions of the BSD License  #  which
> accompanies this distribution.  The full text of the license may be found at
> @@ -20,7 +20,7 @@
>    MODULE_TYPE                    = BASE
>    VERSION_STRING                 = 1.0
>    LIBRARY_CLASS                  = OpensslLib
> -  DEFINE OPENSSL_PATH            = openssl-1.0.2j
> +  DEFINE OPENSSL_PATH            = openssl-1.0.2k
>    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -
> DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -
> D_CRT_NONSTDC_NO_DEPRECATE
> 
>  #
> @@ -516,6 +516,7 @@
>    $(OPENSSL_PATH)/ssl/ssl_asn1.c
>    $(OPENSSL_PATH)/ssl/ssl_txt.c
>    $(OPENSSL_PATH)/ssl/ssl_algs.c
> +  $(OPENSSL_PATH)/ssl/ssl_conf.c
>    $(OPENSSL_PATH)/ssl/bio_ssl.c
>    $(OPENSSL_PATH)/ssl/ssl_err.c
>    $(OPENSSL_PATH)/ssl/kssl.c
> @@ -550,7 +551,7 @@
>    # C4702: Potentially uninitialized local variable name used
>    # C4311: pointer truncation from 'type' to 'type'
>    #
> -  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4701 /wd4702 /wd4706
> +  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4267 /wd4701 /wd4702 /wd4706
>    MSFT:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305
> /wd4306 /wd4702 /wd4706 /wd4311
>    MSFT:*_*_IPF_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305
> /wd4306 /wd4702 /wd4706
> 
> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> index d7e3d9e875..8418802ac7 100644
> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building
> under UEFI environment.
> 
> ==========================================================
> ======================
>                                  OpenSSL-Version
> ==========================================================
> ======================
> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2k.
> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
> 
> 
> 
> ==========================================================
> ======================
>                        HOW to Install Openssl for UEFI Building
> ==========================================================
> ======================
> -1.  Download OpenSSL 1.0.2j from official website:
> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
> +1.  Download OpenSSL 1.0.2k from official website:
> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
> 
> -    NOTE: Some web browsers may rename the downloaded TAR file to
> openssl-1.0.2j.tar.tar.
> -          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
> -          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with
> ".tar.tar"
> +    NOTE: Some web browsers may rename the downloaded TAR file to
> openssl-1.0.2k.tar.tar.
> +          When you do the download, rename the "openssl-1.0.2k.tar.tar" to
> +          "openssl-1.0.2k.tar.gz" or rename the local downloaded file with
> ".tar.tar"
>            extension to ".tar.gz".
> 
> -2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
> +2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2k
> 
>      NOTE: If you use WinZip to unpack the openssl source in Windows, please
>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
>            Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
> 
> -3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation
> +3.  Apply this patch: EDKII_openssl-1.0.2k.patch, and make installation
> 
>      For Windows Environment:
>      ------------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Install Cygwin or get the patch utility binary from
>            http://gnuwin32.sourceforge.net/packages/patch.htm
> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
> -    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2k
> +    3) patch -p1 -i ..\EDKII_openssl-1.0.2k.patch
>      4) cd ..
>      5) Install.cmd
> 
> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building
> under UEFI environment.
>      -----------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Patch utility is available from http://directory.fsf.org/project/patch/
> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
> -    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2k
> +    3) patch -p1 -i ../EDKII_openssl-1.0.2k.patch
>      4) cd ..
>      5) ./Install.sh
> 
> diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h
> b/CryptoPkg/Library/OpensslLib/opensslconf.h
> index adcaa01d6b..e0054a45fc 100644
> --- a/CryptoPkg/Library/OpensslLib/opensslconf.h
> +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
> @@ -92,9 +92,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_POSIX_IO
>  # define OPENSSL_NO_POSIX_IO
>  #endif
> -#ifndef OPENSSL_NO_PQUEUE
> -# define OPENSSL_NO_PQUEUE
> -#endif
>  #ifndef OPENSSL_NO_RC2
>  # define OPENSSL_NO_RC2
>  #endif
> @@ -263,9 +260,6 @@ extern "C" {
>  # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)  #  define
> NO_POSIX_IO  # endif -# if defined(OPENSSL_NO_PQUEUE)
> && !defined(NO_PQUEUE) -#  define NO_PQUEUE -# endif  # if
> defined(OPENSSL_NO_RC2) && !defined(NO_RC2)  #  define NO_RC2  #
> endif
> --
> 2.11.1.windows.1

Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
Posted by Laszlo Ersek 7 years, 1 month ago
On 02/24/17 14:52, Long, Qin wrote:
> Laszlo,
> 
> This upgrade may have some conflicts with your last patch series. It could be resolved /merged easily.
> It will be better to have your validations based on this new openssl version. 

Why will it be better?

> (And I just noticed two changes (ssl_conf.c & NO_PQUEUE) were duplicated in this patch.)

Well, technically, I posted those patches first (two versions,
actually), and they are mostly reviewed by now (thanks to you as well).
So I think they should go in first, and this is the patch that should be
rebased.

Patches that are already on the list (and are ready to be merged
especially) should not be pre-empted by more recently posted patches
(especially if they still need review and/or testing).

Thanks,
Laszlo

> 
> 
> Best Regards & Thanks,
> LONG, Qin
> 
>> -----Original Message-----
>> From: Long, Qin
>> Sent: Friday, February 24, 2017 9:39 PM
>> To: edk2-devel@lists.01.org; Long, Qin <qin.long@intel.com>
>> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
>> lersek@redhat.com
>> Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
>>
>> OpenSSL 1.0.2k was released with several severity fixes at
>> 26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
>> This patch is to upgrade the supported OpenSSL version in
>> CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
>>
>> Cc: Ye Ting <ting.ye@intel.com>
>> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Qin Long <qin.long@intel.com>
>> ---
>>  CryptoPkg/CryptoPkg.dec                            |  4 ++--
>>  ...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26 +++++++++++----------
>> -
>>  CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
>>  CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++------
>> -----
>>  CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
>>  7 files changed, 34 insertions(+), 39 deletions(-)  rename
>> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch => EDKII_openssl-
>> 1.0.2k.patch} (96%)
>>
>> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index
>> eee26cbccc..27c832707a 100644
>> --- a/CryptoPkg/CryptoPkg.dec
>> +++ b/CryptoPkg/CryptoPkg.dec
>> @@ -4,7 +4,7 @@
>>  #  This Package provides cryptographic-related libraries for UEFI security
>> modules.
>>  #  It also provides a test application to test libraries.
>>  #
>> -#  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
>> +#  Copyright (c) 2009 - 2017, Intel Corporation. All rights
>> +reserved.<BR>
>>  #  This program and the accompanying materials  #  are licensed and made
>> available under the terms and conditions of the BSD License  #  which
>> accompanies this distribution.  The full text of the license may be found at
>> @@ -24,7 +24,7 @@
>>
>>  [Includes]
>>    Include
>> -  Library/OpensslLib/openssl-1.0.2j/include
>> +  Library/OpensslLib/openssl-1.0.2k/include
>>
>>  [LibraryClasses]
>>    ##  @libraryclass  Provides basic library functions for cryptographic
>> primitives.
>> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>> similarity index 96%
>> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>> index ecd13a9d5f..cc0ce6822e 100644
>> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>> @@ -1,8 +1,8 @@
>>  diff --git a/Configure b/Configure
>> -index c39f71a..98dd1d0 100755
>> +index 5da7cad..c2cc9c5 100755
>>  --- a/Configure
>>  +++ b/Configure
>> -@@ -609,6 +609,9 @@ my %table=(
>> +@@ -611,6 +611,9 @@ my %table=(
>>   # with itself, Applink is never engaged and can as well be omitted.
>>   "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -
>> DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-D_MT:MINGW64:-
>> lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT
>> EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-
>> D_WINDLL:-mno-cygwin:.dll.a",
>>
>> @@ -12,7 +12,7 @@ index c39f71a..98dd1d0 100755
>>   # UWIN
>>   "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG
>> ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
>>
>> -@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) ||
>> defined($disabled{"sha"})
>> +@@ -1085,7 +1088,7 @@ if (defined($disabled{"md5"}) ||
>> +defined($disabled{"sha"})
>>   	}
>>
>>   if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) @@ -22,10 +22,10
>> @@ index c39f71a..98dd1d0 100755
>>   	$disabled{"gost"} = "forced";
>>   	}
>>  diff --git a/apps/apps.c b/apps/apps.c
>> -index 9fdc3e0..6c183b0 100644
>> +index c487bd9..64ade15 100644
>>  --- a/apps/apps.c
>>  +++ b/apps/apps.c
>> -@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
>> +@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
>>           flags |= X509_V_FLAG_PARTIAL_CHAIN;
>>       else if (!strcmp(arg, "-no_alt_chains"))
>>           flags |= X509_V_FLAG_NO_ALT_CHAINS; @@ -254,7 +254,7 @@ index
>> d5a5514..bede55c 100644
>>           goto err;
>>
>>  diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index
>> 1d25687..ad641c3 100644
>> +index 8177fd2..4dab3bb 100644
>>  --- a/crypto/bn/bn_prime.c
>>  +++ b/crypto/bn/bn_prime.c
>>  @@ -131,7 +131,7 @@
>> @@ -298,7 +298,7 @@ index 1d25687..ad641c3 100644
>>       if (ctx != NULL) {
>>           BN_CTX_end(ctx);
>>           BN_CTX_free(ctx);
>> -@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM *a,
>> const BIGNUM *a1,
>> +@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM *a,
>> +const BIGNUM *a1,
>>       return 1;
>>   }
>>
>> @@ -861,7 +861,7 @@ index 585aa8b..04c6cfc 100644
>>   /*
>>    * Borland C seems too stupid to be able to shift and do longs in the  diff --git
>> a/crypto/evp/evp.h b/crypto/evp/evp.h -index 39ab793..ad1e350 100644
>> +index d258ef8..376f260 100644
>>  --- a/crypto/evp/evp.h
>>  +++ b/crypto/evp/evp.h
>>  @@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const
>> EVP_MD_CTX *in); @@ -1470,7 +1470,7 @@ index bbc3189..29695f9 100644
>> +  +#endif /* OPENSSL_NO_STDIO */  diff --git a/crypto/x509/x509_vfy.c
>> b/crypto/x509/x509_vfy.c -index 8334b3f..d075f66 100644
>> +index b147201..5bf3f07 100644
>>  --- a/crypto/x509/x509_vfy.c
>>  +++ b/crypto/x509/x509_vfy.c
>>  @@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx,
>> X509_CRL *crl, int notify) @@ -1915,10 +1915,10 @@ index 499f0e8..5672f99
>> 100644
>>               os.data = NULL;
>>               os.length = 0;
>>  diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c -index f48ebae..ac4f08c 100644
>> +index 1be6fb0..cbec97c 100644
>>  --- a/ssl/ssl_cert.c
>>  +++ b/ssl/ssl_cert.c
>> -@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
>> +@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
>>       return (add_client_CA(&(ctx->client_CA), x));
>>   }
>>
>> @@ -1932,7 +1932,7 @@ index f48ebae..ac4f08c 100644
>>   /**
>>    * Load CA certs from a file into a ::STACK. Note that it is somewhat
>> misnamed;
>>    * it doesn't really have anything to do with clients (except that a common
>> use -@@ -930,7 +930,6 @@ STACK_OF(X509_NAME)
>> *SSL_load_client_CA_file(const char *file)
>> +@@ -928,7 +928,6 @@ STACK_OF(X509_NAME)
>> *SSL_load_client_CA_file(const
>> +char *file)
>>           ERR_clear_error();
>>       return (ret);
>>   }
>> @@ -1940,7 +1940,7 @@ index f48ebae..ac4f08c 100644
>>
>>   /**
>>    * Add a file of certs to a stack.
>> -@@ -1050,6 +1049,7 @@ int
>> SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
>> +@@ -1048,6 +1047,7 @@ int
>> +SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
>>       CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
>>       return ret;
>>   }
>> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
>> b/CryptoPkg/Library/OpensslLib/Install.cmd
>> index 093414d4b8..e040cda259 100755
>> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
>> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
>> @@ -1,4 +1,4 @@
>> -cd openssl-1.0.2j
>> +cd openssl-1.0.2k
>>  copy ..\opensslconf.h           crypto
>>  if not exist include\openssl mkdir include\openssl
>>  copy e_os2.h                    include\openssl
>> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
>> b/CryptoPkg/Library/OpensslLib/Install.sh
>> index 7bd55f6ae3..40811e20a6 100755
>> --- a/CryptoPkg/Library/OpensslLib/Install.sh
>> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
>> @@ -1,6 +1,6 @@
>>  #!/bin/sh
>>
>> -cd openssl-1.0.2j
>> +cd openssl-1.0.2k
>>  cp ../opensslconf.h           crypto
>>  mkdir -p                      include/openssl
>>  cp e_os2.h                    include/openssl
>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> index c14e36d341..3acc397ace 100644
>> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> @@ -1,7 +1,7 @@
>>  ## @file
>>  #  This module provides openSSL Library implementation.
>>  #
>> -#  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
>> +#  Copyright (c) 2010 - 2017, Intel Corporation. All rights
>> +reserved.<BR>
>>  #  This program and the accompanying materials  #  are licensed and made
>> available under the terms and conditions of the BSD License  #  which
>> accompanies this distribution.  The full text of the license may be found at
>> @@ -20,7 +20,7 @@
>>    MODULE_TYPE                    = BASE
>>    VERSION_STRING                 = 1.0
>>    LIBRARY_CLASS                  = OpensslLib
>> -  DEFINE OPENSSL_PATH            = openssl-1.0.2j
>> +  DEFINE OPENSSL_PATH            = openssl-1.0.2k
>>    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -
>> DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -
>> D_CRT_NONSTDC_NO_DEPRECATE
>>
>>  #
>> @@ -516,6 +516,7 @@
>>    $(OPENSSL_PATH)/ssl/ssl_asn1.c
>>    $(OPENSSL_PATH)/ssl/ssl_txt.c
>>    $(OPENSSL_PATH)/ssl/ssl_algs.c
>> +  $(OPENSSL_PATH)/ssl/ssl_conf.c
>>    $(OPENSSL_PATH)/ssl/bio_ssl.c
>>    $(OPENSSL_PATH)/ssl/ssl_err.c
>>    $(OPENSSL_PATH)/ssl/kssl.c
>> @@ -550,7 +551,7 @@
>>    # C4702: Potentially uninitialized local variable name used
>>    # C4311: pointer truncation from 'type' to 'type'
>>    #
>> -  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
>> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4701 /wd4702 /wd4706
>> +  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
>> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4267 /wd4701 /wd4702 /wd4706
>>    MSFT:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
>> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305
>> /wd4306 /wd4702 /wd4706 /wd4311
>>    MSFT:*_*_IPF_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
>> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305
>> /wd4306 /wd4702 /wd4706
>>
>> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>> index d7e3d9e875..8418802ac7 100644
>> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building
>> under UEFI environment.
>>
>> ==========================================================
>> ======================
>>                                  OpenSSL-Version
>> ==========================================================
>> ======================
>> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
>> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
>> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2k.
>> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
>>
>>
>>
>> ==========================================================
>> ======================
>>                        HOW to Install Openssl for UEFI Building
>> ==========================================================
>> ======================
>> -1.  Download OpenSSL 1.0.2j from official website:
>> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
>> +1.  Download OpenSSL 1.0.2k from official website:
>> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
>>
>> -    NOTE: Some web browsers may rename the downloaded TAR file to
>> openssl-1.0.2j.tar.tar.
>> -          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
>> -          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with
>> ".tar.tar"
>> +    NOTE: Some web browsers may rename the downloaded TAR file to
>> openssl-1.0.2k.tar.tar.
>> +          When you do the download, rename the "openssl-1.0.2k.tar.tar" to
>> +          "openssl-1.0.2k.tar.gz" or rename the local downloaded file with
>> ".tar.tar"
>>            extension to ".tar.gz".
>>
>> -2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
>> +2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2k
>>
>>      NOTE: If you use WinZip to unpack the openssl source in Windows, please
>>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
>>            Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
>>
>> -3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make installation
>> +3.  Apply this patch: EDKII_openssl-1.0.2k.patch, and make installation
>>
>>      For Windows Environment:
>>      ------------------------
>>      1) Make sure the patch utility has been installed in your machine.
>>         Install Cygwin or get the patch utility binary from
>>            http://gnuwin32.sourceforge.net/packages/patch.htm
>> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
>> -    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
>> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2k
>> +    3) patch -p1 -i ..\EDKII_openssl-1.0.2k.patch
>>      4) cd ..
>>      5) Install.cmd
>>
>> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building
>> under UEFI environment.
>>      -----------------------
>>      1) Make sure the patch utility has been installed in your machine.
>>         Patch utility is available from http://directory.fsf.org/project/patch/
>> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
>> -    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
>> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2k
>> +    3) patch -p1 -i ../EDKII_openssl-1.0.2k.patch
>>      4) cd ..
>>      5) ./Install.sh
>>
>> diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h
>> b/CryptoPkg/Library/OpensslLib/opensslconf.h
>> index adcaa01d6b..e0054a45fc 100644
>> --- a/CryptoPkg/Library/OpensslLib/opensslconf.h
>> +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
>> @@ -92,9 +92,6 @@ extern "C" {
>>  #ifndef OPENSSL_NO_POSIX_IO
>>  # define OPENSSL_NO_POSIX_IO
>>  #endif
>> -#ifndef OPENSSL_NO_PQUEUE
>> -# define OPENSSL_NO_PQUEUE
>> -#endif
>>  #ifndef OPENSSL_NO_RC2
>>  # define OPENSSL_NO_RC2
>>  #endif
>> @@ -263,9 +260,6 @@ extern "C" {
>>  # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)  #  define
>> NO_POSIX_IO  # endif -# if defined(OPENSSL_NO_PQUEUE)
>> && !defined(NO_PQUEUE) -#  define NO_PQUEUE -# endif  # if
>> defined(OPENSSL_NO_RC2) && !defined(NO_RC2)  #  define NO_RC2  #
>> endif
>> --
>> 2.11.1.windows.1
> 

Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
Posted by Long, Qin 7 years, 1 month ago
> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Saturday, February 25, 2017 7:29 AM
> To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org <edk2-
> devel@ml01.01.org>
> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to
> 1.0.2k
> 
> On 02/24/17 14:52, Long, Qin wrote:
> > Laszlo,
> >
> > This upgrade may have some conflicts with your last patch series. It could
> be resolved /merged easily.
> > It will be better to have your validations based on this new openssl version.
> 
> Why will it be better?

Never mind. This was not an attempt to get an earlier integration.
It was just in case you would like to pick up a more recent openssl release before
any deadline you mentioned. :-)
I will create the new patch after your patch is done.

> 
> > (And I just noticed two changes (ssl_conf.c & NO_PQUEUE) were
> > duplicated in this patch.)
> 
> Well, technically, I posted those patches first (two versions, actually), and
> they are mostly reviewed by now (thanks to you as well).
> So I think they should go in first, and this is the patch that should be rebased.
> 
> Patches that are already on the list (and are ready to be merged
> especially) should not be pre-empted by more recently posted patches
> (especially if they still need review and/or testing).

Of cause.
The duplication part was generated by my mistake. I will submit the V2.

> 
> Thanks,
> Laszlo
> 
> >
> >
> > Best Regards & Thanks,
> > LONG, Qin
> >
> >> -----Original Message-----
> >> From: Long, Qin
> >> Sent: Friday, February 24, 2017 9:39 PM
> >> To: edk2-devel@lists.01.org; Long, Qin <qin.long@intel.com>
> >> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
> >> lersek@redhat.com
> >> Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to
> >> 1.0.2k
> >>
> >> OpenSSL 1.0.2k was released with several severity fixes at
> >> 26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
> >> This patch is to upgrade the supported OpenSSL version in
> >> CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
> >>
> >> Cc: Ye Ting <ting.ye@intel.com>
> >> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> >> Cc: Laszlo Ersek <lersek@redhat.com>
> >> Contributed-under: TianoCore Contribution Agreement 1.0
> >> Signed-off-by: Qin Long <qin.long@intel.com>
> >> ---
> >>  CryptoPkg/CryptoPkg.dec                            |  4 ++--
> >>  ...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26
> >> +++++++++++----------
> >> -
> >>  CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
> >>  CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
> >>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
> >>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++---
> ---
> >> -----
> >>  CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
> >>  7 files changed, 34 insertions(+), 39 deletions(-)  rename
> >> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch =>
> >> EDKII_openssl- 1.0.2k.patch} (96%)
> >>
> >> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index
> >> eee26cbccc..27c832707a 100644
> >> --- a/CryptoPkg/CryptoPkg.dec
> >> +++ b/CryptoPkg/CryptoPkg.dec
> >> @@ -4,7 +4,7 @@
> >>  #  This Package provides cryptographic-related libraries for UEFI
> >> security modules.
> >>  #  It also provides a test application to test libraries.
> >>  #
> >> -#  Copyright (c) 2009 - 2016, Intel Corporation. All rights
> >> reserved.<BR>
> >> +#  Copyright (c) 2009 - 2017, Intel Corporation. All rights
> >> +reserved.<BR>
> >>  #  This program and the accompanying materials  #  are licensed and
> >> made available under the terms and conditions of the BSD License  #
> >> which accompanies this distribution.  The full text of the license
> >> may be found at @@ -24,7 +24,7 @@
> >>
> >>  [Includes]
> >>    Include
> >> -  Library/OpensslLib/openssl-1.0.2j/include
> >> +  Library/OpensslLib/openssl-1.0.2k/include
> >>
> >>  [LibraryClasses]
> >>    ##  @libraryclass  Provides basic library functions for
> >> cryptographic primitives.
> >> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> >> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> >> similarity index 96%
> >> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> >> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> >> index ecd13a9d5f..cc0ce6822e 100644
> >> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
> >> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
> >> @@ -1,8 +1,8 @@
> >>  diff --git a/Configure b/Configure
> >> -index c39f71a..98dd1d0 100755
> >> +index 5da7cad..c2cc9c5 100755
> >>  --- a/Configure
> >>  +++ b/Configure
> >> -@@ -609,6 +609,9 @@ my %table=(
> >> +@@ -611,6 +611,9 @@ my %table=(
> >>   # with itself, Applink is never engaged and can as well be omitted.
> >>   "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -
> >> DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-
> D_MT:MINGW64:-
> >> lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT
> >> EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-
> >> D_WINDLL:-mno-cygwin:.dll.a",
> >>
> >> @@ -12,7 +12,7 @@ index c39f71a..98dd1d0 100755
> >>   # UWIN
> >>   "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG
> >> ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
> >>
> >> -@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) ||
> >> defined($disabled{"sha"})
> >> +@@ -1085,7 +1088,7 @@ if (defined($disabled{"md5"}) ||
> >> +defined($disabled{"sha"})
> >>   	}
> >>
> >>   if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) @@ -22,10
> >> +22,10 @@ index c39f71a..98dd1d0 100755
> >>   	$disabled{"gost"} = "forced";
> >>   	}
> >>  diff --git a/apps/apps.c b/apps/apps.c -index 9fdc3e0..6c183b0
> >> 100644
> >> +index c487bd9..64ade15 100644
> >>  --- a/apps/apps.c
> >>  +++ b/apps/apps.c
> >> -@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
> >> +@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
> >>           flags |= X509_V_FLAG_PARTIAL_CHAIN;
> >>       else if (!strcmp(arg, "-no_alt_chains"))
> >>           flags |= X509_V_FLAG_NO_ALT_CHAINS; @@ -254,7 +254,7 @@
> >> index d5a5514..bede55c 100644
> >>           goto err;
> >>
> >>  diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index
> >> 1d25687..ad641c3 100644
> >> +index 8177fd2..4dab3bb 100644
> >>  --- a/crypto/bn/bn_prime.c
> >>  +++ b/crypto/bn/bn_prime.c
> >>  @@ -131,7 +131,7 @@
> >> @@ -298,7 +298,7 @@ index 1d25687..ad641c3 100644
> >>       if (ctx != NULL) {
> >>           BN_CTX_end(ctx);
> >>           BN_CTX_free(ctx);
> >> -@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM
> *a,
> >> const BIGNUM *a1,
> >> +@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM
> *a,
> >> +const BIGNUM *a1,
> >>       return 1;
> >>   }
> >>
> >> @@ -861,7 +861,7 @@ index 585aa8b..04c6cfc 100644
> >>   /*
> >>    * Borland C seems too stupid to be able to shift and do longs in
> >> the  diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h -index
> >> 39ab793..ad1e350 100644
> >> +index d258ef8..376f260 100644
> >>  --- a/crypto/evp/evp.h
> >>  +++ b/crypto/evp/evp.h
> >>  @@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out,
> const
> >> EVP_MD_CTX *in); @@ -1470,7 +1470,7 @@ index bbc3189..29695f9
> 100644
> >> +  +#endif /* OPENSSL_NO_STDIO */  diff --git
> >> + a/crypto/x509/x509_vfy.c
> >> b/crypto/x509/x509_vfy.c -index 8334b3f..d075f66 100644
> >> +index b147201..5bf3f07 100644
> >>  --- a/crypto/x509/x509_vfy.c
> >>  +++ b/crypto/x509/x509_vfy.c
> >>  @@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx,
> >> X509_CRL *crl, int notify) @@ -1915,10 +1915,10 @@ index
> >> 499f0e8..5672f99
> >> 100644
> >>               os.data = NULL;
> >>               os.length = 0;
> >>  diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c -index f48ebae..ac4f08c
> >> 100644
> >> +index 1be6fb0..cbec97c 100644
> >>  --- a/ssl/ssl_cert.c
> >>  +++ b/ssl/ssl_cert.c
> >> -@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509
> >> *x)
> >> +@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509
> >> +*x)
> >>       return (add_client_CA(&(ctx->client_CA), x));
> >>   }
> >>
> >> @@ -1932,7 +1932,7 @@ index f48ebae..ac4f08c 100644
> >>   /**
> >>    * Load CA certs from a file into a ::STACK. Note that it is
> >> somewhat misnamed;
> >>    * it doesn't really have anything to do with clients (except that
> >> a common use -@@ -930,7 +930,6 @@ STACK_OF(X509_NAME)
> >> *SSL_load_client_CA_file(const char *file)
> >> +@@ -928,7 +928,6 @@ STACK_OF(X509_NAME)
> >> *SSL_load_client_CA_file(const
> >> +char *file)
> >>           ERR_clear_error();
> >>       return (ret);
> >>   }
> >> @@ -1940,7 +1940,7 @@ index f48ebae..ac4f08c 100644
> >>
> >>   /**
> >>    * Add a file of certs to a stack.
> >> -@@ -1050,6 +1049,7 @@ int
> >> SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
> >> +@@ -1048,6 +1047,7 @@ int
> >> +SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
> >>       CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
> >>       return ret;
> >>   }
> >> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
> >> b/CryptoPkg/Library/OpensslLib/Install.cmd
> >> index 093414d4b8..e040cda259 100755
> >> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
> >> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
> >> @@ -1,4 +1,4 @@
> >> -cd openssl-1.0.2j
> >> +cd openssl-1.0.2k
> >>  copy ..\opensslconf.h           crypto
> >>  if not exist include\openssl mkdir include\openssl
> >>  copy e_os2.h                    include\openssl
> >> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
> >> b/CryptoPkg/Library/OpensslLib/Install.sh
> >> index 7bd55f6ae3..40811e20a6 100755
> >> --- a/CryptoPkg/Library/OpensslLib/Install.sh
> >> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
> >> @@ -1,6 +1,6 @@
> >>  #!/bin/sh
> >>
> >> -cd openssl-1.0.2j
> >> +cd openssl-1.0.2k
> >>  cp ../opensslconf.h           crypto
> >>  mkdir -p                      include/openssl
> >>  cp e_os2.h                    include/openssl
> >> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> >> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> >> index c14e36d341..3acc397ace 100644
> >> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> >> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> >> @@ -1,7 +1,7 @@
> >>  ## @file
> >>  #  This module provides openSSL Library implementation.
> >>  #
> >> -#  Copyright (c) 2010 - 2016, Intel Corporation. All rights
> >> reserved.<BR>
> >> +#  Copyright (c) 2010 - 2017, Intel Corporation. All rights
> >> +reserved.<BR>
> >>  #  This program and the accompanying materials  #  are licensed and
> >> made available under the terms and conditions of the BSD License  #
> >> which accompanies this distribution.  The full text of the license
> >> may be found at @@ -20,7 +20,7 @@
> >>    MODULE_TYPE                    = BASE
> >>    VERSION_STRING                 = 1.0
> >>    LIBRARY_CLASS                  = OpensslLib
> >> -  DEFINE OPENSSL_PATH            = openssl-1.0.2j
> >> +  DEFINE OPENSSL_PATH            = openssl-1.0.2k
> >>    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -
> >> DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -
> >> D_CRT_NONSTDC_NO_DEPRECATE
> >>
> >>  #
> >> @@ -516,6 +516,7 @@
> >>    $(OPENSSL_PATH)/ssl/ssl_asn1.c
> >>    $(OPENSSL_PATH)/ssl/ssl_txt.c
> >>    $(OPENSSL_PATH)/ssl/ssl_algs.c
> >> +  $(OPENSSL_PATH)/ssl/ssl_conf.c
> >>    $(OPENSSL_PATH)/ssl/bio_ssl.c
> >>    $(OPENSSL_PATH)/ssl/ssl_err.c
> >>    $(OPENSSL_PATH)/ssl/kssl.c
> >> @@ -550,7 +551,7 @@
> >>    # C4702: Potentially uninitialized local variable name used
> >>    # C4311: pointer truncation from 'type' to 'type'
> >>    #
> >> -  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
> >> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4701 /wd4702 /wd4706
> >> +  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
> >> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4267 /wd4701 /wd4702
> /wd4706
> >>    MSFT:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
> >> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701
> /wd4305
> >> /wd4306 /wd4702 /wd4706 /wd4311
> >>    MSFT:*_*_IPF_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
> >> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701
> /wd4305
> >> /wd4306 /wd4702 /wd4706
> >>
> >> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> >> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> >> index d7e3d9e875..8418802ac7 100644
> >> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> >> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> >> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl
> >> building under UEFI environment.
> >>
> >>
> ==========================================================
> >> ======================
> >>                                  OpenSSL-Version
> >>
> ==========================================================
> >> ======================
> >> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
> >> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
> >> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2k.
> >> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
> >>
> >>
> >>
> >>
> ==========================================================
> >> ======================
> >>                        HOW to Install Openssl for UEFI Building
> >>
> ==========================================================
> >> ======================
> >> -1.  Download OpenSSL 1.0.2j from official website:
> >> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
> >> +1.  Download OpenSSL 1.0.2k from official website:
> >> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
> >>
> >> -    NOTE: Some web browsers may rename the downloaded TAR file to
> >> openssl-1.0.2j.tar.tar.
> >> -          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
> >> -          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with
> >> ".tar.tar"
> >> +    NOTE: Some web browsers may rename the downloaded TAR file to
> >> openssl-1.0.2k.tar.tar.
> >> +          When you do the download, rename the "openssl-1.0.2k.tar.tar" to
> >> +          "openssl-1.0.2k.tar.gz" or rename the local downloaded
> >> + file with
> >> ".tar.tar"
> >>            extension to ".tar.gz".
> >>
> >> -2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
> >> +2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2k
> >>
> >>      NOTE: If you use WinZip to unpack the openssl source in Windows,
> please
> >>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options
> -->
> >>            Configuration --> Miscellaneous --> "TAR file smart CR/LF
> conversion").
> >>
> >> -3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make
> >> installation
> >> +3.  Apply this patch: EDKII_openssl-1.0.2k.patch, and make
> >> +installation
> >>
> >>      For Windows Environment:
> >>      ------------------------
> >>      1) Make sure the patch utility has been installed in your machine.
> >>         Install Cygwin or get the patch utility binary from
> >>            http://gnuwin32.sourceforge.net/packages/patch.htm
> >> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
> >> -    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
> >> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2k
> >> +    3) patch -p1 -i ..\EDKII_openssl-1.0.2k.patch
> >>      4) cd ..
> >>      5) Install.cmd
> >>
> >> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl
> >> building under UEFI environment.
> >>      -----------------------
> >>      1) Make sure the patch utility has been installed in your machine.
> >>         Patch utility is available from http://directory.fsf.org/project/patch/
> >> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
> >> -    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
> >> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2k
> >> +    3) patch -p1 -i ../EDKII_openssl-1.0.2k.patch
> >>      4) cd ..
> >>      5) ./Install.sh
> >>
> >> diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h
> >> b/CryptoPkg/Library/OpensslLib/opensslconf.h
> >> index adcaa01d6b..e0054a45fc 100644
> >> --- a/CryptoPkg/Library/OpensslLib/opensslconf.h
> >> +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
> >> @@ -92,9 +92,6 @@ extern "C" {
> >>  #ifndef OPENSSL_NO_POSIX_IO
> >>  # define OPENSSL_NO_POSIX_IO
> >>  #endif
> >> -#ifndef OPENSSL_NO_PQUEUE
> >> -# define OPENSSL_NO_PQUEUE
> >> -#endif
> >>  #ifndef OPENSSL_NO_RC2
> >>  # define OPENSSL_NO_RC2
> >>  #endif
> >> @@ -263,9 +260,6 @@ extern "C" {
> >>  # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)  #
> >> define NO_POSIX_IO  # endif -# if defined(OPENSSL_NO_PQUEUE) &&
> >> !defined(NO_PQUEUE) -#  define NO_PQUEUE -# endif  # if
> >> defined(OPENSSL_NO_RC2) && !defined(NO_RC2)  #  define NO_RC2  #
> >> endif
> >> --
> >> 2.11.1.windows.1
> >

Re: [edk2] [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
Posted by Laszlo Ersek 7 years, 1 month ago
On 02/25/17 01:49, Long, Qin wrote:
> 
>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Saturday, February 25, 2017 7:29 AM
>> To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org <edk2-
>> devel@ml01.01.org>
>> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
>> Subject: Re: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to
>> 1.0.2k
>>
>> On 02/24/17 14:52, Long, Qin wrote:
>>> Laszlo,
>>>
>>> This upgrade may have some conflicts with your last patch series. It could
>> be resolved /merged easily.
>>> It will be better to have your validations based on this new openssl version.
>>
>> Why will it be better?
> 
> Never mind. It's not the try to have any earlier integration. 
> Just in case that you would like to catch more latest openssl release before
> any deadline you mentioned. :-)

In fact I greatly appreciate that! 1.0.2k has been out for a while now,
and I've been silently wondering when you'd like to bump edk2's version
as well :) This update comes at the best possible time, for me anyway. I
will definitely assist you with testing this, so it can be integrated
quickly.

> I will create the new patch after your patch was done.

Thank you. I committed the CryptoPkg, ArmVirtPkg, and OvmfPkg patches
(which had been reviewed) from the series

[edk2] [PATCH v2 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize
                      libssl presence in OpensslLib

The Nt32Pkg patch will have to wait until Ray's & Jiaxin's R-b, but
delaying that patch for a while should be no problem -- the package will
just continue using the full OpensslLib instance for a few more days.

Either way, by committing the CryptoPkg patches today -- I usually don't
work on weekends --, I'm hoping to enable you to post v2 of the 1.0.2k
update on Monday. I believe your Monday (UTC+08:00 I think) starts quite
a bit earlier than my Monday (UTC+01:00) :), so by the time I log in,
you could have the v2 patch on the list, and testing it could be the
first thing I do next week.

> 
>>
>>> (And I just noticed two changes (ssl_conf.c & NO_PQUEUE) were
>>> duplicated in this patch.)
>>
>> Well, technically, I posted those patches first (two versions, actually), and
>> they are mostly reviewed by now (thanks to you as well).
>> So I think they should go in first, and this is the patch that should be rebased.
>>
>> Patches that are already on the list (and are ready to be merged
>> especially) should not be pre-empted by more recently posted patches
>> (especially if they still need review and/or testing).
> 
> Of course.
> The duplication part was generated by my mistake. I will submit the V2.

I don't think it was a mistake. In general, everyone works (and should
work) off the master branch, unless work items are known in advance to
overlap (and then people can agree to base work X on top of work Y,
fetching patches from each other's private repos, for example -- I think
the edk2-staging repo is an example for this as well). In such cases,
the dependent series' cover letter generally spells out "this series
depends on that other series". However, such dependencies are quite
rare, and conflicts between otherwise independent patches are
occasionally unavoidable.

In other distributed development projects, sometimes a higher level
maintainer (if there is such a position) resolves the conflict
autonomously, when picking up the second set. Or else, if such a
resolution would be too complex / too risky on his/her side, the
maintainer asks one of the two contributors to rebase & resubmit. And,
as far as I'm aware, the default workflow is to ask the one contributor
to rebase & resubmit whose patches hit the list second. I'm sure there
are exceptions (for example if the second series gets reviewed & tested
very quickly, and the first series shows problems and needs further
iterations anyway), but such cases are again quite rare in my experience.

In summary, I think the conflict is not a problem, and not anybody's
fault; we just have to follow a (flexible) protocol to resolve the
occasional conflict.

(Of course this is just my opinion again.)

Thank you very much!
Laszlo

> 
>>
>> Thanks,
>> Laszlo
>>
>>>
>>>
>>> Best Regards & Thanks,
>>> LONG, Qin
>>>
>>>> -----Original Message-----
>>>> From: Long, Qin
>>>> Sent: Friday, February 24, 2017 9:39 PM
>>>> To: edk2-devel@lists.01.org; Long, Qin <qin.long@intel.com>
>>>> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
>>>> lersek@redhat.com
>>>> Subject: [Patch] CryptoPkg/OpensslLib: Upgrade OpenSSL version to
>>>> 1.0.2k
>>>>
>>>> OpenSSL 1.0.2k was released with several severity fixes at
>>>> 26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
>>>> This patch is to upgrade the supported OpenSSL version in
>>>> CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
>>>>
>>>> Cc: Ye Ting <ting.ye@intel.com>
>>>> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
>>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>> Signed-off-by: Qin Long <qin.long@intel.com>
>>>> ---
>>>>  CryptoPkg/CryptoPkg.dec                            |  4 ++--
>>>>  ...ssl-1.0.2j.patch => EDKII_openssl-1.0.2k.patch} | 26
>>>> +++++++++++----------
>>>> -
>>>>  CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
>>>>  CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
>>>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  7 +++---
>>>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++++++++++---
>> ---
>>>> -----
>>>>  CryptoPkg/Library/OpensslLib/opensslconf.h         |  6 -----
>>>>  7 files changed, 34 insertions(+), 39 deletions(-)  rename
>>>> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2j.patch =>
>>>> EDKII_openssl- 1.0.2k.patch} (96%)
>>>>
>>>> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index
>>>> eee26cbccc..27c832707a 100644
>>>> --- a/CryptoPkg/CryptoPkg.dec
>>>> +++ b/CryptoPkg/CryptoPkg.dec
>>>> @@ -4,7 +4,7 @@
>>>>  #  This Package provides cryptographic-related libraries for UEFI
>>>> security modules.
>>>>  #  It also provides a test application to test libraries.
>>>>  #
>>>> -#  Copyright (c) 2009 - 2016, Intel Corporation. All rights
>>>> reserved.<BR>
>>>> +#  Copyright (c) 2009 - 2017, Intel Corporation. All rights
>>>> +reserved.<BR>
>>>>  #  This program and the accompanying materials  #  are licensed and
>>>> made available under the terms and conditions of the BSD License  #
>>>> which accompanies this distribution.  The full text of the license
>>>> may be found at @@ -24,7 +24,7 @@
>>>>
>>>>  [Includes]
>>>>    Include
>>>> -  Library/OpensslLib/openssl-1.0.2j/include
>>>> +  Library/OpensslLib/openssl-1.0.2k/include
>>>>
>>>>  [LibraryClasses]
>>>>    ##  @libraryclass  Provides basic library functions for
>>>> cryptographic primitives.
>>>> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>>>> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>>>> similarity index 96%
>>>> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>>>> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>>>> index ecd13a9d5f..cc0ce6822e 100644
>>>> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2j.patch
>>>> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
>>>> @@ -1,8 +1,8 @@
>>>>  diff --git a/Configure b/Configure
>>>> -index c39f71a..98dd1d0 100755
>>>> +index 5da7cad..c2cc9c5 100755
>>>>  --- a/Configure
>>>>  +++ b/Configure
>>>> -@@ -609,6 +609,9 @@ my %table=(
>>>> +@@ -611,6 +611,9 @@ my %table=(
>>>>   # with itself, Applink is never engaged and can as well be omitted.
>>>>   "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -
>>>> DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-
>> D_MT:MINGW64:-
>>>> lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT
>>>> EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-
>>>> D_WINDLL:-mno-cygwin:.dll.a",
>>>>
>>>> @@ -12,7 +12,7 @@ index c39f71a..98dd1d0 100755
>>>>   # UWIN
>>>>   "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG
>>>> ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
>>>>
>>>> -@@ -1083,7 +1086,7 @@ if (defined($disabled{"md5"}) ||
>>>> defined($disabled{"sha"})
>>>> +@@ -1085,7 +1088,7 @@ if (defined($disabled{"md5"}) ||
>>>> +defined($disabled{"sha"})
>>>>   	}
>>>>
>>>>   if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) @@ -22,10
>>>> +22,10 @@ index c39f71a..98dd1d0 100755
>>>>   	$disabled{"gost"} = "forced";
>>>>   	}
>>>>  diff --git a/apps/apps.c b/apps/apps.c -index 9fdc3e0..6c183b0
>>>> 100644
>>>> +index c487bd9..64ade15 100644
>>>>  --- a/apps/apps.c
>>>>  +++ b/apps/apps.c
>>>> -@@ -2375,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
>>>> +@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
>>>>           flags |= X509_V_FLAG_PARTIAL_CHAIN;
>>>>       else if (!strcmp(arg, "-no_alt_chains"))
>>>>           flags |= X509_V_FLAG_NO_ALT_CHAINS; @@ -254,7 +254,7 @@
>>>> index d5a5514..bede55c 100644
>>>>           goto err;
>>>>
>>>>  diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index
>>>> 1d25687..ad641c3 100644
>>>> +index 8177fd2..4dab3bb 100644
>>>>  --- a/crypto/bn/bn_prime.c
>>>>  +++ b/crypto/bn/bn_prime.c
>>>>  @@ -131,7 +131,7 @@
>>>> @@ -298,7 +298,7 @@ index 1d25687..ad641c3 100644
>>>>       if (ctx != NULL) {
>>>>           BN_CTX_end(ctx);
>>>>           BN_CTX_free(ctx);
>>>> -@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM
>> *a,
>>>> const BIGNUM *a1,
>>>> +@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM
>> *a,
>>>> +const BIGNUM *a1,
>>>>       return 1;
>>>>   }
>>>>
>>>> @@ -861,7 +861,7 @@ index 585aa8b..04c6cfc 100644
>>>>   /*
>>>>    * Borland C seems too stupid to be able to shift and do longs in
>>>> the  diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h -index
>>>> 39ab793..ad1e350 100644
>>>> +index d258ef8..376f260 100644
>>>>  --- a/crypto/evp/evp.h
>>>>  +++ b/crypto/evp/evp.h
>>>>  @@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out,
>> const
>>>> EVP_MD_CTX *in); @@ -1470,7 +1470,7 @@ index bbc3189..29695f9
>> 100644
>>>> +  +#endif /* OPENSSL_NO_STDIO */  diff --git
>>>> + a/crypto/x509/x509_vfy.c
>>>> b/crypto/x509/x509_vfy.c -index 8334b3f..d075f66 100644
>>>> +index b147201..5bf3f07 100644
>>>>  --- a/crypto/x509/x509_vfy.c
>>>>  +++ b/crypto/x509/x509_vfy.c
>>>>  @@ -1064,6 +1064,8 @@ static int check_crl_time(X509_STORE_CTX *ctx,
>>>> X509_CRL *crl, int notify) @@ -1915,10 +1915,10 @@ index
>>>> 499f0e8..5672f99
>>>> 100644
>>>>               os.data = NULL;
>>>>               os.length = 0;
>>>>  diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c -index f48ebae..ac4f08c
>>>> 100644
>>>> +index 1be6fb0..cbec97c 100644
>>>>  --- a/ssl/ssl_cert.c
>>>>  +++ b/ssl/ssl_cert.c
>>>> -@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509
>>>> *x)
>>>> +@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509
>>>> +*x)
>>>>       return (add_client_CA(&(ctx->client_CA), x));
>>>>   }
>>>>
>>>> @@ -1932,7 +1932,7 @@ index f48ebae..ac4f08c 100644
>>>>   /**
>>>>    * Load CA certs from a file into a ::STACK. Note that it is
>>>> somewhat misnamed;
>>>>    * it doesn't really have anything to do with clients (except that
>>>> a common use -@@ -930,7 +930,6 @@ STACK_OF(X509_NAME)
>>>> *SSL_load_client_CA_file(const char *file)
>>>> +@@ -928,7 +928,6 @@ STACK_OF(X509_NAME)
>>>> *SSL_load_client_CA_file(const
>>>> +char *file)
>>>>           ERR_clear_error();
>>>>       return (ret);
>>>>   }
>>>> @@ -1940,7 +1940,7 @@ index f48ebae..ac4f08c 100644
>>>>
>>>>   /**
>>>>    * Add a file of certs to a stack.
>>>> -@@ -1050,6 +1049,7 @@ int
>>>> SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
>>>> +@@ -1048,6 +1047,7 @@ int
>>>> +SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
>>>>       CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
>>>>       return ret;
>>>>   }
>>>> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
>>>> b/CryptoPkg/Library/OpensslLib/Install.cmd
>>>> index 093414d4b8..e040cda259 100755
>>>> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
>>>> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
>>>> @@ -1,4 +1,4 @@
>>>> -cd openssl-1.0.2j
>>>> +cd openssl-1.0.2k
>>>>  copy ..\opensslconf.h           crypto
>>>>  if not exist include\openssl mkdir include\openssl
>>>>  copy e_os2.h                    include\openssl
>>>> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
>>>> b/CryptoPkg/Library/OpensslLib/Install.sh
>>>> index 7bd55f6ae3..40811e20a6 100755
>>>> --- a/CryptoPkg/Library/OpensslLib/Install.sh
>>>> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
>>>> @@ -1,6 +1,6 @@
>>>>  #!/bin/sh
>>>>
>>>> -cd openssl-1.0.2j
>>>> +cd openssl-1.0.2k
>>>>  cp ../opensslconf.h           crypto
>>>>  mkdir -p                      include/openssl
>>>>  cp e_os2.h                    include/openssl
>>>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>>> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>>> index c14e36d341..3acc397ace 100644
>>>> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>>> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>>> @@ -1,7 +1,7 @@
>>>>  ## @file
>>>>  #  This module provides openSSL Library implementation.
>>>>  #
>>>> -#  Copyright (c) 2010 - 2016, Intel Corporation. All rights
>>>> reserved.<BR>
>>>> +#  Copyright (c) 2010 - 2017, Intel Corporation. All rights
>>>> +reserved.<BR>
>>>>  #  This program and the accompanying materials  #  are licensed and
>>>> made available under the terms and conditions of the BSD License  #
>>>> which accompanies this distribution.  The full text of the license
>>>> may be found at @@ -20,7 +20,7 @@
>>>>    MODULE_TYPE                    = BASE
>>>>    VERSION_STRING                 = 1.0
>>>>    LIBRARY_CLASS                  = OpensslLib
>>>> -  DEFINE OPENSSL_PATH            = openssl-1.0.2j
>>>> +  DEFINE OPENSSL_PATH            = openssl-1.0.2k
>>>>    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -
>>>> DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -
>>>> D_CRT_NONSTDC_NO_DEPRECATE
>>>>
>>>>  #
>>>> @@ -516,6 +516,7 @@
>>>>    $(OPENSSL_PATH)/ssl/ssl_asn1.c
>>>>    $(OPENSSL_PATH)/ssl/ssl_txt.c
>>>>    $(OPENSSL_PATH)/ssl/ssl_algs.c
>>>> +  $(OPENSSL_PATH)/ssl/ssl_conf.c
>>>>    $(OPENSSL_PATH)/ssl/bio_ssl.c
>>>>    $(OPENSSL_PATH)/ssl/ssl_err.c
>>>>    $(OPENSSL_PATH)/ssl/kssl.c
>>>> @@ -550,7 +551,7 @@
>>>>    # C4702: Potentially uninitialized local variable name used
>>>>    # C4311: pointer truncation from 'type' to 'type'
>>>>    #
>>>> -  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
>>>> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4701 /wd4702 /wd4706
>>>> +  MSFT:*_*_IA32_CC_FLAGS    = -U_WIN32 -U_WIN64 -U_MSC_VER
>>>> $(OPENSSL_FLAGS) /wd4244 /wd4245 /wd4267 /wd4701 /wd4702
>> /wd4706
>>>>    MSFT:*_*_X64_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
>>>> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701
>> /wd4305
>>>> /wd4306 /wd4702 /wd4706 /wd4311
>>>>    MSFT:*_*_IPF_CC_FLAGS     = -U_WIN32 -U_WIN64 -U_MSC_VER
>>>> $(OPENSSL_FLAGS) /wd4133 /wd4244 /wd4245 /wd4267 /wd4701
>> /wd4305
>>>> /wd4306 /wd4702 /wd4706
>>>>
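Review bot: The new `/wd4267` in `MSFT:*_*_IA32_CC_FLAGS` turns off the size_t-narrowing warning for every OpenSSL source built for IA32, and neither the commit message nor the visible part of the comment block says which 1.0.2k code triggers it. Narrowing of length values in parsing and crypto code is a class of warning worth keeping visible, so the reason for the suppression should be recorded where it is made. I would add a line to the warning list above the flags, for example `#   C4267: conversion from 'size_t' to 'type', possible loss of data (IA32: needed since 1.0.2k, see <source file>)`, with the placeholder replaced by the file that fails to build. The comment block starts outside this hunk, so if C4267 is already listed there for X64/IPF, only the IA32 remark needs adding.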
>>>> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>>> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>>> index d7e3d9e875..8418802ac7 100644
>>>> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>>> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>>> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl
>>>> building under UEFI environment.
>>>>
>>>>
>> ==========================================================
>>>> ======================
>>>>                                  OpenSSL-Version
>>>>
>> ==========================================================
>>>> ======================
>>>> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2j.
>>>> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
>>>> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2k.
>>>> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
>>>>
>>>>
>>>>
>>>>
>> ==========================================================
>>>> ======================
>>>>                        HOW to Install Openssl for UEFI Building
>>>>
>> ==========================================================
>>>> ======================
>>>> -1.  Download OpenSSL 1.0.2j from official website:
>>>> -    http://www.openssl.org/source/openssl-1.0.2j.tar.gz
>>>> +1.  Download OpenSSL 1.0.2k from official website:
>>>> +    http://www.openssl.org/source/openssl-1.0.2k.tar.gz
>>>>
>>>> -    NOTE: Some web browsers may rename the downloaded TAR file to
>>>> openssl-1.0.2j.tar.tar.
>>>> -          When you do the download, rename the "openssl-1.0.2j.tar.tar" to
>>>> -          "openssl-1.0.2j.tar.gz" or rename the local downloaded file with
>>>> ".tar.tar"
>>>> +    NOTE: Some web browsers may rename the downloaded TAR file to
>>>> openssl-1.0.2k.tar.tar.
>>>> +          When you do the download, rename the "openssl-1.0.2k.tar.tar" to
>>>> +          "openssl-1.0.2k.tar.gz" or rename the local downloaded
>>>> + file with
>>>> ".tar.tar"
>>>>            extension to ".tar.gz".
>>>>
>>>> -2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2j
>>>> +2.  Extract TAR into CryptoPkg/Library/OpensslLib/openssl-1.0.2k
>>>>
>>>>      NOTE: If you use WinZip to unpack the openssl source in Windows,
>> please
>>>>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options
>> -->
>>>>            Configuration --> Miscellaneous --> "TAR file smart CR/LF
>> conversion").
>>>>
>>>> -3.  Apply this patch: EDKII_openssl-1.0.2j.patch, and make
>>>> installation
>>>> +3.  Apply this patch: EDKII_openssl-1.0.2k.patch, and make
>>>> +installation
>>>>
>>>>      For Windows Environment:
>>>>      ------------------------
>>>>      1) Make sure the patch utility has been installed in your machine.
>>>>         Install Cygwin or get the patch utility binary from
>>>>            http://gnuwin32.sourceforge.net/packages/patch.htm
>>>> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2j
>>>> -    3) patch -p1 -i ..\EDKII_openssl-1.0.2j.patch
>>>> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2k
>>>> +    3) patch -p1 -i ..\EDKII_openssl-1.0.2k.patch
>>>>      4) cd ..
>>>>      5) Install.cmd
>>>>
>>>> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl
>>>> building under UEFI environment.
>>>>      -----------------------
>>>>      1) Make sure the patch utility has been installed in your machine.
>>>>         Patch utility is available from http://directory.fsf.org/project/patch/
>>>> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2j
>>>> -    3) patch -p1 -i ../EDKII_openssl-1.0.2j.patch
>>>> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2k
>>>> +    3) patch -p1 -i ../EDKII_openssl-1.0.2k.patch
>>>>      4) cd ..
>>>>      5) ./Install.sh
>>>>
>>>> diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h
>>>> b/CryptoPkg/Library/OpensslLib/opensslconf.h
>>>> index adcaa01d6b..e0054a45fc 100644
>>>> --- a/CryptoPkg/Library/OpensslLib/opensslconf.h
>>>> +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
>>>> @@ -92,9 +92,6 @@ extern "C" {
>>>>  #ifndef OPENSSL_NO_POSIX_IO
>>>>  # define OPENSSL_NO_POSIX_IO
>>>>  #endif
>>>> -#ifndef OPENSSL_NO_PQUEUE
>>>> -# define OPENSSL_NO_PQUEUE
>>>> -#endif
>>>>  #ifndef OPENSSL_NO_RC2
>>>>  # define OPENSSL_NO_RC2
>>>>  #endif
>>>> @@ -263,9 +260,6 @@ extern "C" {
>>>>  # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)  #
>>>> define NO_POSIX_IO  # endif -# if defined(OPENSSL_NO_PQUEUE) &&
>>>> !defined(NO_PQUEUE) -#  define NO_PQUEUE -# endif  # if
>>>> defined(OPENSSL_NO_RC2) && !defined(NO_RC2)  #  define NO_RC2  #
>>>> endif
>>>> --
>>>> 2.11.1.windows.1
>>>
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> 
