From patchwork Fri Jul 10 06:54:16 2015
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 51008
From: Ard Biesheuvel
To: edk2-devel@lists.sourceforge.net, qin.long@intel.com, guo.dong@intel.com, ting.ye@intel.com
Date: Fri, 10 Jul 2015 08:54:16 +0200
Message-Id: <1436511256-31215-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d

Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793] and is
no longer available from the openssl.org download servers. So upgrade to its
replacement, version 1.0.2d.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
 CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
 CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch similarity index 96% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch index 0d9575e94aef..72e5f3da54c4 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 -@@ -1647,6 +1647,10 @@ +@@ -1653,6 +1653,10 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c time_t *ptime; int i; -@@ -1686,6 +1690,7 @@ +@@ -1692,6 +1696,7 @@ } return 1; diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index f8d8582d9ef6..ef0a4bdcebc9 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2c +cd openssl-1.0.2d copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\opensslv.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 087655d50e2a..877e775b81af 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-1.0.2c +cd openssl-1.0.2d cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/opensslv.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index dbf8a9621732..28d3aec00e2a 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ [Defines] MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-1.0.2c + DEFINE OPENSSL_PATH = openssl-1.0.2d DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 0ea7b8aa0ba5..59e74ee9b0d9 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. - http://www.openssl.org/source/openssl-1.0.2c.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. + http://www.openssl.org/source/openssl-1.0.2d.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 1.0.2c from official website: - http://www.openssl.org/source/openssl-1.0.2c.tar.gz +1. Download OpenSSL 1.0.2d from official website: + http://www.openssl.org/source/openssl-1.0.2d.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar. - When you do the download, rename the "openssl-1.0.2c.tar.tar" to - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. + When you do the download, rename the "openssl-1.0.2d.tar.tar" to + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch 4) cd .. 5) ./Install.sh
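
Review bot: In the renamed EDKII_openssl-1.0.2d.patch, only the two crypto/x509/x509_vfy.c hunk headers were moved (1647 to 1653 and 1686 to 1692), while the embedded file header keeps its old timestamps ("Thu Jun 11 21:52:58 2015" and "Fri Jun 12 11:29:37 2015"), so the inner patch reads as hand-adjusted rather than regenerated against a 1.0.2d tree. Please regenerate it from a diff of pristine 1.0.2d against the patched tree, or say in the commit message that `patch -p0` applies to 1.0.2d on every file with no offset or fuzz. The hunk in question sits in check_cert_time(), which is certificate verification code, and a misplaced hunk there would be hard to notice after the fact.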
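
Review bot: In Install.sh (and likewise Install.cmd), the changed line `cd openssl-1.0.2d` is followed directly by the `cp` lines with no check that the directory change worked. On a tree that still has only the openssl-1.0.2c directory the copies fail one by one and whatever headers an earlier install left in Include/openssl stay in place, while OpensslLib.inf now points OPENSSL_PATH at openssl-1.0.2d. Suggest `cd openssl-1.0.2d || exit 1` in the shell script and an equivalent errorlevel check in the .cmd file, so a missing source directory stops the install instead of leaving mixed versions behind.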
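
Review bot: Step 1 in the first Patch-HOWTO.txt hunk still points at a plain http:// URL (`http://www.openssl.org/source/openssl-1.0.2d.tar.gz`), and none of the steps shown asks the reader to verify the tarball before extracting it. Since this update exists because the previous release had to be replaced for CVE-2015-1793, please add a step to check the download against the digest or PGP signature published by OpenSSL before step 2, and consider switching the URL to https://.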
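
Review bot: In the second Patch-HOWTO.txt hunk (the non-Windows steps), step 2) changes into `CryptoPkg/Library/OpensslLib/openssl-1.0.2d`, but the updated "Extract TAR into" line in the previous hunk names `CryptoPkg/Library/OpenSslLib/openssl-1.0.2d`. On a case-sensitive file system these are two different directories, so a reader who follows the extract step literally will find that the later `cd` and `patch -p0` do not land in the extracted tree. Both lines are touched by this patch, so make them agree on the `OpensslLib` spelling used by the file paths in this diff.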