On 02/17/16 17:33, Qin Long wrote: > OpenSSL has released version 1.0.2f with two security fixes > (http://www.openssl.org/news/secadv/20160128.txt) at 28-Jan-2016. > Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib > to catch the latest release 1.0.2f. > (NOTE: The patch file was just re-generated, and no new source > changes was introduced for 1.0.2f enabling) > > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Qin Long <[email protected]> > CC: Ting Ye <[email protected]> > --- > ...ssl-1.0.2e.patch => EDKII_openssl-1.0.2f.patch} | 63 > +++++++++++----------- > CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- > CryptoPkg/Library/OpensslLib/Install.sh | 2 +- > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 4 +- > CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++----- > 5 files changed, 48 insertions(+), 49 deletions(-) > rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2e.patch => > EDKII_openssl-1.0.2f.patch} (89%) > > diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch > b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch > similarity index 89% > rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch > rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch > index e4eaff6..c42b776 100644 > --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2e.patch > +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch > @@ -1,7 +1,7 @@ > diff U3 crypto/bio/bio.h crypto/bio/bio.h > ---- crypto/bio/bio.h Thu Jun 11 21:50:12 2015 > -+++ crypto/bio/bio.h Fri Jun 12 11:00:52 2015 > -@@ -646,10 +646,10 @@ > +--- crypto/bio/bio.h Thu Jan 28 21:56:08 2016 > ++++ crypto/bio/bio.h Wed Feb 17 16:43:40 2016 > +@@ -650,10 +650,10 @@ > int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix, > asn1_ps_func **psuffix_free); 
> > @@ -14,8 +14,8 @@ diff U3 crypto/bio/bio.h crypto/bio/bio.h > # endif > BIO *BIO_new(BIO_METHOD *type); > diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c > ---- crypto/bio/bss_file.c Thu Jun 11 21:01:06 2015 > -+++ crypto/bio/bss_file.c Fri Jun 12 11:01:28 2015 > +--- crypto/bio/bss_file.c Thu Jan 28 21:38:30 2016 > ++++ crypto/bio/bss_file.c Wed Feb 17 16:01:02 2016 > @@ -467,6 +467,23 @@ > return (ret); > } > @@ -41,8 +41,8 @@ diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c > > #endif /* HEADER_BSS_FILE_C */ > diff U3 crypto/dh/dh_pmeth.c crypto/dh/dh_pmeth.c > ---- crypto/dh/dh_pmeth.c Thu Jun 11 21:50:12 2015 > -+++ crypto/dh/dh_pmeth.c Fri Jun 12 11:08:48 2015 > +--- crypto/dh/dh_pmeth.c Thu Jan 28 21:56:08 2016 > ++++ crypto/dh/dh_pmeth.c Wed Feb 17 16:15:58 2016 > @@ -449,6 +449,9 @@ > *keylen = ret; > return 1; > @@ -62,8 +62,8 @@ diff U3 crypto/dh/dh_pmeth.c crypto/dh/dh_pmeth.c > return 1; > } > diff U3 crypto/pem/pem.h crypto/pem/pem.h > ---- crypto/pem/pem.h Thu Jun 11 21:50:12 2015 > -+++ crypto/pem/pem.h Fri Jun 12 10:58:18 2015 > +--- crypto/pem/pem.h Thu Jan 28 21:56:08 2016 > ++++ crypto/pem/pem.h Wed Feb 17 15:56:26 2016 > @@ -324,6 +324,7 @@ > > # define DECLARE_PEM_read_fp(name, type) /**/ > @@ -73,8 +73,8 @@ diff U3 crypto/pem/pem.h crypto/pem/pem.h > # else > > diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c > ---- crypto/pkcs7/pk7_smime.c Thu Jun 11 21:01:06 2015 > -+++ crypto/pkcs7/pk7_smime.c Fri Jun 12 11:23:38 2015 > +--- crypto/pkcs7/pk7_smime.c Thu Jan 28 21:56:08 2016 > ++++ crypto/pkcs7/pk7_smime.c Wed Feb 17 16:22:45 2016 > @@ -254,7 +254,8 @@ > STACK_OF(PKCS7_SIGNER_INFO) *sinfos; > PKCS7_SIGNER_INFO *si; 
> @@ -114,20 +114,19 @@ diff U3 crypto/pkcs7/pk7_smime.c > crypto/pkcs7/pk7_smime.c > if (i <= 0) > break; > if (tmpout) > -@@ -394,6 +394,10 @@ > +@@ -394,6 +394,9 @@ > } > BIO_free_all(p7bio); > sk_X509_free(signers); > -+ > + if (buf != NULL) { > -+ OPENSSL_free(buf); > ++ OPENSSL_free(buf); > + } > return ret; > } > > diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c > ---- crypto/rand/rand_unix.c Thu Jun 11 21:01:06 2015 > -+++ crypto/rand/rand_unix.c Fri Jun 12 10:51:21 2015 > +--- crypto/rand/rand_unix.c Thu Jan 28 21:38:32 2016 > ++++ crypto/rand/rand_unix.c Wed Feb 17 15:40:02 2016 > @@ -116,7 +116,7 @@ > #include <openssl/rand.h> > #include "rand_lcl.h" > @@ -147,8 +146,8 @@ diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c > { > return 0; > diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c > ---- crypto/rsa/rsa_ameth.c Thu Jun 11 21:50:12 2015 > -+++ crypto/rsa/rsa_ameth.c Fri Jun 12 10:45:38 2015 > +--- crypto/rsa/rsa_ameth.c Thu Jan 28 21:56:08 2016 > ++++ crypto/rsa/rsa_ameth.c Wed Feb 17 15:09:46 2016 > @@ -68,10 +68,12 @@ > #endif > #include "asn1_locl.h" > @@ -221,8 +220,8 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c > const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { > { > diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > ---- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 > -+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 > +--- crypto/x509/x509_vfy.c Thu Jan 28 21:56:08 2016 > ++++ crypto/x509/x509_vfy.c Wed Feb 17 16:09:58 2016 > @@ -940,6 +940,8 @@ > ctx->current_crl = crl; > if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) > @@ -242,8 +241,8 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > ptime = NULL; > > diff U3 crypto/x509/x509_vfy.h crypto/x509/x509_vfy.h > ---- crypto/x509/x509_vfy.h Thu Jul 09 19:57:16 2015 > -+++ crypto/x509/x509_vfy.h Thu Oct 29 14:05:57 2015 > +--- crypto/x509/x509_vfy.h Thu Jan 28 21:56:08 2016 > ++++ crypto/x509/x509_vfy.h Wed Feb 17 16:08:18 2016 
> @@ -438,6 +438,8 @@ > * will force the behaviour to match that of previous versions. > */ > @@ -254,8 +253,8 @@ diff U3 crypto/x509/x509_vfy.h crypto/x509/x509_vfy.h > # define X509_VP_FLAG_DEFAULT 0x1 > # define X509_VP_FLAG_OVERWRITE 0x2 > diff U3 crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h > ---- crypto/x509v3/ext_dat.h Thu Jun 11 21:50:12 2015 > -+++ crypto/x509v3/ext_dat.h Fri Jun 12 11:11:03 2015 > +--- crypto/x509v3/ext_dat.h Thu Jan 28 21:56:08 2016 > ++++ crypto/x509v3/ext_dat.h Wed Feb 17 16:13:30 2016 > @@ -127,8 +127,10 @@ > &v3_idp, > &v3_alt[2], > @@ -268,8 +267,8 @@ diff U3 crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h > > /* Number of standard extensions */ > diff U3 crypto/crypto.h crypto/crypto.h > ---- crypto/crypto.h Thu Jun 11 21:01:06 2015 > -+++ crypto/crypto.h Fri Jun 12 11:33:27 2015 > +--- crypto/crypto.h Thu Jan 28 21:38:30 2016 > ++++ crypto/crypto.h Wed Feb 17 16:33:00 2016 > @@ -235,15 +235,15 @@ > # ifndef OPENSSL_NO_LOCKING > # ifndef CRYPTO_w_lock > @@ -353,8 +352,8 @@ diff U3 crypto/crypto.h crypto/crypto.h > > # else > diff U3 crypto/opensslconf.h crypto/opensslconf.h > ---- crypto/opensslconf.h Thu Jun 11 21:55:38 2015 > -+++ crypto/opensslconf.h Fri Jun 12 10:28:27 2015 > +--- crypto/opensslconf.h Thu Jan 28 21:57:22 2016 > ++++ crypto/opensslconf.h Wed Feb 17 14:58:26 2016 > @@ -5,15 +5,72 @@ > extern "C" { > #endif > @@ -675,8 +674,8 @@ diff U3 crypto/opensslconf.h crypto/opensslconf.h > #undef BN_LLONG > > diff U3 e_os.h e_os.h > ---- e_os.h Thu Jul 09 19:57:16 2015 > -+++ e_os.h Thu Oct 29 16:54:10 2015 > +--- e_os.h Thu Jan 28 21:56:08 2016 > ++++ e_os.h Wed Feb 17 15:52:08 2016 > @@ -136,7 +136,7 @@ > # define MSDOS > # endif > @@ -687,8 +686,8 @@ diff U3 e_os.h e_os.h > # endif > > diff U3 e_os2.h e_os2.h > ---- e_os2.h Thu Jul 09 19:57:16 2015 > -+++ e_os2.h Thu Oct 29 15:08:19 2015 > +--- e_os2.h Thu Jan 28 21:56:08 2016 > ++++ e_os2.h Wed Feb 17 15:53:08 2016 
> @@ -97,7 +97,14 @@ > * For 32 bit environment, there seems to be the CygWin environment and then > * all the others that try to do the same thing Microsoft does... > diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd > b/CryptoPkg/Library/OpensslLib/Install.cmd > index b9b6fc6..a96501c 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.cmd > +++ b/CryptoPkg/Library/OpensslLib/Install.cmd > @@ -1,4 +1,4 @@ > -cd openssl-1.0.2e > +cd openssl-1.0.2f > copy e_os2.h ..\..\..\Include\openssl > copy crypto\crypto.h ..\..\..\Include\openssl > copy crypto\opensslv.h ..\..\..\Include\openssl > diff --git a/CryptoPkg/Library/OpensslLib/Install.sh > b/CryptoPkg/Library/OpensslLib/Install.sh > index 5434395..76648cd 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.sh > +++ b/CryptoPkg/Library/OpensslLib/Install.sh > @@ -1,6 +1,6 @@ > #!/bin/sh > > -cd openssl-1.0.2e > +cd openssl-1.0.2f > cp e_os2.h ../../../Include/openssl > cp crypto/crypto.h ../../../Include/openssl > cp crypto/opensslv.h ../../../Include/openssl > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index 54ac055..9b6e860 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > @@ -1,7 +1,7 @@ > ## @file > # This module provides openSSL Library implementation. > # > -# Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR> > +# Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR> > # This program and the accompanying materials > # are licensed and made available under the terms and conditions of the BSD > License > # which accompanies this distribution. The full text of the license may be > found at 
> @@ -20,7 +20,7 @@ > MODULE_TYPE = BASE > VERSION_STRING = 1.0 > LIBRARY_CLASS = OpensslLib > - DEFINE OPENSSL_PATH = openssl-1.0.2e > + DEFINE OPENSSL_PATH = openssl-1.0.2f > DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT > -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE > > # > diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > index f575d71..433f626 100644 > --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building > under UEFI environment. > > ================================================================================ > OpenSSL-Version > > ================================================================================ > - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2e. > - http://www.openssl.org/source/openssl-1.0.2e.tar.gz > + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2f. > + http://www.openssl.org/source/openssl-1.0.2f.tar.gz > > > > ================================================================================ > HOW to Install Openssl for UEFI Building > > ================================================================================ > -1. Download OpenSSL 1.0.2e from official website: > - http://www.openssl.org/source/openssl-1.0.2e.tar.gz > +1. Download OpenSSL 1.0.2f from official website: > + http://www.openssl.org/source/openssl-1.0.2f.tar.gz > > - NOTE: Some web browsers may rename the downloaded TAR file to > openssl-1.0.2e.tar.tar. > - When you do the download, rename the "openssl-1.0.2e.tar.tar" to > - "openssl-1.0.2e.tar.gz" or rename the local downloaded file with > ".tar.tar" > + NOTE: Some web browsers may rename the downloaded TAR file to > openssl-1.0.2f.tar.tar. > + When you do the download, rename the "openssl-1.0.2f.tar.tar" to > + "openssl-1.0.2f.tar.gz" or rename the local downloaded file with > ".tar.tar" > extension to ".tar.gz". > > -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2e > +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2f > > NOTE: If you use WinZip to unpack the openssl source in Windows, please > uncheck the WinZip smart CR/LF conversion option (WINZIP: Options > --> > Configuration --> Miscellaneous --> "TAR file smart CR/LF > conversion"). > > -3. Apply this patch: EDKII_openssl-1.0.2e.patch, and make installation > +3. 
Apply this patch: EDKII_openssl-1.0.2f.patch, and make installation > > For Windows Environment: > ------------------------ > 1) Make sure the patch utility has been installed in your machine. > Install Cygwin or get the patch utility binary from > http://gnuwin32.sourceforge.net/packages/patch.htm > - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2e > - 3) patch -p0 -i ..\EDKII_openssl-1.0.2e.patch > + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2f > + 3) patch -p0 -i ..\EDKII_openssl-1.0.2f.patch > 4) cd .. > 5) Install.cmd > > @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under > UEFI environment. > ----------------------- > 1) Make sure the patch utility has been installed in your machine. > Patch utility is available from > http://directory.fsf.org/project/patch/ > - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2e > - 3) patch -p0 -i ../EDKII_openssl-1.0.2e.patch > + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2f > + 3) patch -p0 -i ../EDKII_openssl-1.0.2f.patch > 4) cd .. > 5) ./Install.sh > >
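Review bot: the commit message's "no new source changes" does not quite match the pk7_smime.c part of the renamed patch, where the hunk header shrinks from `+@@ -394,6 +394,10 @@` to `+@@ -394,6 +394,9 @@` because the blank `+` line before `if (buf != NULL) {` was dropped and `OPENSSL_free(buf);` was re-indented. Both are whitespace-only, so the edk2 modification itself is unchanged, but a regenerated patch whose content differs from the previous one should say so in the message (e.g. "only the file timestamps, the bio.h hunk offset 646 -> 650, and whitespace in the pk7_smime.c hunk changed"); otherwise the next person diffing EDKII_openssl-1.0.2e.patch against EDKII_openssl-1.0.2f.patch has to work out for themselves whether the extra delta is benign.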
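Review bot: `cd openssl-1.0.2f` in Install.sh and Install.cmd is unchecked, so if the directory name is wrong (the string now has to agree across Install.cmd, Install.sh, the `DEFINE OPENSSL_PATH = openssl-1.0.2f` line in OpensslLib.inf, Patch-HOWTO.txt and the patch filename) the script stays in CryptoPkg/Library/OpensslLib and the following `cp e_os2.h ../../../Include/openssl` lines run from the wrong directory, failing one by one or copying stale headers. Suggest `cd openssl-1.0.2f || exit 1` in Install.sh and the equivalent error check after the `cd` in Install.cmd, and ideally deriving the directory name from the single OPENSSL_PATH define so a version bump touches one place instead of five.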
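Review bot: step 1 of the HOWTO fetches openssl-1.0.2f.tar.gz over plain http://www.openssl.org/source/ and step 2 extracts it with no integrity check before step 3 patches it into the UEFI crypto library, so whatever arrives on the wire is what gets built into the firmware. Add a step between 1 and 2 that checks the tarball against the digest or detached PGP signature published for the release, with the expected value recorded in this file (e.g. compare the output of `sha256sum openssl-1.0.2f.tar.gz` with the published digest), and switch the URL to https://. For step 3, a `patch -p0 --dry-run -i ..\EDKII_openssl-1.0.2f.patch` before the real run would also catch a tree that is not the expected 1.0.2f sources before it is left half-modified.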
This patch seems right.

I also tried to diff the "openssl-1.0.2e" and "openssl-1.0.2f" trees against each other, to see if "no new source changes [...] introduced for 1.0.2f enabling" is indeed the right thing to do.

The result of that diffing is a 3000-line patch, with the following diffstat:

  144 files changed, 815 insertions(+), 476 deletions(-)

The release strategy for OpenSSL <http://www.openssl.org/policies/releasestrat.html> writes:

  [...] Letter releases, such as 1.0.1a, exclusively contain bug and security fixes and no new features. [...]

So, since we're going from 1.0.2e to 1.0.2f, one would expect a full tree diff that reflects "exclusively bug and security fixes" -- such fixes in particular that have been announced in the 1.0.2e -> 1.0.2f release notes:

  https://www.openssl.org/news/changelog.html#x1

While I'm absolutely no crypto expert, I have a hard time believing that fixing the two major issues listed by the release notes required touching *144 files*!

So, I hereby declare the OpenSSL updates practically un-review-able, even just for *scope* -- i.e., in order to see how far those changes extend. I also claim that the OpenSSL release strategy is not being implemented in reality -- the "letter releases" actually seem to be vulnerability-triggered *snapshots* of the 1.0.2 tree, where the code influx, albeit low volume, definitely meanders outside of bug and security fixes.

Here's an example hunk:

> diff -Naurp openssl-1.0.2e/crypto/ui/ui_lib.c openssl-1.0.2f/crypto/ui/ui_lib.c
> --- openssl-1.0.2e/crypto/ui/ui_lib.c 2015-12-03 15:04:23.000000000 +0100
> +++ openssl-1.0.2f/crypto/ui/ui_lib.c 2016-01-28 14:38:31.000000000 +0100
> @@ -1,4 +1,4 @@
> -/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */
> +/* crypto/ui/ui_lib.c */
>  /*
>   * Written by Richard Levitte ([email protected]) for the OpenSSL project
>   * 2001.

Seriously?

Now, one might ask why I care. I care because for some downstreams of edk2 at least, the situation that openssl has to be patched in before a secure boot enabled build is completely unacceptable. That makes it super-unwieldy to bisect a secure boot enabled build for example. It also requires all people who clone your tree to patch in OpenSSL manually. Importing openssl should be a run-of-the-mill *commit* in the git history (and it is, for us).

Then you can understand why I care about actual OpenSSL differences -- because when the OpenSSL addition is an actual commit in your repo, the upgrade looks like this:

- revert the commit that captured the execution of the previous Patch-HOWTO.txt
- perform the current Patch-HOWTO.txt, commit the results as a new commit
- *squash* these two commits (unless you are happy with two, several MB long patches -- good luck to your mailing list!)
- now you have an incremental patch in your history that takes you from 1.0.2e to 1.0.2f

Except, of course, that patch is fully unreviewable -- it is no better than a binary-only code drop.

Honestly, edk2 should either incorporate OpenSSL permanently, or build it 100% from an external, unmodified upstream tarball (I think this is what David has been working on, right?)

Anyway, my point is, I'm unable to verify the claim of this edk2 patch that says no new (edk2) source changes are necessary for 1.0.2f enablement. I hope it's true. (Well, that's the general MO with crypto software anyway -- "we hope it's correct".)

Okay, I'm done ranting.

Reviewed-by: Laszlo Ersek <[email protected]>

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
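One way to put numbers behind the scope complaint in the reply above, as an added example that is not part of the original thread, of edk2, or of OpenSSL: a POSIX shell script that (1) checks a downloaded tarball against a SHA-256 the reviewer copied from the upstream release page, which the quoted Patch-HOWTO steps never do, and (2) walks two extracted upstream trees and sorts every differing file into "cosmetic" (only whitespace or C comment lines changed, as in the ui_lib.c hunk) or "substantive". It assumes a `diff` that understands `-w` and `-I` (GNU or BSD) and `sha256sum` or `shasum`; the demo trees it builds when run without arguments are constructed sample files, not OpenSSL sources, and the file names in the usage comments are placeholders.

```shell
#!/bin/sh
# scope_check.sh: added example, not edk2 or OpenSSL code.
# Triage an OpenSSL letter-release bump (e.g. 1.0.2e -> 1.0.2f): which of
# the differing files carry code changes, and which only comment or
# whitespace churn like the ui_lib.c hunk above. Assumes a diff that
# understands -w and -I (GNU or BSD) and sha256sum or shasum.
set -u

# verify_tarball FILE EXPECTED_SHA256: exit 0 if the digests match.
# The HOWTO fetches the tarball over plain http: and patches it straight
# away; compare it with the digest published for the release first.
verify_tarball() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# classify_file OLD NEW: prints "cosmetic" or "substantive".
# -w drops whitespace-only changes; -I drops hunks whose changed lines all
# start with /*, * or //. Nothing left means cosmetic. Deliberately crude:
# a code line such as "*p = 0;" also matches the "*" pattern, so treat
# "cosmetic" as a triage hint and still skim the file.
classify_file() {
    if diff -w -I '^[[:space:]]*/\*' -I '^[[:space:]]*\*' \
            -I '^[[:space:]]*//' "$1" "$2" >/dev/null 2>&1; then
        echo cosmetic
    else
        echo substantive
    fi
}

# scope_report OLD_DIR NEW_DIR: one "<class> <path>" line per differing
# file; files present in only one tree are always substantive. Paths
# containing spaces are not handled (the OpenSSL tree has none).
scope_report() {
    old_dir=$1
    new_dir=$2
    diff -rq "$old_dir" "$new_dir" | while IFS= read -r line; do
        case $line in
            "Only in "*) echo "substantive ${line#Only in }" ;;
            "Files "*)   set -- $line    # Files OLD and NEW differ
                         echo "$(classify_file "$2" "$4") ${2#"$old_dir"/}" ;;
        esac
    done
}

# count_substantive OLD_DIR NEW_DIR: number of files that need a real read.
count_substantive() {
    scope_report "$1" "$2" | grep -c '^substantive ' || true
}

# demo_trees DIR: constructed sample (not real OpenSSL sources): the
# ui_lib.c comment-only change, one genuine code change, one new file.
demo_trees() {
    mkdir -p "$1/old/crypto/ui" "$1/new/crypto/ui"
    printf '%s\n' '/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */' \
        '/*' ' * Written in 2001.' ' */' 'int f(void) { return 1; }' \
        > "$1/old/crypto/ui/ui_lib.c"
    printf '%s\n' '/* crypto/ui/ui_lib.c */' \
        '/*' ' * Written in 2001.' ' */' 'int f(void) { return 1; }' \
        > "$1/new/crypto/ui/ui_lib.c"
    printf '%s\n' 'int g(int x) { return x; }' > "$1/old/g.c"
    printf '%s\n' 'int g(int x) {' '    if (x < 0)' '        return 0;' \
        '    return x;' '}' > "$1/new/g.c"
    printf '%s\n' 'int h(void) { return 0; }' > "$1/new/added.c"
}

# sh scope_check.sh openssl-1.0.2e openssl-1.0.2f   (two extracted trees)
# sh scope_check.sh                                  (run on the demo trees)
case $# in
    2) scope_report "$1" "$2"
       echo "files needing real review: $(count_substantive "$1" "$2")" ;;
    0) d=$(mktemp -d); demo_trees "$d"
       scope_report "$d/old" "$d/new"
       echo "files needing real review: $(count_substantive "$d/old" "$d/new")"
       rm -rf "$d" ;;
esac
```

On the demo trees the report lists crypto/ui/ui_lib.c as cosmetic and g.c plus the new added.c as substantive, so "files needing real review" is 2 of 3. Run against the two real extracted trees it gives the reviewer the subset of the 144 files that changed anything other than comments and whitespace; the heuristic is a filter for where to spend reading time, not a proof that the cosmetic files are harmless, and the tarball check belongs before the HOWTO's patch step, not after.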

