Discussion:
[edk2] [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Ard Biesheuvel
2015-07-10 06:54:16 UTC
Upstream OpenSSL version 1.0.2c contained a fatal flaw
[CVE-2015-1793] and is no longer available from the openssl.org
download servers. So upgrade to its replacement, version 1.0.2d.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <***@linaro.org>
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
-@@ -1647,6 +1647,10 @@
+@@ -1653,6 +1653,10 @@

static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
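Review bot: Only the two x509_vfy.c offsets in the embedded patch are rebased (1647 to 1653 here, 1686 to 1692 in the next hunk), while the embedded `--- crypto/x509/x509_vfy.c` and `+++ crypto/x509/x509_vfy.c` header lines above still carry the Jun 11 and Jun 12 2015 timestamps, so it is not evident that the file was regenerated from a 1.0.2d tree rather than edited by hand. Please state in the commit message that EDKII_openssl-1.0.2d.patch applies to a pristine 1.0.2d extraction without offset or fuzz warnings, or regenerate it so that every embedded hunk is rebased.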
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;

-@@ -1686,6 +1690,7 @@
+@@ -1692,6 +1696,7 @@
}

return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh

-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
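Review bot: The `cd openssl-1.0.2d` line at the top of Install.sh has no failure check, so if the source was extracted under any other directory name the `cp` lines that follow run from the wrong directory and the script carries on. Suggest `cd openssl-1.0.2d || exit 1` (or `set -e` right after the shebang) so that a version mismatch stops the install at the first line, and the equivalent check in Install.cmd.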
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE

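Review bot: `DEFINE OPENSSL_PATH = openssl-1.0.2d` is one of several hard-coded copies of the version string that this patch has to touch; Install.cmd, Install.sh, Patch-HOWTO.txt and the patch file name carry it too, and a security bump that misses one of them leaves the build pointing at the old tree. Not a blocker for this change, but consider a follow-up that lets the install scripts take the directory name as an argument so the version lives in fewer places.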
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
================================================================================
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz


================================================================================
HOW to Install Openssl for UEFI Building
================================================================================
-1. Download OpenSSL 1.0.2c from official website:
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+1. Download OpenSSL 1.0.2d from official website:
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz

- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".

-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d

NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").

-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation

For Windows Environment:
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd

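Review bot: The download step in this hunk still points at plain `http://www.openssl.org/source/openssl-1.0.2d.tar.gz`, and the procedure goes straight from download (step 1) to extract (step 2) with no integrity check on the tarball. Since these lines are being rewritten for a CVE-driven bump, it would be worth adding a step between 1 and 2 that verifies the archive against the checksum or PGP signature published by openssl.org, and using an https URL if the server offers one.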
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
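Review bot: The `cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d` line here spells the directory `OpensslLib`, while step 2 earlier in the same file says to extract into `CryptoPkg/Library/OpenSslLib/openssl-1.0.2d`. On a case-sensitive filesystem those are two different paths; since both lines are updated by this patch anyway, align step 2 with the `OpensslLib` spelling used by the repository paths in the diff headers.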
--
1.9.1
Laszlo Ersek
2015-07-10 07:23:54 UTC
Post by Ard Biesheuvel
Upstream OpenSSL version 1.0.2c contained a fatal flaw
[CVE-2015-1793] and is no longer available from the openssl.org
download servers. So upgrade to its replacement, version 1.0.2d.
Contributed-under: TianoCore Contribution Agreement 1.0
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;
}
return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
================================================================================
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
================================================================================
HOW to Install Openssl for UEFI Building
================================================================================
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".
-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
Reviewed-by: Laszlo Ersek <***@redhat.com>
Ye, Ting
2015-07-10 07:53:08 UTC
Looks good to me.
Reviewed-by: Ye Ting <***@intel.com>

-----Original Message-----
From: Ard Biesheuvel [mailto:***@linaro.org]
Sent: Friday, July 10, 2015 2:54 PM
To: edk2-***@lists.sourceforge.net; Long, Qin; Dong, Guo; Ye, Ting
Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d

Upstream OpenSSL version 1.0.2c contained a fatal flaw
[CVE-2015-1793] and is no longer available from the openssl.org
download servers. So upgrade to its replacement, version 1.0.2d.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <***@linaro.org>
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
-@@ -1647,6 +1647,10 @@
+@@ -1653,6 +1653,10 @@

static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;

-@@ -1686,6 +1690,7 @@
+@@ -1692,6 +1696,7 @@
}

return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh

-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE

diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
================================================================================
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz


================================================================================
HOW to Install Openssl for UEFI Building
================================================================================
-1. Download OpenSSL 1.0.2c from official website:
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+1. Download OpenSSL 1.0.2d from official website:
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz

- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".

-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d

NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").

-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation

For Windows Environment:
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd

@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
--
1.9.1
Ard Biesheuvel
2015-07-10 09:21:09 UTC
Post by Ye, Ting
Looks good to me.
@Qin: are you ok with this patch? I would like to get it submitted
asap to fix our automated build (it is broken because 1.0.2c is no
longer available for download)

Thanks,
Ard.
Post by Ye, Ting
-----Original Message-----
Sent: Friday, July 10, 2015 2:54 PM
Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Upstream OpenSSL version 1.0.2c contained a fatal flaw
[CVE-2015-1793] and is no longer available from the openssl.org
download servers. So upgrade to its replacement, version 1.0.2d.
Contributed-under: TianoCore Contribution Agreement 1.0
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;
}
return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
================================================================================
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
================================================================================
HOW to Install Openssl for UEFI Building
================================================================================
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".
-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
--
1.9.1
Long, Qin
2015-07-12 17:34:52 UTC
Ard,

This looks good to me. (And thanks for doing this. I was out of office this week, so sorry for the late response.)

Reviewed-by: Qin Long <***@intel.com>


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Ard Biesheuvel [mailto:***@linaro.org]
Sent: Friday, July 10, 2015 5:21 PM
To: Long, Qin
Cc: edk2-***@lists.sourceforge.net; Ye, Ting; Dong, Guo; Justen, Jordan L; Gao, Liming
Subject: Re: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Post by Ye, Ting
Looks good to me.
@Qin: are you ok with this patch? I would like to get it submitted asap to fix our automated build (it is broken because 1.0.2c is no longer available for download)

Thanks,
Ard.
Post by Ye, Ting
-----Original Message-----
Sent: Friday, July 10, 2015 2:54 PM
Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793]
and is no longer available from the openssl.org download servers. So
upgrade to its replacement, version 1.0.2d.
Contributed-under: TianoCore Contribution Agreement 1.0
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c
crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;
}
return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE
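Review bot: `DEFINE OPENSSL_PATH = openssl-1.0.2d` is one of four places in this patch where the version string is hard-coded (Install.cmd, Install.sh and Patch-HOWTO.txt are the others), so a security bump like this one has to touch all of them in step. Consider letting the install scripts take the directory name as an argument, so the next update is a one-line change here plus the patch rename.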
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
======================================================================
==========
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
================================================================================
HOW to Install Openssl for UEFI Building
======================================================================
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".
-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make
installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make
+installation
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd
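Review bot: the download step in Patch-HOWTO.txt still points at `http://www.openssl.org/source/openssl-1.0.2d.tar.gz` over plain HTTP and gives no way to verify the tarball, which is worth fixing in a change whose stated reason is a CVE and an automated build that fetches this file. Suggest an https URL plus a documented checksum or signature check before extraction. Separately, step 2 extracts into `CryptoPkg/Library/OpenSslLib/...` while the `cd` steps use `OpensslLib`; the spelling should match the real directory so the instructions work on case-sensitive filesystems.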
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
--
1.9.1
Ard Biesheuvel
2015-07-12 18:59:19 UTC
Post by Long, Qin
Ard,
This looks good to me. (And thanks for doing this. I was out of office this week, so sorry for late response.)
Thanks! Committed as SVN r17928

Regards,
Ard.
Post by Long, Qin
-----Original Message-----
Sent: Friday, July 10, 2015 5:21 PM
To: Long, Qin
Subject: Re: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Post by Ye, Ting
Looks good to me.
@Qin: are you ok with this patch? I would like to get it submitted asap to fix our automated build (it is broken because 1.0.2c is no longer available for download)
Thanks,
Ard.
Post by Ye, Ting
-----Original Message-----
Sent: Friday, July 10, 2015 2:54 PM
Cc: Justen, Jordan L; Gao, Liming; Ard Biesheuvel
Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d
Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793]
and is no longer available from the openssl.org download servers. So
upgrade to its replacement, version 1.0.2d.
Contributed-under: TianoCore Contribution Agreement 1.0
---
CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +--
CryptoPkg/Library/OpensslLib/Install.cmd | 2 +-
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 ++++++++++----------
5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
similarity index 96%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 0d9575e94aef..72e5f3da54c4 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c
crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
time_t *ptime;
int i;
}
return 1;
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd
b/CryptoPkg/Library/OpensslLib/Install.cmd
index f8d8582d9ef6..ef0a4bdcebc9 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2c
+cd openssl-1.0.2d
copy e_os2.h ..\..\..\Include\openssl
copy crypto\crypto.h ..\..\..\Include\openssl
copy crypto\opensslv.h ..\..\..\Include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh
b/CryptoPkg/Library/OpensslLib/Install.sh
index 087655d50e2a..877e775b81af 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-cd openssl-1.0.2c
+cd openssl-1.0.2d
cp e_os2.h ../../../Include/openssl
cp crypto/crypto.h ../../../Include/openssl
cp crypto/opensslv.h ../../../Include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbf8a9621732..28d3aec00e2a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_PATH = openssl-1.0.2d
DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 0ea7b8aa0ba5..59e74ee9b0d9 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
================================================================================
OpenSSL-Version
======================================================================
==========
- Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d.
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
================================================================================
HOW to Install Openssl for UEFI Building
======================================================================
- http://www.openssl.org/source/openssl-1.0.2c.tar.gz
+ http://www.openssl.org/source/openssl-1.0.2d.tar.gz
- NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
- When you do the download, rename the "openssl-1.0.2c.tar.tar" to
- "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar.
+ When you do the download, rename the "openssl-1.0.2d.tar.tar" to
+ "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".
-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d
NOTE: If you use WinZip to unpack the openssl source in Windows, please
uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
-3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make
installation
+3. Apply this patch: EDKII_openssl-1.0.2d.patch, and make
+installation
------------------------
1) Make sure the patch utility has been installed in your machine.
Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
- 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch
4) cd ..
5) Install.cmd
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
- 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch
4) cd ..
5) ./Install.sh
--
1.9.1