Another open is: 
I know some companies / orgs will use the script to download / unpack / patch
the openssl tar package for daily / automatic build testing.
Before, OpenSSL put all releases (old and the latest) in one same folder, so
there was no impact on this process. This year, OpenSSL only keeps the latest
version in the source folder, and moves the old releases into the "old" folder.
This means we have to catch every release even if the upgrade may not impact
EDKII usage. In fact, we may update the main OpenSSL version in CryptoPkg based
on the security risk evaluations and other impacts. So I would like to know if
it's feasible to update those scripts (CURL?) to try two URLs (e.g.
https://www.openssl.org/source/openssl-1.0.2d.tar.gz, and
https://www.openssl.org/source/old/1.0.2/openssl-1.0.2d.tar.gz)

Of course, this process may be optimized after the 1.1 HEAD release. We may be
able to remove the whole EDKII-openssl-xxx.patch, and have some native EFI
configuration, INF generation, etc., if all patches were integrated into OpenSSL
head. :-)


Best Regards & Thanks,
LONG, Qin
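The two-URL fallback asked for above, as an added example that is not part of the EDK II tree or of OpenSSL's own tooling. It models the 2015 openssl.org layout the thread describes (current release under source/, superseded releases under source/old/<branch>/) and adds the check an automated build should never skip: the tarball is only kept if its SHA-256 matches a hash the caller pins out of band (the hash value, the $FETCH override and the function names are all assumptions of this example). A 404 from the primary URL is treated as "moved to old/", a hash mismatch on either URL is treated as a failed download.

```shell
#!/bin/sh
# Added example (not from EDK II or OpenSSL): fetch an OpenSSL release tarball
# for an automated build, trying the current "source" folder first and the
# "source/old/<branch>" folder second, and refusing to keep the download unless
# its SHA-256 matches a hash pinned by the caller.  Variables are prefixed with
# "_" because POSIX sh has no "local".
set -e

# Branch folder used under source/old/, e.g. 1.0.2d -> 1.0.2, 1.1.0e -> 1.1.0.
openssl_branch() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*$/\1/'
}

# Candidate URLs, one per line, in the order they should be tried.
openssl_candidate_urls() {
    _ver="$1"
    _branch=$(openssl_branch "$_ver")
    printf 'https://www.openssl.org/source/openssl-%s.tar.gz\n' "$_ver"
    printf 'https://www.openssl.org/source/old/%s/openssl-%s.tar.gz\n' "$_branch" "$_ver"
}

# SHA-256 of a file: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_openssl VERSION EXPECTED_SHA256 OUTFILE
# Tries each candidate URL; the first one that both downloads and matches the
# pinned hash wins.  "curl -f" turns a 404 into a non-zero exit, so a release
# that has moved to old/ is skipped silently; a hash mismatch is reported and
# skipped, so a tampered or truncated tarball never reaches the build.  The
# download command can be overridden through $FETCH (used for offline testing);
# it must accept "OUTFILE URL" as its last two arguments, like "curl -fsSL -o".
fetch_openssl() {
    _ver="$1"; _expected="$2"; _out="$3"
    for _url in $(openssl_candidate_urls "$_ver"); do
        rm -f "$_out"
        if ${FETCH:-curl -fsSL -o} "$_out" "$_url" 2>/dev/null; then
            _actual=$(sha256_of "$_out")
            if [ "$_actual" = "$_expected" ]; then
                printf 'fetched %s (sha256 verified)\n' "$_url"
                return 0
            fi
            printf 'sha256 mismatch for %s: got %s\n' "$_url" "$_actual" >&2
        fi
    done
    rm -f "$_out"
    printf 'no candidate URL for openssl-%s matched the pinned hash\n' "$_ver" >&2
    return 1
}

# Example invocation; the hash is a placeholder, not a real release hash:
# fetch_openssl 1.0.2e 0000000000000000000000000000000000000000000000000000000000000000 openssl-1.0.2e.tar.gz
```

Pinning the hash is what makes the fallback safe: without it, a script that happily accepts whichever of two URLs answers first has simply doubled the number of places an attacker on the path (the HOWTO's download URL is still plain http) can hand it a substituted tree that then gets patched, compiled and signed into firmware.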

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Long, 
> Qin
> Sent: Friday, December 4, 2015 10:25 PM
> To: Ard Biesheuvel; edk2-devel@lists.01.org; dw...@infradead.org
> Cc: Hale, Robert P; Zimmer, Vincent; Gao, Liming
> Subject: Re: [edk2] [PATCH] CryptoPkg/OpensslLib: upgrade to openssl-1.0.2e
> 
> Ard,
> 
> Thanks for your quick response to this OpenSSL upgrade. Your patch was
> ready while I was still evaluating the security impacts and source changes. :-)
> 
> The severity evaluation should be moderate / high for EDKII-CryptoPkg, since
> there were potential vulnerabilities in big-number calculation (Montgomery
> squaring process), certificate verification, and PKCS7 handling, which means
> it is better for us to catch this upgrade.
> 
> One issue is: some code updates from 1.0.2e will break our Authenticode
> verification. I did the trace and analysis. The root cause is that one
> corner-case code block was removed from pk7_smime.c (as follows).
> 
> ----pk7_smime.c----
> #if 0     --> This macro was removed from 1.0.2e
>     /*
>      * NB: this test commented out because some versions of Netscape
>      * illegally include zero length content when signing data.
>      */
> 
>     /* Check for data and content: two sets of data */
>     if (!PKCS7_get_detached(p7) && indata) {
>         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
>         return 0;
>     }
> #endif
> -------------------------
> 
> This means the PKCS7 routine will return an error if we pass PKCS7 data with
> embedded content together with detached data in OpenSSL 1.0.2e.
> For Authenticode, its format is one extended PKCS7 SignedData, and the
> verification behavior also differs. OpenSSL has no formal support for
> Authenticode verification, so there is tricky handling when we enable
> Authenticode verification under UEFI. This old commented-out macro for
> Netscape just helped us to support the Authenticode verification process.
> 
> The fix here can also be simple: we can add "#if !defined(OPENSSL_SYS_UEFI)"
> here to keep the old behavior (which can be added in our patch file).
> 
> I would like to raise it as one open.
> David, do you think it's valuable to feed this back to the OpenSSL community?
> Personally, I think the old behavior (before 1.0.2e) is acceptable when both
> data (embedded and detached) are supplied.
> 
> 
> Best Regards & Thanks,
> LONG, Qin
> 
> > -----Original Message-----
> > From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org]
> > Sent: Friday, December 4, 2015 4:29 PM
> > To: edk2-devel@lists.01.org; Long, Qin; dw...@infradead.org
> > Cc: Gao, Liming; Ard Biesheuvel
> > Subject: [PATCH] CryptoPkg/OpensslLib: upgrade to openssl-1.0.2e
> >
> > Upstream OpenSSL has released version 1.0.2e with security fixes, and has pulled
> > the previous version from the download servers. So upgrade our OpensslLib glue
> > from 1.0.2d to 1.0.2e.
> >
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> > ---
> >  CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2d.patch => 
> > EDKII_openssl-1.0.2e.patch} | 18 +++++++-------
> >  CryptoPkg/Library/OpensslLib/Install.cmd                                   
> >              |  2 +-
> >  CryptoPkg/Library/OpensslLib/Install.sh                                    
> >              |  2 +-
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf                                
> >              |  2 +-
> >  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt                               
> >              | 26 ++++++++++----------
> >  5 files changed, 25 insertions(+), 25 deletions(-)
> >
> > diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch 
> > b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> > similarity index 95%
> > rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> > rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> > index 6be397b8b959..e4a85bf95df3 100644
> > --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> > +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> > @@ -16,7 +16,7 @@ diff U3 crypto/bio/bio.h crypto/bio/bio.h
> >  diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c
> >  --- crypto/bio/bss_file.c  Thu Jun 11 21:01:06 2015
> >  +++ crypto/bio/bss_file.c  Fri Jun 12 11:01:28 2015
> > -@@ -460,6 +460,23 @@
> > +@@ -467,6 +467,23 @@
> >       return (ret);
> >   }
> >
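Review bot: only the hunk offset changes here (`-460` to `-467`), but the `---`/`+++` header lines for crypto/bio/bss_file.c still carry the June 2015 dates of the 1.0.2d tree. Harmless for `patch -p0`, but regenerating EDKII_openssl-1.0.2e.patch against an unpacked 1.0.2e tree, rather than hand-editing offsets, would keep the headers honest and would have surfaced the pk7_smime.c context drift further down mechanically.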
> > @@ -83,9 +83,9 @@ diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c
> >  +    char *buf = NULL;
> >  +    int bufsiz;
> >       int i, j = 0, k, ret = 0;
> > -     BIO *p7bio;
> > -     BIO *tmpin, *tmpout;
> > -@@ -365,9 +366,14 @@
> > +     BIO *p7bio = NULL;
> > +     BIO *tmpin = NULL, *tmpout = NULL;
> > +@@ -355,9 +356,14 @@
> >       } else
> >           tmpout = out;
> >
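Review bot: the hunk header moving from `-365,9` to `-355,9` is a ten-line upward shift, consistent with upstream having dropped the `#if 0 ... #endif` block from pk7_smime.c that the reply describes, and this patch only re-syncs the surrounding context (`BIO *p7bio = NULL;`, `BIO *tmpin = NULL, *tmpout = NULL;`); it does nothing to reinstate the behaviour, so Authenticode verification regresses exactly as the reply states. Either fold the proposed `#if !defined(OPENSSL_SYS_UEFI)` guard into EDKII_openssl-1.0.2e.patch in this same change, or state in the commit message that 1.0.2e is known to break Authenticode until a follow-up lands, so nobody ships the intermediate state.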
> > @@ -101,17 +101,17 @@ diff U3 crypto/pkcs7/pk7_smime.c 
> > crypto/pkcs7/pk7_smime.c
> >           if (i <= 0)
> >               break;
> >           if (tmpout)
> > -@@ -406,6 +412,10 @@
> > +@@ -394,6 +400,10 @@
> > +     }
> >       BIO_free_all(p7bio);
> > -
> >       sk_X509_free(signers);
> >  +
> >  +    if (buf != NULL) {
> >  +      OPENSSL_free(buf);
> >  +    }
> > -
> >       return ret;
> >   }
> > +
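Review bot: the new `+     }` context line ahead of `BIO_free_all(p7bio);`, together with the NULL-initialised BIOs in the previous hunk, indicates upstream restructured this function's exit path in 1.0.2e, yet the EDK II addition `if (buf != NULL) OPENSSL_free(buf);` still sits only on the final-return path. Please check that every early exit upstream introduced in this function also reaches this cleanup; otherwise `buf`, allocated by the EDK II change in the `@@ -83,9 +83,9 @@` hunk, leaks on every failed verification, and in a firmware image that is memory never reclaimed. The relocated blank line (`-` after `BIO_free_all`, `+` at the end of the hunk) is whitespace churn that could be dropped.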
> >  diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c
> >  --- crypto/rand/rand_unix.c        Thu Jun 11 21:01:06 2015
> >  +++ crypto/rand/rand_unix.c        Fri Jun 12 10:51:21 2015
> > @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
> >  diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
> >  --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
> >  +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
> > -@@ -935,6 +935,8 @@
> > +@@ -940,6 +940,8 @@
> >           ctx->current_crl = crl;
> >       if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
> >           ptime = &ctx->param->check_time;
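Review bot: this is an offset-only change (`-935` to `-940`), but 1.0.2e's fixes touch certificate verification (one reason the reply rates the upgrade moderate/high), so please confirm against the 1.0.2e x509_vfy.c that the two-line EDK II insertion after `ptime = &ctx->param->check_time;` still lands inside the CRL-time check and not in code newly added at that offset; `patch` applies a drifted hunk with fuzz and only a one-line notice.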
> > @@ -219,7 +219,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
> >       else
> >           ptime = NULL;
> >
> > -@@ -1658,6 +1660,8 @@
> > +@@ -1663,6 +1665,8 @@
> >
> >       if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
> >           ptime = &ctx->param->check_time;
> > diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd 
> > b/CryptoPkg/Library/OpensslLib/Install.cmd
> > index ef0a4bdcebc9..b9b6fc6f7094 100755
> > --- a/CryptoPkg/Library/OpensslLib/Install.cmd
> > +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
> > @@ -1,4 +1,4 @@
> > -cd openssl-1.0.2d
> > +cd openssl-1.0.2e
> >  copy e_os2.h                    ..\..\..\Include\openssl
> >  copy crypto\crypto.h            ..\..\..\Include\openssl
> >  copy crypto\opensslv.h          ..\..\..\Include\openssl
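Review bot: `cd openssl-1.0.2e` has no failure handling, so if the tarball was unpacked under another name (the HOWTO itself warns browsers may save it as `.tar.tar`) the `copy` lines run from CryptoPkg\Library\OpensslLib and copy whatever happens to be there, or nothing, without a non-zero exit. Suggest `cd openssl-1.0.2e || exit /b 1` so a missing or misnamed tree is a hard error.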
> > diff --git a/CryptoPkg/Library/OpensslLib/Install.sh 
> > b/CryptoPkg/Library/OpensslLib/Install.sh
> > index 877e775b81af..543439529448 100755
> > --- a/CryptoPkg/Library/OpensslLib/Install.sh
> > +++ b/CryptoPkg/Library/OpensslLib/Install.sh
> > @@ -1,6 +1,6 @@
> >  #!/bin/sh
> >
> > -cd openssl-1.0.2d
> > +cd openssl-1.0.2e
> >  cp e_os2.h                    ../../../Include/openssl
> >  cp crypto/crypto.h            ../../../Include/openssl
> >  cp crypto/opensslv.h          ../../../Include/openssl
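Review bot: same issue as Install.cmd: the script has `#!/bin/sh` but no `set -e`, so a failing `cd openssl-1.0.2e` leaves the `cp` lines running from the parent directory. `cd openssl-1.0.2e || exit 1` (or `set -e` after the shebang) turns a wrong or missing unpack directory into a hard error instead of a silent mismatch between the headers copied under Include/openssl and the sources the .inf compiles.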
> > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > index a6d511e83922..a1dcc3257fa8 100644
> > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > @@ -20,7 +20,7 @@ [Defines]
> >    MODULE_TYPE                    = BASE
> >    VERSION_STRING                 = 1.0
> >    LIBRARY_CLASS                  = OpensslLib
> > -  DEFINE OPENSSL_PATH            = openssl-1.0.2d
> > +  DEFINE OPENSSL_PATH            = openssl-1.0.2e
> >    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT 
> > -D_CRT_SECURE_NO_DEPRECATE -
> > D_CRT_NONSTDC_NO_DEPRECATE
> >
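Review bot: `OPENSSL_PATH` is the one place the build itself reads the version from, yet this bump repeats `openssl-1.0.2e` by hand in Install.cmd, Install.sh and Patch-HOWTO.txt as well. Consider having the install scripts derive the directory name from this define (or at least document in Patch-HOWTO.txt that OPENSSL_PATH is the source of truth) so a future upgrade cannot leave the scripts and the .inf pointing at different trees.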
> >  #
> > diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> > b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> > index 59e74ee9b0d9..f575d7147bdf 100644
> > --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> > +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> > @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building 
> > under UEFI environment.
> >  
> > ================================================================================
> >                                  OpenSSL-Version
> >  
> > ================================================================================
> > -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
> > -    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
> > +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2e.
> > +    http://www.openssl.org/source/openssl-1.0.2e.tar.gz
> >
> >
> >  
> > ================================================================================
> >                        HOW to Install Openssl for UEFI Building
> >  
> > ================================================================================
> > -1.  Download OpenSSL 1.0.2d from official website:
> > -    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
> > +1.  Download OpenSSL 1.0.2e from official website:
> > +    http://www.openssl.org/source/openssl-1.0.2e.tar.gz
> >
> > -    NOTE: Some web browsers may rename the downloaded TAR file to 
> > openssl-1.0.2d.tar.tar.
> > -          When you do the download, rename the "openssl-1.0.2d.tar.tar" to
> > -          "openssl-1.0.2d.tar.gz" or rename the local downloaded file with 
> > ".tar.tar"
> > +    NOTE: Some web browsers may rename the downloaded TAR file to 
> > openssl-1.0.2e.tar.tar.
> > +          When you do the download, rename the "openssl-1.0.2e.tar.tar" to
> > +          "openssl-1.0.2e.tar.gz" or rename the local downloaded file with 
> > ".tar.tar"
> >            extension to ".tar.gz".
> >
> > -2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
> > +2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2e
> >
> >      NOTE: If you use WinZip to unpack the openssl source in Windows, please
> >            uncheck the WinZip smart CR/LF conversion option (WINZIP: 
> > Options -->
> >            Configuration --> Miscellaneous --> "TAR file smart CR/LF 
> > conversion").
> >
> > -3.  Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation
> > +3.  Apply this patch: EDKII_openssl-1.0.2e.patch, and make installation
> >
> >      For Windows Environment:
> >      ------------------------
> >      1) Make sure the patch utility has been installed in your machine.
> >         Install Cygwin or get the patch utility binary from
> >            http://gnuwin32.sourceforge.net/packages/patch.htm
> > -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
> > -    3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
> > +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2e
> > +    3) patch -p0 -i ..\EDKII_openssl-1.0.2e.patch
> >      4) cd ..
> >      5) Install.cmd
> >
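Review bot: the download URL is still `http://www.openssl.org/source/openssl-1.0.2e.tar.gz`: a plain-HTTP fetch of the source that becomes the firmware's crypto library hands anyone on the path a trivial substitution point, and the HOWTO never tells the reader to check the tarball against a published hash or signature. Switch the URL to https and add a verification step before the `patch -p0` step. Also, as the reply notes, openssl.org now moves superseded releases to `source/old/1.0.2/`, so this URL stops working at the next 1.0.2 release; mention that fallback location here.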
> > @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building 
> > under UEFI environment.
> >      -----------------------
> >      1) Make sure the patch utility has been installed in your machine.
> >         Patch utility is available from 
> > http://directory.fsf.org/project/patch/
> > -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
> > -    3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
> > +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2e
> > +    3) patch -p0 -i ../EDKII_openssl-1.0.2e.patch
> >      4) cd ..
> >      5) ./Install.sh
> >
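Review bot: step 3) gives no guidance on what a successful `patch -p0 -i ../EDKII_openssl-1.0.2e.patch` looks like. Given the pk7_smime.c context drift in this very upgrade, the HOWTO should tell the reader to run `patch -p0 --dry-run` first and to treat any "fuzz" or `.rej` output as a failure to investigate rather than a cue to proceed to Install.sh.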
> > --
> > 1.9.1
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel