From 65202874a4a0e576f5d18287a9e4821440faeec4 Mon Sep 17 00:00:00 2001 From: Qin Long Date: Fri, 11 Dec 2015 02:29:05 +0000 Subject: [PATCH] CryptoPkg/OpensslLib: upgrade OpenSSL version to 1.0.2e OpenSSL has released version 1.0.2e with security fixes. Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib from 1.0.2d to 1.0.2e. (Note: This is based on Ard's previous patch with extra fix https://rt.openssl.org/Ticket/Display.html?id=4175) Contributed-under: TianoCore Contribution Agreement 1.0 Singed-off-by: Ard Biesheuvel Signed-off-by: Qin Long Reviewed-by: Chao Zhang git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19218 6f19259b-4bc3-4df7-8a09-765794883524 --- ....0.2d.patch => EDKII_openssl-1.0.2e.patch} | 31 +++++++++++++------ CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- CryptoPkg/Library/OpensslLib/Install.sh | 2 +- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +- CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++-------- 5 files changed, 38 insertions(+), 25 deletions(-) rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2d.patch => EDKII_openssl-1.0.2e.patch} (94%) diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch similarity index 94% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch index 6be397b8b9..e4eaff6ead 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch @@ -16,7 +16,7 @@ diff U3 crypto/bio/bio.h crypto/bio/bio.h diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c --- crypto/bio/bss_file.c Thu Jun 11 21:01:06 2015 +++ crypto/bio/bss_file.c Fri Jun 12 11:01:28 2015 -@@ -460,6 +460,23 @@ +@@ -467,6 +467,23 @@ return (ret); } @@ -83,9 +83,22 @@ diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c + char *buf = NULL; + int bufsiz; int i, j = 0, k, ret = 0; - BIO *p7bio; - BIO *tmpin, *tmpout; -@@ -365,9 +366,14 @@ + BIO *p7bio = NULL; + BIO *tmpin = NULL, *tmpout = NULL; +@@ -275,12 +276,6 @@ + return 0; + } + +- /* Check for data and content: two sets of data */ +- if (!PKCS7_get_detached(p7) && indata) { +- PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT); +- return 0; +- } +- + sinfos = PKCS7_get_signer_info(p7); + + if (!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) { +@@ -355,9 +350,14 @@ } else tmpout = out; @@ -101,17 +114,17 @@ diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c if (i <= 0) break; if (tmpout) -@@ -406,6 +412,10 @@ +@@ -394,6 +394,10 @@ + } BIO_free_all(p7bio); - sk_X509_free(signers); + + if (buf != NULL) { + OPENSSL_free(buf); + } - return ret; } + diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c --- crypto/rand/rand_unix.c Thu Jun 11 21:01:06 2015 +++ crypto/rand/rand_unix.c Fri Jun 12 10:51:21 2015 @@ -210,7 +223,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 -@@ -935,6 +935,8 @@ +@@ -940,6 +940,8 @@ ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; @@ -219,7 +232,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c else ptime = NULL; -@@ -1658,6 +1660,8 @@ +@@ -1663,6 +1665,8 @@ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index ef0a4bdceb..b9b6fc6f70 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2d +cd openssl-1.0.2e copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\opensslv.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 877e775b81..5434395294 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-1.0.2d +cd openssl-1.0.2e cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/opensslv.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index b54a173845..216c1bb764 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-1.0.2d + DEFINE OPENSSL_PATH = openssl-1.0.2e DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE # diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 59e74ee9b0..f575d7147b 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. - http://www.openssl.org/source/openssl-1.0.2d.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2e. + http://www.openssl.org/source/openssl-1.0.2e.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 1.0.2d from official website: - http://www.openssl.org/source/openssl-1.0.2d.tar.gz +1. Download OpenSSL 1.0.2e from official website: + http://www.openssl.org/source/openssl-1.0.2e.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. - When you do the download, rename the "openssl-1.0.2d.tar.tar" to - "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2e.tar.tar. + When you do the download, rename the "openssl-1.0.2e.tar.tar" to + "openssl-1.0.2e.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2e NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation +3. Apply this patch: EDKII_openssl-1.0.2e.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d - 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2e + 3) patch -p0 -i ..\EDKII_openssl-1.0.2e.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d - 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2e + 3) patch -p0 -i ../EDKII_openssl-1.0.2e.patch 4) cd .. 5) ./Install.sh