Message ID | 1436511256-31215-1-git-send-email-ard.biesheuvel@linaro.org |
---|---|
State | New |
On 10 July 2015 at 09:53, Ye, Ting <ting.ye@intel.com> wrote:
> Looks good to me.
> Reviewed-by: Ye Ting <ting.ye@intel.com>
>

@Qin: are you ok with this patch? I would like to get it submitted asap to fix our automated build (it is broken because 1.0.2c is no longer available for download)

Thanks,
Ard.

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Friday, July 10, 2015 2:54 PM
> To: edk2-devel@lists.sourceforge.net; Long, Qin; Dong, Guo; Ye, Ting
> Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
> Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
>
> Upstream OpenSSL version 1.0.2c contained a fatal flaw
> [CVE-2015-1793] and is no longer available from the openssl.org
> download servers. So upgrade to its replacement, version 1.0.2d.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
> CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
> CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
> CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
> 5 files changed, 18 insertions(+), 18 deletions(-)
>
> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch > similarity index 96% > rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch > rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch > index 0d9575e94aef..72e5f3da54c4 100644 > --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch > +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c > diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 > +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 > -@@ -1647,6 +1647,10 @@ > +@@ -1653,6 +1653,10 @@ > > static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) > { > @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > time_t *ptime; > int i; > > -@@ -1686,6 +1690,7 @@ > +@@ -1692,6 +1696,7 @@ > } > > return 1; > diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd > index f8d8582d9ef6..ef0a4bdcebc9 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.cmd > +++ b/CryptoPkg/Library/OpensslLib/Install.cmd > @@ -1,4 +1,4 @@ > -cd openssl-1.0.2c > +cd openssl-1.0.2d > copy e_os2.h ..\..\..\Include\openssl > copy crypto\crypto.h ..\..\..\Include\openssl > copy crypto\opensslv.h ..\..\..\Include\openssl > diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh > index 087655d50e2a..877e775b81af 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.sh > +++ b/CryptoPkg/Library/OpensslLib/Install.sh > @@ -1,6 +1,6 @@ > #!/bin/sh > > -cd openssl-1.0.2c > +cd openssl-1.0.2d > cp e_os2.h ../../../Include/openssl > cp crypto/crypto.h ../../../Include/openssl > cp crypto/opensslv.h ../../../Include/openssl > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index dbf8a9621732..28d3aec00e2a 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> @@ -20,7 +20,7 @@ [Defines] > MODULE_TYPE = BASE > VERSION_STRING = 1.0 > LIBRARY_CLASS = OpensslLib > - DEFINE OPENSSL_PATH = openssl-1.0.2c > + DEFINE OPENSSL_PATH = openssl-1.0.2d > DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM > DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE > > diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > index 0ea7b8aa0ba5..59e74ee9b0d9 100644 > --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. > ================================================================================ > OpenSSL-Version > ================================================================================ > - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. > - http://www.openssl.org/source/openssl-1.0.2c.tar.gz > + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. > + http://www.openssl.org/source/openssl-1.0.2d.tar.gz > > > ================================================================================ > HOW to Install Openssl for UEFI Building > ================================================================================ > -1. Download OpenSSL 1.0.2c from official website: > - http://www.openssl.org/source/openssl-1.0.2c.tar.gz > +1. Download OpenSSL 1.0.2d from official website: > + http://www.openssl.org/source/openssl-1.0.2d.tar.gz > > - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar. > - When you do the download, rename the "openssl-1.0.2c.tar.tar" to > - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar" > + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. > + When you do the download, rename the "openssl-1.0.2d.tar.tar" to > + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" > extension to ".tar.gz". > > -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c > +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d > > NOTE: If you use WinZip to unpack the openssl source in Windows, please > uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> > Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). > > -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation > +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation > > For Windows Environment: > ------------------------ > 1) Make sure the patch utility has been installed in your machine. > Install Cygwin or get the patch utility binary from > http://gnuwin32.sourceforge.net/packages/patch.htm > - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c > - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch > + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d > + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch > 4) cd .. > 5) Install.cmd > > @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. > ----------------------- > 1) Make sure the patch utility has been installed in your machine. > Patch utility is available from http://directory.fsf.org/project/patch/ > - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c > - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch > + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d > + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch > 4) cd .. > 5) ./Install.sh > > -- > 1.9.1
On 12 July 2015 at 19:34, Long, Qin <qin.long@intel.com> wrote:
> Ard,
>
> This looks good to me. (And thanks for doing this. I was out of office this week, so sorry for late response.)
>
> Reviewed-by: Qin Long <qin.long@intel.com>
>

Thanks!
Committed as SVN r17928

Regards,
Ard.

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Friday, July 10, 2015 5:21 PM
> To: Long, Qin
> Cc: edk2-devel@lists.sourceforge.net; Ye, Ting; Dong, Guo; Justen, Jordan L; Gao, Liming
> Subject: Re: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
>
> On 10 July 2015 at 09:53, Ye, Ting <ting.ye@intel.com> wrote:
>> Looks good to me.
>> Reviewed-by: Ye Ting <ting.ye@intel.com>
>>
>
> @Qin: are you ok with this patch? I would like to get it submitted asap to fix our automated build (it is broken because 1.0.2c is no longer available for download)
>
> Thanks,
> Ard.
>
>
>> -----Original Message-----
>> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
>> Sent: Friday, July 10, 2015 2:54 PM
>> To: edk2-devel@lists.sourceforge.net; Long, Qin; Dong, Guo; Ye, Ting
>> Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
>> Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version
>> 1.0.2d
>>
>> Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793]
>> and is no longer available from the openssl.org download servers. So
>> upgrade to its replacement, version 1.0.2d.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>> CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
>> CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
>> CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
>> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
>> CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
>> 5 files changed, 18 insertions(+), 18 deletions(-)
>> >> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch >> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch >> similarity index 96% >> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch >> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch >> index 0d9575e94aef..72e5f3da54c4 100644 >> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch >> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch >> @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c >> crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c >> --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 >> +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 >> -@@ -1647,6 +1647,10 @@ >> +@@ -1653,6 +1653,10 @@ >> >> static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) >> { >> @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c >> time_t *ptime; >> int i; >> >> -@@ -1686,6 +1690,7 @@ >> +@@ -1692,6 +1696,7 @@ >> } >> >> return 1; >> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd >> b/CryptoPkg/Library/OpensslLib/Install.cmd >> index f8d8582d9ef6..ef0a4bdcebc9 100755 >> --- a/CryptoPkg/Library/OpensslLib/Install.cmd >> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd >> @@ -1,4 +1,4 @@ >> -cd openssl-1.0.2c >> +cd openssl-1.0.2d >> copy e_os2.h ..\..\..\Include\openssl >> copy crypto\crypto.h ..\..\..\Include\openssl >> copy crypto\opensslv.h ..\..\..\Include\openssl >> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh >> b/CryptoPkg/Library/OpensslLib/Install.sh >> index 087655d50e2a..877e775b81af 100755 >> --- a/CryptoPkg/Library/OpensslLib/Install.sh >> +++ b/CryptoPkg/Library/OpensslLib/Install.sh >> @@ -1,6 +1,6 @@ >> #!/bin/sh >> >> -cd openssl-1.0.2c >> +cd openssl-1.0.2d >> cp e_os2.h ../../../Include/openssl >> cp crypto/crypto.h ../../../Include/openssl >> cp crypto/opensslv.h ../../../Include/openssl 
>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> index dbf8a9621732..28d3aec00e2a 100644 >> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> @@ -20,7 +20,7 @@ [Defines] >> MODULE_TYPE = BASE >> VERSION_STRING = 1.0 >> LIBRARY_CLASS = OpensslLib >> - DEFINE OPENSSL_PATH = openssl-1.0.2c >> + DEFINE OPENSSL_PATH = openssl-1.0.2d >> DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM >> DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE >> >> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt >> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt >> index 0ea7b8aa0ba5..59e74ee9b0d9 100644 >> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt >> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
>> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. >> ================================================================================ >> OpenSSL-Version >> ====================================================================== >> ========== >> - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. >> - http://www.openssl.org/source/openssl-1.0.2c.tar.gz >> + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. >> + http://www.openssl.org/source/openssl-1.0.2d.tar.gz >> >> >> ================================================================================ >> HOW to Install Openssl for UEFI Building >> ====================================================================== >> ========== -1. Download OpenSSL 1.0.2c from official website: >> - http://www.openssl.org/source/openssl-1.0.2c.tar.gz >> +1. Download OpenSSL 1.0.2d from official website: >> + http://www.openssl.org/source/openssl-1.0.2d.tar.gz >> >> - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar. >> - When you do the download, rename the "openssl-1.0.2c.tar.tar" to >> - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar" >> + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. >> + When you do the download, rename the "openssl-1.0.2d.tar.tar" to >> + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" >> extension to ".tar.gz". >> >> -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c >> +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d >> >> NOTE: If you use WinZip to unpack the openssl source in Windows, please >> uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> >> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). >> >> -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make >> installation >> +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make >> +installation >> >> For Windows Environment: >> ------------------------ >> 1) Make sure the patch utility has been installed in your machine. >> Install Cygwin or get the patch utility binary from >> http://gnuwin32.sourceforge.net/packages/patch.htm >> - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c >> - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch >> + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d >> + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch >> 4) cd .. >> 5) Install.cmd >> >> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. >> ----------------------- >> 1) Make sure the patch utility has been installed in your machine. >> Patch utility is available from http://directory.fsf.org/project/patch/ >> - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c >> - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch >> + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d >> + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch >> 4) cd .. >> 5) ./Install.sh >> >> -- >> 1.9.1
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch similarity index 96% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch index 0d9575e94aef..72e5f3da54c4 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 -@@ -1647,6 +1647,10 @@ +@@ -1653,6 +1653,10 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c time_t *ptime; int i; -@@ -1686,6 +1690,7 @@ +@@ -1692,6 +1696,7 @@ } return 1; diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index f8d8582d9ef6..ef0a4bdcebc9 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2c +cd openssl-1.0.2d copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\opensslv.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 087655d50e2a..877e775b81af 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-1.0.2c +cd openssl-1.0.2d cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/opensslv.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index dbf8a9621732..28d3aec00e2a 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ [Defines] MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-1.0.2c + DEFINE OPENSSL_PATH = openssl-1.0.2d DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 0ea7b8aa0ba5..59e74ee9b0d9 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. - http://www.openssl.org/source/openssl-1.0.2c.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. + http://www.openssl.org/source/openssl-1.0.2d.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 1.0.2c from official website: - http://www.openssl.org/source/openssl-1.0.2c.tar.gz +1. Download OpenSSL 1.0.2d from official website: + http://www.openssl.org/source/openssl-1.0.2d.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar. - When you do the download, rename the "openssl-1.0.2c.tar.tar" to - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. + When you do the download, rename the "openssl-1.0.2d.tar.tar" to + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch 4) cd .. 5) ./Install.sh
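Review bot: in the renamed EDKII_openssl-1.0.2d.patch, the two x509_vfy.c hunk headers move by six lines (1647 to 1653 and 1686 to 1692) while the embedded file timestamps still read Jun 11 and Jun 12 2015, so the offsets look adjusted by hand rather than regenerated. Please confirm that "patch -p0 -i ../EDKII_openssl-1.0.2d.patch" applies to an unmodified 1.0.2d tree without fuzz or offset messages, in particular around check_cert_time(), or regenerate the diff against 1.0.2d.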
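Review bot: in Install.sh the result of "cd openssl-1.0.2d" is not checked, and since the hunk starts at line 1 there is no "set -e" ahead of it, so when the directory is missing the following cp lines run from the wrong directory and the script carries on. Suggest "cd openssl-1.0.2d || exit 1"; the unchecked cd in Install.cmd has the same problem. The version string is also hard-coded here while OpensslLib.inf already carries it in DEFINE OPENSSL_PATH, so every bump has to touch each file by hand.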
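Review bot: in Patch-HOWTO.txt, steps 1 to 3 go from downloading "http://www.openssl.org/source/openssl-1.0.2d.tar.gz" over plain HTTP straight to extracting and patching, with no integrity check on the tarball. As this bump is made because of a security flaw in the previous release, suggest adding a step before step 2 that verifies the archive against the checksum or signature published on openssl.org, and using an https URL where the server offers one. Separately, step 2 spells the directory "OpenSslLib" while every other path in the patch uses "OpensslLib", which matters on case-sensitive filesystems.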
Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793] and is no longer available from the openssl.org download servers. So upgrade to its replacement, version 1.0.2d.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
 CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
 CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
 5 files changed, 18 insertions(+), 18 deletions(-)