Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d


Wang, Jian J
 

Laszlo,

You're right. I'll do more tests for secure boot. I'll leave https boot to you.

Regards,
Jian

-----Original Message-----
From: Laszlo Ersek <lersek@redhat.com>
Sent: Saturday, November 02, 2019 6:03 AM
To: Wang, Jian J <jian.j.wang@intel.com>; Zhang, Shenglei
<shenglei.zhang@intel.com>; devel@edk2.groups.io
Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Gao, Liming <liming.gao@intel.com>
Subject: Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

On 11/01/19 08:31, Wang, Jian J wrote:
> Hi Laszlo,
>
> I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know if you have
> any comments or want to do more tests against v4 before check in.
>
> Based on my review and tests,
> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

I can get to this patch on next Monday (2019-Nov-04) the earliest. (Even
today is a public holiday in my country, and I've only logged in now to
quickly respond to Mike's email in another thread.) I had the v3 posting
tagged earlier, and am learning of v4 only now.

I think the OpenSSL update should be tested with at least the following
use cases:

- HTTPS boot
- Secure Boot

Given that the HTTPS Boot CVE fix is also pending on the list, and that
it was posted before the OpenSSL upgrade, and they both affect HTTPS
Boot, I request that the OpenSSL upgrade be delayed until after the CVE
fix is pushed. (I'll try to push the CVE fix this weekend, or next Monday.)

Thanks
Laszlo

-----Original Message-----
From: Zhang, Shenglei <shenglei.zhang@intel.com>
Sent: Friday, November 01, 2019 2:56 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
<xiaoyux.lu@intel.com>;
Gao, Liming <liming.gao@intel.com>
Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Update openssl from 1.1.1b to 1.1.1d.
Something that needs to be noted is that there is a bug in the
released 1_1_1d version (894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes a build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226

Besides, the absence of "DSO_NONE" in dso_conf.h causes a build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".

shm.h and utsname.h are added to avoid GCC build failure.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
---
v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
The removed header files could be auto-generated by process_files.pl now.

v3: Add display information for dso_conf.h.

v4: Add shm.h and utsname.h to avoid GCC build failure.

CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
CryptoPkg/Library/Include/sys/shm.h | 9 +++++++++
CryptoPkg/Library/Include/sys/utsname.h | 10 ++++++++++
CryptoPkg/Library/OpensslLib/openssl | 2 +-
CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
5 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 CryptoPkg/Library/Include/sys/shm.h
create mode 100644 CryptoPkg/Library/Include/sys/utsname.h

diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
b/CryptoPkg/Library/Include/internal/dso_conf.h
index e69de29bb2d1..43c891588bc2 100644
--- a/CryptoPkg/Library/Include/internal/dso_conf.h
+++ b/CryptoPkg/Library/Include/internal/dso_conf.h
@@ -0,0 +1,16 @@
+/* WARNING: do not edit! */
+/* Generated from crypto/include/internal/dso_conf.h.in */
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DSO_CONF_H
+# define HEADER_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
+#endif
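Review bot: The header carries "WARNING: do not edit!" and "Generated from crypto/include/internal/dso_conf.h.in", but it is committed as a static file, so nothing ties its content to the submodule commit it was generated from. Say in the commit message that it is the unmodified output of process_files.pl at c3656cc594daac8167721dde7220f0e59ae146fc, and regenerate it in the same commit whenever the submodule pointer moves. The line `# define DSO_EXTENSION ".so"` reflects the configuration the script ran under rather than the firmware target; a short remark that only `DSO_NONE` matters here would save the next reviewer a question.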
diff --git a/CryptoPkg/Library/Include/sys/shm.h
b/CryptoPkg/Library/Include/sys/shm.h
new file mode 100644
index 000000000000..dc0b8e81c8b0
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/shm.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
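Review bot: The file comment ("Include file to support building the third-party cryptographic library.") does not say which OpenSSL source pulls in <sys/shm.h> or why an empty shim that only includes CrtLibSupport.h is enough. Name the including file and the GCC failure it fixes, so the stub can be dropped if a later OpenSSL update stops needing it.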
diff --git a/CryptoPkg/Library/Include/sys/utsname.h
b/CryptoPkg/Library/Include/sys/utsname.h
new file mode 100644
index 000000000000..75955b0a4eb6
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/utsname.h
@@ -0,0 +1,10 @@
+/** @file
+ Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
+
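Review bot: The hunk ends with an extra empty added line after `#include <CrtLibSupport.h>` (10 lines here against 9 in sys/shm.h), so two otherwise identical stubs differ only by a trailing blank line. Drop that line, and as with shm.h, state in the file comment which OpenSSL source requires <sys/utsname.h>.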
diff --git a/CryptoPkg/Library/OpensslLib/openssl
b/CryptoPkg/Library/OpensslLib/openssl
index 50eaac9f3337..c3656cc594da 160000
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit 50eaac9f3337667259de725451f201e784599687
+Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
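Review bot: The new pointer c3656cc594daac8167721dde7220f0e59ae146fc is not a release tag; per the commit message it sits two commits past the released 1_1_1d version (894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596), so the subject "Upgrade OpenSSL to 1.1.1d" understates what is being imported. List the two extra upstream commits by subject in the commit message so reviewers can confirm that nothing beyond the build fix comes along, and note the untagged state wherever the package records its OpenSSL version.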
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 4fe54cd808a5..dd93bd84da22 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -106,6 +106,14 @@ BEGIN {
) == 0 ||
die "Failed to generate opensslconf.h!\n";

+ # Generate dso_conf.h per config data
+ system(
+ "perl -I. -Mconfigdata util/dofile.pl " .
+ "crypto/include/internal/dso_conf.h.in " .
+ "> include/internal/dso_conf.h"
+ ) == 0 ||
+ die "Failed to generate dso_conf.h!\n";
+
chdir($basedir) ||
die "Cannot change to base directory \"" . $basedir . "\"";

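Review bot: In the added system() call, the shell redirection "> include/internal/dso_conf.h" creates or truncates the target before dofile.pl produces any output, so a failed run leaves an empty or partial header behind, and the die message reports neither the exit status nor the command that failed. Write to a temporary name and rename on success, or at least include $? in the message, e.g. die "Failed to generate dso_conf.h! (status $?)\n".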
@@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
print "Done!";

#
-# Copy opensslconf.h generated from OpenSSL Configuration
+# Copy opensslconf.h and dso_conf.h generated from OpenSSL
Configuration
#
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
$OPENSSL_PATH . "/../../Include/openssl/") ||
die "Cannot copy opensslconf.h!";
+print "Done!";
+print "\n--> Duplicating dso_conf.h into Include/internal ... ";
+copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
+ $OPENSSL_PATH . "/../../Include/internal/") ||
+ die "Cannot copy dso_conf.h!";
print "Done!\n";

print "\nProcessing Files Done!\n";
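Review bot: The added copy() of dso_conf.h dies with "Cannot copy dso_conf.h!" and discards $!, so a missing Include/internal/ directory or a permission problem is indistinguishable from any other failure. Append the reason, e.g. die "Cannot copy dso_conf.h: $!", and consider checking that the destination directory exists first, since the path is assembled as $OPENSSL_PATH . "/../../Include/internal/".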
--
2.18.0.windows.1
