From: tye1 Date: Mon, 7 May 2012 10:29:58 +0000 (+0000) Subject: Upgrade openssl version to 0.98w. X-Git-Tag: edk2-stable201903~13424 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=5359174326a48e8392457e43484da84361cf7560;hp=7c9fbd79d1fc8b817acb72c61cc19605d2f24907;p=mirror_edk2.git Upgrade openssl version to 0.98w. Signed-off by: Ye Ting Reviewed-by: Dong Guo git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13289 6f19259b-4bc3-4df7-8a09-765794883524
---
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8l.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8l.patch
deleted file mode 100644
index d14b08e770..0000000000
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8l.patch
+++ /dev/null
@@ -1,159 +0,0 @@ ---- crypto/bio/bss_file.c Thu Jan 15 17:14:12 1970 -+++ crypto/bio/bss_file.c Thu Jan 15 17:14:12 1970 -@@ -421,6 +421,23 @@ - return(ret); - } - -+#else -+ -+BIO_METHOD *BIO_s_file(void) -+ { -+ return NULL; -+ } -+ -+BIO *BIO_new_file(const char *filename, const char *mode) -+ { -+ return NULL; -+ } -+ -+BIO *BIO_new_fp(FILE *stream, int close_flag) -+ { -+ return NULL; -+ } -+ - #endif /* OPENSSL_NO_STDIO */ - - #endif /* HEADER_BSS_FILE_C */ ---- crypto/err/err.c -+++ crypto/err/err.c -@@ -313,7 +313,12 @@ - es->err_data_flags[i]=flags; - } - -+/* Add EFIAPI for UEFI version. */ -+#if defined(OPENSSL_SYS_UEFI) -+void EFIAPI ERR_add_error_data(int num, ...) -+#else - void ERR_add_error_data(int num, ...) -+#endif - { - va_list args; - int i,n,s; ---- crypto/err/err.h -+++ crypto/err/err.h -@@ -286,8 +286,14 @@ - #endif - #ifndef OPENSSL_NO_BIO - void ERR_print_errors(BIO *bp); -+ -+/* Add EFIAPI for UEFI version. */ -+#if defined(OPENSSL_SYS_UEFI) -+void EFIAPI ERR_add_error_data(int num, ...); -+#else - void ERR_add_error_data(int num, ...); - #endif -+#endif - void ERR_load_strings(int lib,ERR_STRING_DATA str[]); - void ERR_unload_strings(int lib,ERR_STRING_DATA str[]); - void ERR_load_ERR_strings(void); ---- crypto/opensslconf.h -+++ crypto/opensslconf.h -@@ -162,6 +162,9 @@ - /* The prime number generation stuff may not work when - * EIGHT_BIT but I don't care since I've only used this mode - * for debuging the bignum libraries */ -+ -+/* Bypass following definition for UEFI version. 
*/ -+#if !defined(OPENSSL_SYS_UEFI) - #undef SIXTY_FOUR_BIT_LONG - #undef SIXTY_FOUR_BIT - #define THIRTY_TWO_BIT -@@ -169,6 +172,8 @@ - #undef EIGHT_BIT - #endif - -+#endif -+ - #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) - #define CONFIG_HEADER_RC4_LOCL_H - /* if this is defined data[i] is used instead of *data, this is a %20 ---- crypto/pkcs7/pk7_smime.c 2009-03-15 21:36:02.000000000 +0800 -+++ crypto/pkcs7/pk7_smime.c 2011-09-13 14:11:36.019454700 +0800 -@@ -88,7 +88,10 @@ - if (!PKCS7_content_new(p7, NID_pkcs7_data)) - goto err; - -- if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { -+ /* -+ NOTE: Update to SHA-256 digest algorithm for UEFI version. -+ */ -+ if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha256()))) { - PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); - goto err; - } ---- crypto/rand/rand_egd.c Thu Jan 15 17:14:12 1970 -+++ crypto/rand/rand_egd.c Thu Jan 15 17:14:12 1970 -@@ -95,7 +95,7 @@ - * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. 
- */ - --#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) -+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) - int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) - { - return(-1); ---- crypto/rand/rand_unix.c Thu Jan 15 17:14:12 1970 -+++ crypto/rand/rand_unix.c Thu Jan 15 17:14:12 1970 -@@ -116,7 +116,7 @@ - #include - #include "rand_lcl.h" - --#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) -+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI)) - - #include - #include -@@ -322,7 +322,7 @@ - #endif /* !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) */ - - --#if defined(OPENSSL_SYS_VXWORKS) -+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) - int RAND_poll(void) - { - return 0; ---- crypto/x509/x509_vfy.c Thu Jan 15 17:14:12 1970 -+++ crypto/x509/x509_vfy.c Thu Jan 15 17:14:12 1970 -@@ -391,7 +391,12 @@ - - static int check_chain_extensions(X509_STORE_CTX *ctx) - { --#ifdef OPENSSL_NO_CHAIN_VERIFY -+//#ifdef OPENSSL_NO_CHAIN_VERIFY -+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI) -+ /* -+ NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting -+ in Authenticode Signing Certificates. 
-+ */ - return 1; - #else - int i, ok=0, must_be_ca, plen = 0; -@@ -904,6 +909,10 @@ - - static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) - { -+#if defined(OPENSSL_SYS_UEFI) -+ /* Bypass Certificate Time Checking for UEFI version. */ -+ return 1; -+#else - time_t *ptime; - int i; - -@@ -947,6 +956,7 @@ - } - - return 1; -+#endif - } - - static int internal_verify(X509_STORE_CTX *ctx) diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch new file mode 100644 index 0000000000..3b312482ee --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch 
@@ -0,0 +1,174 @@ +Index: crypto/bio/bss_file.c +=================================================================== +--- crypto/bio/bss_file.c (revision 1) ++++ crypto/bio/bss_file.c (working copy) +@@ -428,6 +428,23 @@ + return(ret); + } + ++#else ++ ++BIO_METHOD *BIO_s_file(void) ++ { ++ return NULL; ++ } ++ ++BIO *BIO_new_file(const char *filename, const char *mode) ++ { ++ return NULL; ++ } ++ ++BIO *BIO_new_fp(FILE *stream, int close_flag) ++ { ++ return NULL; ++ } ++ + #endif /* OPENSSL_NO_STDIO */ + + #endif /* HEADER_BSS_FILE_C */ +Index: crypto/err/err.c +=================================================================== +--- crypto/err/err.c (revision 1) ++++ crypto/err/err.c (working copy) +@@ -313,7 +313,12 @@ + es->err_data_flags[i]=flags; + } + ++/* Add EFIAPI for UEFI version. */ ++#if defined(OPENSSL_SYS_UEFI) ++void EFIAPI ERR_add_error_data(int num, ...) ++#else + void ERR_add_error_data(int num, ...) ++#endif + { + va_list args; + int i,n,s; +Index: crypto/err/err.h +=================================================================== +--- crypto/err/err.h (revision 1) ++++ crypto/err/err.h (working copy) +@@ -286,8 +286,14 @@ + #endif + #ifndef OPENSSL_NO_BIO + void ERR_print_errors(BIO *bp); ++ ++/* Add EFIAPI for UEFI version. */ ++#if defined(OPENSSL_SYS_UEFI) ++void EFIAPI ERR_add_error_data(int num, ...); ++#else + void ERR_add_error_data(int num, ...); + #endif ++#endif + void ERR_load_strings(int lib,ERR_STRING_DATA str[]); + void ERR_unload_strings(int lib,ERR_STRING_DATA str[]); + void ERR_load_ERR_strings(void); +Index: crypto/opensslconf.h +=================================================================== +--- crypto/opensslconf.h (revision 1) ++++ crypto/opensslconf.h (working copy) +@@ -162,6 +162,9 @@ + /* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debuging the bignum libraries */ ++ ++/* Bypass following definition for UEFI version. 
*/ ++#if !defined(OPENSSL_SYS_UEFI) + #undef SIXTY_FOUR_BIT_LONG + #undef SIXTY_FOUR_BIT + #define THIRTY_TWO_BIT +@@ -169,6 +172,8 @@ + #undef EIGHT_BIT + #endif + ++#endif ++ + #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) + #define CONFIG_HEADER_RC4_LOCL_H + /* if this is defined data[i] is used instead of *data, this is a %20 +Index: crypto/pkcs7/pk7_smime.c +=================================================================== +--- crypto/pkcs7/pk7_smime.c (revision 1) ++++ crypto/pkcs7/pk7_smime.c (working copy) +@@ -88,7 +88,10 @@ + if (!PKCS7_content_new(p7, NID_pkcs7_data)) + goto err; + +- if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { ++ /* ++ NOTE: Update to SHA-256 digest algorithm for UEFI version. ++ */ ++ if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha256()))) { + PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); + goto err; + } +Index: crypto/rand/rand_egd.c +=================================================================== +--- crypto/rand/rand_egd.c (revision 1) ++++ crypto/rand/rand_egd.c (working copy) +@@ -95,7 +95,7 @@ + * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. 
+ */ + +-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) ++#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) + int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) + { + return(-1); +Index: crypto/rand/rand_unix.c +=================================================================== +--- crypto/rand/rand_unix.c (revision 1) ++++ crypto/rand/rand_unix.c (working copy) +@@ -116,7 +116,7 @@ + #include + #include "rand_lcl.h" + +-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) ++#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI)) + + #include + #include +@@ -322,7 +322,7 @@ + #endif /* !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) */ + + +-#if defined(OPENSSL_SYS_VXWORKS) ++#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) + int RAND_poll(void) + { + return 0; +Index: crypto/x509/x509_vfy.c +=================================================================== +--- crypto/x509/x509_vfy.c (revision 1) ++++ crypto/x509/x509_vfy.c (working copy) +@@ -386,7 +386,11 @@ + + static int check_chain_extensions(X509_STORE_CTX *ctx) + { +-#ifdef OPENSSL_NO_CHAIN_VERIFY ++#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI) ++ /* ++ NOTE: Bypass KU Flags Checking for UEFI version. 
There are incorrect KU flag setting ++ in Authenticode Signing Certificates. ++ */ + return 1; + #else + int i, ok=0, must_be_ca, plen = 0; +@@ -899,6 +903,10 @@ + + static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) + { ++#if defined(OPENSSL_SYS_UEFI) ++ /* Bypass Certificate Time Checking for UEFI version. */ ++ return 1; ++#else + time_t *ptime; + int i; + +@@ -942,6 +950,7 @@ + } + + return 1; ++#endif + } + + static int internal_verify(X509_STORE_CTX *ctx) diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index 8dd91c0ab1..a2a88e44e5 100644 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-0.9.8l +cd openssl-0.9.8w copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\tmdiff.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 43b6cb4946..fa910b2d7d 100644 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-0.9.8l +cd openssl-0.9.8w cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/tmdiff.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index 2034457367..e8bec20fb3 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -1,7 +1,7 @@ ## @file # OpenSSL Library implementation. # -# Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
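Review bot: In the x509_vfy.c section of the new EDKII_openssl-0.9.8w.patch, `check_chain_extensions` and `check_cert_time` both `return 1` unconditionally under `OPENSSL_SYS_UEFI`, which is wider than the stated reason (incorrect KU flags in Authenticode signing certificates). The skipped body of `check_chain_extensions` declares `must_be_ca` and `plen`, so the CA and path-length checks appear to be skipped along with key usage, and expired or not-yet-valid certificates pass the time check for every caller of chain verification, not only Authenticode. At minimum the comment should say so, e.g. `/* NOTE: UEFI build skips ALL chain extension checks (not only KU) and all validity-period checks; callers must enforce their own policy. */`; better, keep the CA and path-length checks and relax only the KU test. The same patch gives the UEFI build the stub `RAND_poll` that returns 0 without gathering anything, so code that needs random numbers has to seed the RNG explicitly. Both function bodies continue outside the context quoted in the patch.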
+# Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
# This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at @@ -19,7 +19,7 @@ MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-0.9.8l + DEFINE OPENSSL_PATH = openssl-0.9.8w DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index c35f88d55e..7641da8e4a 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
@@ -17,45 +17,45 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 0.9.8l. - http://www.openssl.org/source/openssl-0.9.8l.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 0.9.8w. + http://www.openssl.org/source/openssl-0.9.8w.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 0.9.8l from official website: - http://www.openssl.org/source/openssl-0.9.8l.tar.gz +1. Download OpenSSL 0.9.8w from official website: + http://www.openssl.org/source/openssl-0.9.8w.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8l.tar.tar. - When you do the download, rename the "openssl-0.9.8l.tar.tar" to - "openssl-0.9.8l.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8w.tar.tar. + When you do the download, rename the "openssl-0.9.8w.tar.tar" to + "openssl-0.9.8w.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8l +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8w NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-0.9.8l.patch, and make installation +3. 
Apply this patch: EDKII_openssl-0.9.8w.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8l - 3) patch -p0 -i ..\EDKII_openssl-0.9.8l.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8w + 3) patch -p0 -i ..\EDKII_openssl-0.9.8w.patch 4) cd .. - 5) install.cmd + 5) Install.cmd For Linux* Environment: ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8l - 3) patch -p0 -i ../EDKII_openssl-0.9.8l.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8w + 3) patch -p0 -i ../EDKII_openssl-0.9.8w.patch 4) cd .. - 5) ./install.sh + 5) ./Install.sh