On 07/10/15 08:54, Ard Biesheuvel wrote:
> Upstream OpenSSL version 1.0.2c contained a fatal flaw
> [CVE-2015-1793] and is no longer available from the openssl.org
> download servers. So upgrade to its replacement, version 1.0.2d.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
>  CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => 
> EDKII_openssl-1.0.2d.patch} |  4 +--
>  CryptoPkg/Library/OpensslLib/Install.cmd                                     
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/Install.sh                                      
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf                                  
>            |  2 +-
>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt                                 
>            | 26 ++++++++++----------
>  5 files changed, 18 insertions(+), 18 deletions(-)
> 
> diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch 
> b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> similarity index 96%
> rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
> rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> index 0d9575e94aef..72e5f3da54c4 100644
> --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
> +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
> @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
>  diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
>  --- crypto/x509/x509_vfy.c   Thu Jun 11 21:52:58 2015
>  +++ crypto/x509/x509_vfy.c   Fri Jun 12 11:29:37 2015
> -@@ -1647,6 +1647,10 @@
> +@@ -1653,6 +1653,10 @@
>   
>   static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
>   {
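
Review bot: The embedded hunk headers for crypto/x509/x509_vfy.c shift by six lines (1647 to 1653 here, 1686 to 1692 in the next hunk) while the `---`/`+++` timestamps just above still read Jun 11/12 2015, so the diff does not show whether the patch was regenerated against a 1.0.2d tree or only had its offsets adjusted. It would help to state in the commit message that `patch -p0 -i ../EDKII_openssl-1.0.2d.patch` applies to a pristine 1.0.2d tree with no fuzz or offset warnings, since x509_vfy.c is the file the upstream CVE-2015-1793 fix touches.
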
> @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
>       time_t *ptime;
>       int i;
>   
> -@@ -1686,6 +1690,7 @@
> +@@ -1692,6 +1696,7 @@
>       }
>   
>       return 1;
> diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd 
> b/CryptoPkg/Library/OpensslLib/Install.cmd
> index f8d8582d9ef6..ef0a4bdcebc9 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.cmd
> +++ b/CryptoPkg/Library/OpensslLib/Install.cmd
> @@ -1,4 +1,4 @@
> -cd openssl-1.0.2c
> +cd openssl-1.0.2d
>  copy e_os2.h                    ..\..\..\Include\openssl
>  copy crypto\crypto.h            ..\..\..\Include\openssl
>  copy crypto\opensslv.h          ..\..\..\Include\openssl
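
Review bot: The directory name on the changed `cd` line is one of several hard-coded copies of the version string that this patch has to update in step (Install.cmd, Install.sh, `OPENSSL_PATH` in OpensslLib.inf, and the paths in Patch-HOWTO.txt). A copy missed on a later bump would leave the install scripts and the .inf pointing at different trees. Not a blocker for this change, but consider deriving the directory from a single definition, or noting in the HOWTO that all of these must match.
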
> diff --git a/CryptoPkg/Library/OpensslLib/Install.sh 
> b/CryptoPkg/Library/OpensslLib/Install.sh
> index 087655d50e2a..877e775b81af 100755
> --- a/CryptoPkg/Library/OpensslLib/Install.sh
> +++ b/CryptoPkg/Library/OpensslLib/Install.sh
> @@ -1,6 +1,6 @@
>  #!/bin/sh
>  
> -cd openssl-1.0.2c
> +cd openssl-1.0.2d
>  cp e_os2.h                    ../../../Include/openssl
>  cp crypto/crypto.h            ../../../Include/openssl
>  cp crypto/opensslv.h          ../../../Include/openssl
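
Review bot: The `cd openssl-1.0.2d` line has no failure check and nothing like `set -e` precedes it, so on a workspace that still has only the 1.0.2c tree extracted the `cp` lines run from the wrong directory and the script carries on past the errors. Suggest `cd openssl-1.0.2d || exit 1` so a stale or missing tree stops the install immediately instead of leaving the headers under Include/openssl half-updated or still at the vulnerable version.
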
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index dbf8a9621732..28d3aec00e2a 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -20,7 +20,7 @@ [Defines]
>    MODULE_TYPE                    = BASE
>    VERSION_STRING                 = 1.0
>    LIBRARY_CLASS                  = OpensslLib
> -  DEFINE OPENSSL_PATH            = openssl-1.0.2c
> +  DEFINE OPENSSL_PATH            = openssl-1.0.2d
>    DEFINE OPENSSL_FLAGS           = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI 
> -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
> -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 
> -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG 
> -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE 
> -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO 
> -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
>    DEFINE OPENSSL_EXFLAGS         = -DOPENSSL_SMALL_FOOTPRINT 
> -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP 
> -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD 
> -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST 
> -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH 
> -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE
>  
> diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> index 0ea7b8aa0ba5..59e74ee9b0d9 100644
> --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building 
> under UEFI environment.
>  
> ================================================================================
>                                  OpenSSL-Version
>  
> ================================================================================
> -  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
> -    http://www.openssl.org/source/openssl-1.0.2c.tar.gz
> +  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
> +    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
>  
>  
>  
> ================================================================================
>                        HOW to Install Openssl for UEFI Building
>  
> ================================================================================
> -1.  Download OpenSSL 1.0.2c from official website:
> -    http://www.openssl.org/source/openssl-1.0.2c.tar.gz
> +1.  Download OpenSSL 1.0.2d from official website:
> +    http://www.openssl.org/source/openssl-1.0.2d.tar.gz
>  
> -    NOTE: Some web browsers may rename the downloaded TAR file to 
> openssl-1.0.2c.tar.tar.
> -          When you do the download, rename the "openssl-1.0.2c.tar.tar" to
> -          "openssl-1.0.2c.tar.gz" or rename the local downloaded file with 
> ".tar.tar"
> +    NOTE: Some web browsers may rename the downloaded TAR file to 
> openssl-1.0.2d.tar.tar.
> +          When you do the download, rename the "openssl-1.0.2d.tar.tar" to
> +          "openssl-1.0.2d.tar.gz" or rename the local downloaded file with 
> ".tar.tar"
>            extension to ".tar.gz".
>  
> -2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
> +2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
>  
>      NOTE: If you use WinZip to unpack the openssl source in Windows, please
>            uncheck the WinZip smart CR/LF conversion option (WINZIP: Options 
> -->
>            Configuration --> Miscellaneous --> "TAR file smart CR/LF 
> conversion").
>  
> -3.  Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation
> +3.  Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation
>  
>      For Windows Environment:
>      ------------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Install Cygwin or get the patch utility binary from
>            http://gnuwin32.sourceforge.net/packages/patch.htm
> -    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
> -    3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
> +    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
> +    3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
>      4) cd ..
>      5) Install.cmd
>  
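
Review bot: The updated download lines still point at `http://www.openssl.org/source/openssl-1.0.2d.tar.gz` over plain HTTP, and none of the steps verifies the tarball before it is patched and built into firmware. Since this bump exists because of a security flaw, it would be a good moment to switch the URL to https and add a step that checks the archive against the checksum or signature published alongside it on openssl.org. Separately, step 2 extracts into `CryptoPkg/Library/OpenSslLib/...` while the `cd` steps below use `OpensslLib`; on a case-sensitive filesystem these are different directories, so the spelling in step 2 should match.
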
> @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under 
> UEFI environment.
>      -----------------------
>      1) Make sure the patch utility has been installed in your machine.
>         Patch utility is available from 
> http://directory.fsf.org/project/patch/
> -    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
> -    3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
> +    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
> +    3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
>      4) cd ..
>      5) ./Install.sh
>  
> 

Reviewed-by: Laszlo Ersek <ler...@redhat.com>

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
