Ard,

Thanks for your quick response to this OpenSSL upgrade. Your patch was 
ready while I was still evaluating the security impacts and source changes. :-)

The severity evaluation should be moderate / high for EDKII-CryptoPkg, since 
there were potential vulnerabilities in big number calculation (Montgomery 
squaring process), certificate verification, and PKCS7 handling, which means it 
is better for us to catch this upgrade. 

One issue is: some code updates in 1.0.2e will break our Authenticode 
verification. I did the trace and analysis. The root cause is that one corner-case 
code block was removed from pk7_smime.c (as follows). 

----pk7_smime.c----
#if 0     --> This macro was removed from 1.0.2e 
    /*
     * NB: this test commented out because some versions of Netscape
     * illegally include zero length content when signing data.
     */

    /* Check for data and content: two sets of data */
    if (!PKCS7_get_detached(p7) && indata) {
        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
        return 0;
    }
#endif 
-------------------------

This means the pkcs7 routine will return an error if we pass pkcs7 data with 
embedded content and detached data in OpenSSL 1.0.2e. 
For Authenticode, its format is one extended pkcs7 SignedData, and its 
verification behavior also differs. OpenSSL has no formal support for 
Authenticode verification, so there is tricky handling when we enable 
Authenticode verification under UEFI. This old commented-out macro for Netscape 
just helped us to support the Authenticode verification process. 

The fix here can also be simple: we can add "#if !defined(OPENSSL_SYS_UEFI)" 
here to keep the old behavior (which can be added in our patch file).

I would like to raise it as one open issue. 
David, do you think it's valuable to feed this back to the OpenSSL community? Personally, 
I think the old behavior (before 1.0.2e) can be acceptable when both embedded 
and detached data are supplied.


Best Regards & Thanks,
LONG, Qin
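Below is an added illustration (not code from this thread, from OpenSSL, or from EDK II's CryptoPkg): a small Python DER walker that shows what "detached" means for the pk7_smime.c check quoted above, namely whether SignedData.encapContentInfo carries an eContent OCTET STRING, plus a check_content_and_data() function modelled on the removed `#if 0` block, with an allow_both flag standing in for the proposed `#if !defined(OPENSSL_SYS_UEFI)` exception. The sample SignedData blobs are constructed inline (no certificates or signerInfos, only the fields the check inspects), and all function names are my own, not OpenSSL's.

```python
"""
Added example, not code from the edk2 thread, OpenSSL or EDK II.

Decides whether a PKCS#7 SignedData carries embedded content (eContent present)
or is detached (eContent absent), and applies the content-and-data check that the
quoted pk7_smime.c block performed before it was removed in 1.0.2e.
"""

# Standard PKCS#7 OIDs as raw DER content bytes.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x06, 0x04, 0x30, 0x31, 0xA0


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Encode one DER TLV (single-byte tags only)."""
    return bytes([tag]) + der_len(len(payload)) + payload


def read_tlv(buf, pos):
    """Parse the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def is_detached(content_info_der):
    """True when SignedData.encapContentInfo has no eContent, i.e. a detached signature."""
    tag, ci, _ = read_tlv(content_info_der, 0)
    fields = list(children(ci))
    if (tag != TAG_SEQUENCE or len(fields) != 2 or fields[0] != (TAG_OID, OID_PKCS7_SIGNED_DATA)
            or fields[1][0] != TAG_CTX0):
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    sd_tag, sd, _ = read_tlv(fields[1][1], 0)
    sd_fields = list(children(sd))
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo, ... }
    if sd_tag != TAG_SEQUENCE or len(sd_fields) < 3 or sd_fields[2][0] != TAG_SEQUENCE:
        raise ValueError("malformed SignedData")
    # encapContentInfo ::= SEQUENCE { eContentType OID, eContent [0] EXPLICIT OCTET STRING OPTIONAL }
    eci_fields = list(children(sd_fields[2][1]))
    if not eci_fields or eci_fields[0][0] != TAG_OID:
        raise ValueError("malformed encapContentInfo")
    return not any(t == TAG_CTX0 for t, _ in eci_fields[1:])


def check_content_and_data(content_info_der, indata, allow_both=False):
    """
    Mirror of the removed check: embedded content plus caller-supplied data is an
    error (CONTENT_AND_DATA_PRESENT) unless allow_both opts into the lenient
    pre-1.0.2e behaviour the thread proposes to keep under OPENSSL_SYS_UEFI.
    Returns (ok, reason).
    """
    if not is_detached(content_info_der) and indata is not None and not allow_both:
        return False, "CONTENT_AND_DATA_PRESENT"
    return True, "ok"


def build_signed_data(embedded_content=None):
    """Constructed sample: minimal SignedData ContentInfo, no certs or signers."""
    eci = tlv(TAG_OID, OID_PKCS7_DATA)
    if embedded_content is not None:
        eci += tlv(TAG_CTX0, tlv(TAG_OCTET_STRING, embedded_content))
    signed_data = tlv(TAG_SEQUENCE,
                      tlv(0x02, b"\x01")          # version 1
                      + tlv(TAG_SET, b"")         # digestAlgorithms (empty in this sample)
                      + tlv(TAG_SEQUENCE, eci)    # encapContentInfo
                      + tlv(TAG_SET, b""))        # signerInfos (empty in this sample)
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_PKCS7_SIGNED_DATA) + tlv(TAG_CTX0, signed_data))


DETACHED = build_signed_data()                       # constructed sample, no eContent
EMBEDDED = build_signed_data(b"signed payload")      # constructed sample, eContent present

if __name__ == "__main__":
    for name, blob in (("detached", DETACHED), ("embedded", EMBEDDED)):
        print(name, "detached:", is_detached(blob),
              "strict:", check_content_and_data(blob, b"caller data"),
              "lenient:", check_content_and_data(blob, b"caller data", allow_both=True))
```

The strict path is what 1.0.2e's behaviour amounts to for the case described above (embedded content and data both supplied), and the lenient path is what the proposed `#if !defined(OPENSSL_SYS_UEFI)` guard preserves; keeping the decision in one function makes the exception explicit and easy to audit.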

> -----Original Message-----
> From: Ard Biesheuvel [mailto:[email protected]]
> Sent: Friday, December 4, 2015 4:29 PM
> To: [email protected]; Long, Qin; [email protected]
> Cc: Gao, Liming; Ard Biesheuvel
> Subject: [PATCH] CryptoPkg/OpensslLib: upgrade to openssl-1.0.2e
> 
> Upstream OpenSSL has released version 1.0.2e with security fixes, and has
> pulled the previous version from the download servers. So upgrade our
> OpensslLib glue from 1.0.2d to 1.0.2e.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <[email protected]>
> ---
>  CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2d.patch => 
> EDKII_openssl-1.0.2e.patch} | 18 +++++++-------
>  CryptoPkg/Library/OpensslLib/Install.cmd                                     
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/Install.sh                                      
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf                                  
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt                                 
>            | 26 ++++++++++----------
>  5 files changed, 25 insertions(+), 25 deletions(-)
> 
> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch 
> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> similarity index 95%
> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> index 6be397b8b959..e4a85bf95df3 100644
> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch
> @@ -16,7 +16,7 @@ diff U3 crypto/bio/bio.h crypto/bio/bio.h
>  diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c
>  --- crypto/bio/bss_file.c    Thu Jun 11 21:01:06 2015
>  +++ crypto/bio/bss_file.c    Fri Jun 12 11:01:28 2015
> -@@ -460,6 +460,23 @@
> +@@ -467,6 +467,23 @@
>       return (ret);
>   }
> 
> @@ -83,9 +83,9 @@ diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c
>  +    char *buf = NULL;
>  +    int bufsiz;
>       int i, j = 0, k, ret = 0;
> -     BIO *p7bio;
> -     BIO *tmpin, *tmpout;
> -@@ -365,9 +366,14 @@
> +     BIO *p7bio = NULL;
> +     BIO *tmpin = NULL, *tmpout = NULL;
> +@@ -355,9 +356,14 @@
>       } else
>           tmpout = out;
> 
> @@ -101,17 +101,17 @@ diff U3 crypto/pkcs7/pk7_smime.c 
> crypto/pkcs7/pk7_smime.c
>           if (i <= 0)
>               break;
>           if (tmpout)
> -@@ -406,6 +412,10 @@
> +@@ -394,6 +400,10 @@
> +     }
>       BIO_free_all(p7bio);
> -
>       sk_X509_free(signers);
>  +
>  +    if (buf != NULL) {
>  +      OPENSSL_free(buf);
>  +    }
> -
>       return ret;
>   }
> +
>  diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c
>  --- crypto/rand/rand_unix.c  Thu Jun 11 21:01:06 2015
>  +++ crypto/rand/rand_unix.c  Fri Jun 12 10:51:21 2015
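Review bot: the context offset for this pk7_smime.c region moves from 406 to 394, so upstream 1.0.2e removed a dozen lines above this point in PKCS7_verify(); per the reply in this thread, that is where the `#if 0` guard around the `PKCS7_get_detached(p7) && indata` check was dropped, which breaks Authenticode verification under UEFI. The rebased EDK II patch should carry an explicit change for that (the proposed `#if !defined(OPENSSL_SYS_UEFI)` guard) rather than only re-aligned context, and the commit message should mention it, since this hunk otherwise reads as a pure line-number refresh.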
> @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
>  diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
>  --- crypto/x509/x509_vfy.c   Thu Jun 11 21:52:58 2015
>  +++ crypto/x509/x509_vfy.c   Fri Jun 12 11:29:37 2015
> -@@ -935,6 +935,8 @@
> +@@ -940,6 +940,8 @@
>           ctx->current_crl = crl;
>       if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
>           ptime = &ctx->param->check_time;
> @@ -219,7 +219,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
>       else
>           ptime = NULL;
> 
> -@@ -1658,6 +1660,8 @@
> +@@ -1663,6 +1665,8 @@
> 
>       if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
>           ptime = &ctx->param->check_time;
> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd 
> b/CryptoPkg/Library/OpensslLib/Install.cmd
> index ef0a4bdcebc9..b9b6fc6f7094 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
> @@ -1,4 +1,4 @@
> -cd openssl-1.0.2d
> +cd openssl-1.0.2e
>  copy e_os2.h                    ..\..\..\Include\openssl
>  copy crypto\crypto.h            ..\..\..\Include\openssl
>  copy crypto\opensslv.h          ..\..\..\Include\openssl
> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh 
> b/CryptoPkg/Library/OpensslLib/Install.sh
> index 877e775b81af..543439529448 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.sh
> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
> @@ -1,6 +1,6 @@
>  #!/bin/sh
> 
> -cd openssl-1.0.2d
> +cd openssl-1.0.2e
>  cp e_os2.h                    ../../../Include/openssl
>  cp crypto/crypto.h            ../../../Include/openssl
>  cp crypto/opensslv.h          ../../../Include/openssl
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index a6d511e83922..a1dcc3257fa8 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -20,7 +20,7 @@ [Defines]
>    MODULE_TYPE                    = BASE
>    VERSION_STRING                 = 1.0
>    LIBRARY_CLASS                  = OpensslLib
> -  DEFINE OPENSSL_PATH            = openssl-1.0.2d
> +  DEFINE OPENSSL_PATH            = openssl-1.0.2e
>    DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT 
> -D_CRT_SECURE_NO_DEPRECATE -
> D_CRT_NONSTDC_NO_DEPRECATE
> 
>  #
> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> index 59e74ee9b0d9..f575d7147bdf 100644
> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building 
> under UEFI environment.
>  
> ================================================================================
>                                  OpenSSL-Version
>  
> ================================================================================
> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
> -    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2e.
> +    http://www.openssl.org/source/openssl-1.0.2e.tar.gz
> 
> 
>  
> ================================================================================
>                        HOW to Install Openssl for UEFI Building
>  
> ================================================================================
> -1.  Download OpenSSL 1.0.2d from official website:
> -    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
> +1.  Download OpenSSL 1.0.2e from official website:
> +    http://www.openssl.org/source/openssl-1.0.2e.tar.gz
> 
> -    NOTE: Some web browsers may rename the downloaded TAR file to 
> openssl-1.0.2d.tar.tar.
> -          When you do the download, rename the "openssl-1.0.2d.tar.tar" to
> -          "openssl-1.0.2d.tar.gz" or rename the local downloaded file with 
> ".tar.tar"
> +    NOTE: Some web browsers may rename the downloaded TAR file to 
> openssl-1.0.2e.tar.tar.
> +          When you do the download, rename the "openssl-1.0.2e.tar.tar" to
> +          "openssl-1.0.2e.tar.gz" or rename the local downloaded file with 
> ".tar.tar"
>            extension to ".tar.gz".
> 
> -2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
> +2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2e
> 
>      NOTE: If you use WinZip to unpack the openssl source in Windows, please
>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options 
> -->
>            Configuration --> Miscellaneous --> "TAR file smart CR/LF 
> conversion").
> 
> -3.  Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation
> +3.  Apply this patch: EDKII_openssl-1.0.2e.patch, and make installation
> 
>      For Windows Environment:
>      ------------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Install Cygwin or get the patch utility binary from
>            http://gnuwin32.sourceforge.net/packages/patch.htm
> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
> -    3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2e
> +    3) patch -p0 -i ..\EDKII_openssl-1.0.2e.patch
>      4) cd ..
>      5) Install.cmd
> 
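Review bot: the tarball URL in the OpenSSL-Version and step 1 sections stays plain `http://www.openssl.org/source/openssl-1.0.2e.tar.gz`, and the HOWTO has no integrity step before extraction; since the commit message notes upstream pulled the previous release for security fixes, suggest switching the URL to https and adding a step to verify the checksum and PGP signature that openssl.org publishes beside the tarball, so the source built into firmware is known to match the release.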
> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under 
> UEFI environment.
>      -----------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Patch utility is available from 
> http://directory.fsf.org/project/patch/
> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
> -    3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2e
> +    3) patch -p0 -i ../EDKII_openssl-1.0.2e.patch
>      4) cd ..
>      5) ./Install.sh
> 
> --
> 1.9.1

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel