On 10 July 2015 at 09:53, Ye, Ting <ting...@intel.com> wrote:
> Looks good to me.
> Reviewed-by: Ye Ting <ting...@intel.com>
>
@Qin: are you ok with this patch? I would like to get it submitted asap to fix our automated build (it is broken because 1.0.2c is no longer available for download)

Thanks,
Ard.

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org]
> Sent: Friday, July 10, 2015 2:54 PM
> To: edk2-devel@lists.sourceforge.net; Long, Qin; Dong, Guo; Ye, Ting
> Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
> Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
>
> Upstream OpenSSL version 1.0.2c contained a fatal flaw
> [CVE-2015-1793] and is no longer available from the openssl.org
> download servers. So upgrade to its replacement, version 1.0.2d.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> --- > CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => > EDKII_openssl-1.0.2d.patch} | 4 +-- > CryptoPkg/Library/OpensslLib/Install.cmd > | 2 +- > CryptoPkg/Library/OpensslLib/Install.sh > | 2 +- > CryptoPkg/Library/OpensslLib/OpensslLib.inf > | 2 +- > CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > | 26 ++++++++++---------- > 5 files changed, 18 insertions(+), 18 deletions(-) > > diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch > b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch > similarity index 96% > rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch > rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch > index 0d9575e94aef..72e5f3da54c4 100644 > --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch > +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch 
> @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c > diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 > +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 > -@@ -1647,6 +1647,10 @@ > +@@ -1653,6 +1653,10 @@ > > static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) > { > @@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c > time_t *ptime; > int i; > > -@@ -1686,6 +1690,7 @@ > +@@ -1692,6 +1696,7 @@ > } > > return 1; > diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd > b/CryptoPkg/Library/OpensslLib/Install.cmd > index f8d8582d9ef6..ef0a4bdcebc9 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.cmd > +++ b/CryptoPkg/Library/OpensslLib/Install.cmd > @@ -1,4 +1,4 @@ > -cd openssl-1.0.2c > +cd openssl-1.0.2d > copy e_os2.h ..\..\..\Include\openssl > copy crypto\crypto.h ..\..\..\Include\openssl > copy crypto\opensslv.h ..\..\..\Include\openssl > diff --git a/CryptoPkg/Library/OpensslLib/Install.sh > b/CryptoPkg/Library/OpensslLib/Install.sh > index 087655d50e2a..877e775b81af 100755 > --- a/CryptoPkg/Library/OpensslLib/Install.sh > +++ b/CryptoPkg/Library/OpensslLib/Install.sh > @@ -1,6 +1,6 @@ > #!/bin/sh > > -cd openssl-1.0.2c > +cd openssl-1.0.2d > cp e_os2.h ../../../Include/openssl > cp crypto/crypto.h ../../../Include/openssl > cp crypto/opensslv.h ../../../Include/openssl > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index dbf8a9621732..28d3aec00e2a 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> @@ -20,7 +20,7 @@ [Defines] > MODULE_TYPE = BASE > VERSION_STRING = 1.0 > LIBRARY_CLASS = OpensslLib > - DEFINE OPENSSL_PATH = openssl-1.0.2c > + DEFINE OPENSSL_PATH = openssl-1.0.2d > DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI > -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE > -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 > -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG > -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE > -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO > -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM > DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT > -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP > -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD > -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST > -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH > -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE > > diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > index 0ea7b8aa0ba5..59e74ee9b0d9 100644 > --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
> @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building > under UEFI environment. > > ================================================================================ > OpenSSL-Version > > ================================================================================ > - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. > - http://www.openssl.org/source/openssl-1.0.2c.tar.gz > + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. > + http://www.openssl.org/source/openssl-1.0.2d.tar.gz > > > > ================================================================================ > HOW to Install Openssl for UEFI Building > > ================================================================================ > -1. Download OpenSSL 1.0.2c from official website: > - http://www.openssl.org/source/openssl-1.0.2c.tar.gz > +1. Download OpenSSL 1.0.2d from official website: > + http://www.openssl.org/source/openssl-1.0.2d.tar.gz > > - NOTE: Some web browsers may rename the downloaded TAR file to > openssl-1.0.2c.tar.tar. > - When you do the download, rename the "openssl-1.0.2c.tar.tar" to > - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with > ".tar.tar" > + NOTE: Some web browsers may rename the downloaded TAR file to > openssl-1.0.2d.tar.tar. > + When you do the download, rename the "openssl-1.0.2d.tar.tar" to > + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with > ".tar.tar" > extension to ".tar.gz". > > -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c > +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d > > NOTE: If you use WinZip to unpack the openssl source in Windows, please > uncheck the WinZip smart CR/LF conversion option (WINZIP: Options > --> > Configuration --> Miscellaneous --> "TAR file smart CR/LF > conversion"). > > -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation > +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation > > For Windows Environment: > ------------------------ > 1) Make sure the patch utility has been installed in your machine. > Install Cygwin or get the patch utility binary from > http://gnuwin32.sourceforge.net/packages/patch.htm > - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c > - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch > + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d > + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch > 4) cd .. > 5) Install.cmd > > @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under > UEFI environment. > ----------------------- > 1) Make sure the patch utility has been installed in your machine. > Patch utility is available from > http://directory.fsf.org/project/patch/ > - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c > - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch > + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d > + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch > 4) cd .. > 5) ./Install.sh > > -- > 1.9.1 >
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
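
Review bot: In the renamed EDKII_openssl-1.0.2d.patch, the commit message does not say how the embedded patch was brought forward to 1.0.2d. The only lines that change are the two crypto/x509/x509_vfy.c hunk headers (1647 to 1653 and 1686 to 1692), which suggests the other embedded hunks are expected to apply at unchanged positions. Since Patch-HOWTO.txt has users run `patch -p0 -i ../EDKII_openssl-1.0.2d.patch`, please state in the commit message that the whole file was checked against an unmodified 1.0.2d tree and applies without fuzz or rejects, including the check_cert_time() change in x509_vfy.c.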
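
Review bot: In Install.sh, the `cd openssl-1.0.2d` that opens the script is unchecked, so if the tree was not extracted under exactly that name (for example only a stale openssl-1.0.2c directory is present after this update), the `cp` lines that follow run from OpensslLib itself and fail one after another instead of the script stopping. Suggest `cd openssl-1.0.2d || exit 1` and the equivalent check in Install.cmd. The version string is also repeated across Install.cmd, Install.sh, OpensslLib.inf and Patch-HOWTO.txt; defining it once would make the next OpenSSL security update a one-line change.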
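
Review bot: In Patch-HOWTO.txt, step 1 still points at `http://www.openssl.org/source/openssl-1.0.2d.tar.gz` over plain HTTP and gives no way to check the tarball, although it is the source of the firmware crypto library and this update exists because of CVE-2015-1793. Suggest an https URL plus a step that verifies the download against the digest or PGP signature published by OpenSSL before extracting. Separately, step 2 spells the directory `CryptoPkg/Library/OpenSslLib/` while every other path in this patch uses `OpensslLib`, which matters on case-sensitive filesystems.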