Lee, I totally agree with you. I made some attempts years ago, but with no
result. :-(
From the OpenSSL community, there were also lots of requests for support for a
smaller fingerprint for embedded systems (e.g. adding more macros to
disable something). Also no positive feedback. That's why many derived
projects were created, such as MatrixSSL, CyaSSL, etc. It looks like the
OpenSSL Dev Team is still short of resources to do this.
Moreover, in the current EDKII-OpenSSL patch, I believe some of the issues we
patched are really OpenSSL issues, e.g.:
  - Missing DECLARE_PEM_write_fp_const definition if OPENSSL_NO_FP_API is
    used in pem.h
  - Wrong memory allocation for paramid in x509_vpm.c
  - ......
At least, it should be valuable to upstream these changes, and we will have a
smaller patch in the future. :-)
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: Blibbet [mailto:[email protected]]
Sent: Saturday, June 6, 2015 3:56 AM
To: [email protected]
Subject: Re: [edk2] [patch 3/3] [CryptoPkg] Updates some support header files
and wrapper files to support openssl-1.0.2a build, and correct some openssl API
usages when handling ASN.1 en/decoding.
Has there been any thought to upstream the libOpenSSL changes?
It would be nice to be able to grab a current OpenSSL tarball and have it
include UEFI support, and not have to patch it each time. Having the patches in
trunk also makes the main OpenSSL developers aware of how their changes impact
UEFI-centric codepaths, which they are currently blind to.
The previous OpenSSL patch was apparently not acceptable to them. I hope some
consideration has been made for this patch.
Thanks,
Lee
On 06/05/2015 09:11 AM, Long, Qin wrote:
> Copy that. Thanks biesheuvel.
> I will double-check the GCC building.
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: Ard Biesheuvel [mailto:[email protected]]
> Sent: Friday, June 5, 2015 5:20 PM
> To: [email protected]
> Subject: Re: [edk2] [patch 3/3] [CryptoPkg] Updates some support header
> files and wrapper files to support openssl-1.0.2a build, and correct some
> openssl API usages when handling ASN.1 en/decoding.
>
> Hello Long Qin,
>
> This patch breaks the build on GCC due to UINT8* variables being passed as
> 'const unsigned char*' parameters.
> Please see below.
>
> On 5 June 2015 at 03:06, qlong <[email protected]> wrote:
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Long Qin <[email protected]>
>> Signed-off-by: qlong <[email protected]>
>> ---
>> CryptoPkg/Include/OpenSslSupport.h | 8 +++++++-
>> CryptoPkg/Include/memory.h | 16
++++++++++++++++
>> CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 ++++--
>> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +++++-----
>> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 9 +++++----
>> CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 10 +++++++---
>> CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 ++++--
>> 7 files changed, 48 insertions(+), 17 deletions(-) create mode
>> 100644 CryptoPkg/Include/memory.h
>>
> [...]
>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
>> index 4ce2b06..9ace5e6 100644
>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
>> @@ -9,7 +9,7 @@
>> AuthenticodeVerify() will get PE/COFF Authenticode and will do
basic check for
>> data structure.
>>
>> -Copyright (c) 2011 - 2014, Intel Corporation. All rights
>> reserved.<BR>
>> +Copyright (c) 2011 - 2015, Intel Corporation. All rights
>> +reserved.<BR>
>> This program and the accompanying materials are licensed and made
>> available under the terms and conditions of the BSD License which
>> accompanies this distribution. The full text of the license may be
>> found at @@ -72,6 +72,7 @@ AuthenticodeVerify ( {
>> BOOLEAN Status;
>> PKCS7 *Pkcs7;
>> + UINT8 *Temp;
>
> CONST UINT8 *Temp;
>
>> CONST UINT8 *OrigAuthData;
>> UINT8 *SpcIndirectDataContent;
>> UINT8 Asn1Byte;
>> @@ -96,7 +97,8 @@ AuthenticodeVerify (
>> //
>> // Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode
Signature
>> //
>> - Pkcs7 = d2i_PKCS7 (NULL, &AuthData, (int)DataSize);
>> + Temp = (UINT8 *)AuthData;
>> + Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize);
>> if (Pkcs7 == NULL) {
>> goto _Exit;
>> }
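Review bot: `(int)DataSize` on the `d2i_PKCS7` call narrows the length with no bound check visible in this hunk. If `DataSize` is wider than int and the function does not already reject values above INT_MAX before this point, add that check ahead of the call so an oversized signature blob fails cleanly instead of being parsed with a truncated or negative length. Separately, the `(UINT8 *)` cast on `Temp = (UINT8 *)AuthData;` is only needed because `Temp` is not const; once `Temp` is declared `CONST UINT8 *` as requested above, drop the cast too.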
>
> [...]
>
>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
>> index a9665d5..06e4bb2 100644
>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> [...]
>> @@ -618,7 +618,8 @@ Pkcs7Verify (
>> //
>> // Read DER-encoded root certificate and Construct X509 Certificate
>> //
>> - Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
>> + Temp = (UINT8 *)TrustedCert;
>> + Cert = d2i_X509 (NULL, &Temp, (long) CertLength);
>
> Same here: temp should be declared as CONST UINT8*
>
>> if (Cert == NULL) {
>> goto _Exit;
>> }
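Review bot: The comment above the `d2i_X509` call does not say why `TrustedCert` is now copied into `Temp` first. d2i_X509 advances the pointer it is handed past the bytes it decoded, so one line stating that the copy keeps `TrustedCert` pointing at the start of the buffer would stop a later cleanup from passing `&TrustedCert` again. The declaration of `Temp` is outside the visible lines, so its type cannot be checked here beyond the CONST request above.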
> [...]
>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
>> index e4b5a84..7456755 100644
>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> [...]
>> @@ -441,6 +441,7 @@ TimestampTokenVerify (
>> CONST UINT8 *TokenTemp;
>> PKCS7 *Pkcs7;
>> X509 *Cert;
>> + UINT8 *CertTemp;
>
> Same here
>
>> X509_STORE *CertStore;
>> BIO *OutBio;
>> UINT8 *TstData;
>> @@ -490,7 +491,8 @@ TimestampTokenVerify (
>> //
>> // Read the trusted TSA certificate (DER-encoded), and Construct
X509 Certificate.
>> //
>> - Cert = d2i_X509 (NULL, &TsaCert, (long) CertSize);
>> + CertTemp = (UINT8 *)TsaCert;
>> + Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize);
>> if (Cert == NULL) {
>> goto _Exit;
>> }
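Review bot: The `(UINT8 *)TsaCert` cast on the added `CertTemp =` line should be removed rather than kept. The declaration block of this function already has `CONST UINT8 *TokenTemp;`, and declaring `CertTemp` the same way lets the assignment be written as `CertTemp = TsaCert;` with no cast, so a real qualifier mismatch is still reported by the compiler instead of being silenced.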
> [...]
>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
>> index 29efc42..66f79da 100644
>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
>> @@ -1,7 +1,7 @@
>> /** @file
>> X.509 Certificate Handler Wrapper Implementation over OpenSSL.
>>
>> -Copyright (c) 2010 - 2014, Intel Corporation. All rights
>> reserved.<BR>
>> +Copyright (c) 2010 - 2015, Intel Corporation. All rights
>> +reserved.<BR>
>> This program and the accompanying materials are licensed and made
>> available under the terms and conditions of the BSD License which
>> accompanies this distribution. The full text of the license may be
>> found at @@ -39,6 +39,7 @@ X509ConstructCertificate (
>> )
>> {
>> X509 *X509Cert;
>> + UINT8 *Temp;
>
> ... and here
>
>>
>> //
>> // Check input parameters.
>> @@ -50,7 +51,8 @@ X509ConstructCertificate (
>> //
>> // Read DER-encoded X509 Certificate and Construct X509 object.
>> //
>> - X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
>> + Temp = (UINT8 *)Cert;
>> + X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize);
>> if (X509Cert == NULL) {
>> return FALSE;
>> }
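Review bot: After `d2i_X509 (NULL, &Temp, (long) CertSize)` the value of `Temp` is discarded, although d2i_X509 leaves it pointing just past the bytes it decoded. If `Cert` is meant to hold exactly one DER certificate, comparing `Temp - Cert` with `CertSize` after a successful parse (and freeing the object on mismatch) would reject buffers with trailing data; if trailing bytes are acceptable, say so in the comment above the call. With `Temp` declared `CONST UINT8 *`, the `(UINT8 *)` cast on the preceding line is also unnecessary.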
>
>
> Thanks,
> Ard.
>
>
------------------------------------------------------------------------------
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
>