Discussion:
[edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Long, Qin
2015-06-14 16:54:19 UTC
Permalink
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released
to resolve ABI compatibility problems. This patch has to be updated to
catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is updated to
catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will cease
on 31st December 2015. This patch updates the EDKII openssl support to the
latest 1.0.2 branch.

Long, Qin (3):
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c

CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-)
create mode 100644 CryptoPkg/Include/memory.h
delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
--
1.9.5.msysgit.1


------------------------------------------------------------------------------
Long, Qin
2015-06-14 16:54:20 UTC
Permalink
This patch adds a patch file for openssl-1.0.2c, and removes
the patch file for openssl-0.9.8zf.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long, Qin <***@intel.com>
---
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 -----------------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 +++++++++++++++++++++
2 files changed, 346 insertions(+), 279 deletions(-)
delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
deleted file mode 100644
index 4abe62c..0000000
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-Index: crypto/bio/bss_file.c
-===================================================================
---- crypto/bio/bss_file.c (revision 1)
-+++ crypto/bio/bss_file.c (working copy)
-@@ -418,6 +418,23 @@
- return (ret);
- }
-
-+#else
-+
-+BIO_METHOD *BIO_s_file(void)
-+{
-+ return NULL;
-+}
-+
-+BIO *BIO_new_file(const char *filename, const char *mode)
-+{
-+ return NULL;
-+}
-+
-+BIO *BIO_new_fp(FILE *stream, int close_flag)
-+{
-+ return NULL;
-+}
-+
- # endif /* OPENSSL_NO_STDIO */
-
- #endif /* HEADER_BSS_FILE_C */
-Index: crypto/crypto.h
-===================================================================
---- crypto/crypto.h (revision 1)
-+++ crypto/crypto.h (working copy)
-@@ -239,15 +239,15 @@
- # ifndef OPENSSL_NO_LOCKING
- # ifndef CRYPTO_w_lock
- # define CRYPTO_w_lock(type) \
-- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-+ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
- # define CRYPTO_w_unlock(type) \
-- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-+ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
- # define CRYPTO_r_lock(type) \
-- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-+ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
- # define CRYPTO_r_unlock(type) \
-- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-+ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
- # define CRYPTO_add(addr,amount,type) \
-- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
-+ CRYPTO_add_lock(addr,amount,type,NULL,0)
- # endif
- # else
- # define CRYPTO_w_lock(a)
-@@ -374,19 +374,19 @@
- # define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
- # define is_MemCheck_on() CRYPTO_is_mem_check_on()
-
--# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__)
--# define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__)
-+# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0)
-+# define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0)
- # define OPENSSL_realloc(addr,num) \
-- CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
-+ CRYPTO_realloc((char *)addr,(int)num,NULL,0)
- # define OPENSSL_realloc_clean(addr,old_num,num) \
-- CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
-+ CRYPTO_realloc_clean(addr,old_num,num,NULL,0)
- # define OPENSSL_remalloc(addr,num) \
-- CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
-+ CRYPTO_remalloc((char **)addr,(int)num,NULL,0)
- # define OPENSSL_freeFunc CRYPTO_free
- # define OPENSSL_free(addr) CRYPTO_free(addr)
-
- # define OPENSSL_malloc_locked(num) \
-- CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
-+ CRYPTO_malloc_locked((int)num,NULL,0)
- # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
-
- const char *SSLeay_version(int type);
-@@ -531,7 +531,7 @@
- long CRYPTO_get_mem_debug_options(void);
-
- # define CRYPTO_push_info(info) \
-- CRYPTO_push_info_(info, __FILE__, __LINE__);
-+ CRYPTO_push_info_(info, NULL, 0);
- int CRYPTO_push_info_(const char *info, const char *file, int line);
- int CRYPTO_pop_info(void);
- int CRYPTO_remove_all_info(void);
-@@ -578,7 +578,7 @@
-
- /* die if we have to */
- void OpenSSLDie(const char *file, int line, const char *assertion);
--# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
-+# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))
-
- unsigned long *OPENSSL_ia32cap_loc(void);
- # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
-@@ -585,10 +585,10 @@
- int OPENSSL_isservice(void);
-
- # ifdef OPENSSL_FIPS
--# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \
- alg " previous FIPS forbidden algorithm error ignored");
-
--# define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
-+# define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \
- #alg " Algorithm forbidden in FIPS mode");
-
- # ifdef OPENSSL_FIPS_STRICT
-Index: crypto/err/err.c
-===================================================================
---- crypto/err/err.c (revision 1)
-+++ crypto/err/err.c (working copy)
-@@ -321,7 +321,12 @@
- es->err_data_flags[i] = flags;
- }
-
-+/* Add EFIAPI for UEFI version. */
-+#if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI ERR_add_error_data(int num, ...)
-+#else
- void ERR_add_error_data(int num, ...)
-+#endif
- {
- va_list args;
- int i, n, s;
-Index: crypto/err/err.h
-===================================================================
---- crypto/err/err.h (revision 1)
-+++ crypto/err/err.h (working copy)
-@@ -285,7 +285,13 @@
- # endif
- # ifndef OPENSSL_NO_BIO
- void ERR_print_errors(BIO *bp);
-+
-+/* Add EFIAPI for UEFI version. */
-+#if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI ERR_add_error_data(int num, ...);
-+#else
- void ERR_add_error_data(int num, ...);
-+#endif
- # endif
- void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
- void ERR_unload_strings(int lib, ERR_STRING_DATA str[]);
-Index: crypto/opensslconf.h
-===================================================================
---- crypto/opensslconf.h (revision 1)
-+++ crypto/opensslconf.h (working copy)
-@@ -162,6 +162,9 @@
- /* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debuging the bignum libraries */
-+
-+/* Bypass following definition for UEFI version. */
-+#if !defined(OPENSSL_SYS_UEFI)
- #undef SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
- #define THIRTY_TWO_BIT
-@@ -169,6 +172,8 @@
- #undef EIGHT_BIT
- #endif
-
-+#endif
-+
- #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
- #define CONFIG_HEADER_RC4_LOCL_H
- /* if this is defined data[i] is used instead of *data, this is a %20
-Index: crypto/pkcs7/pk7_smime.c
-===================================================================
---- crypto/pkcs7/pk7_smime.c (revision 1)
-+++ crypto/pkcs7/pk7_smime.c (working copy)
-@@ -90,7 +90,14 @@
- if (!PKCS7_content_new(p7, NID_pkcs7_data))
- goto err;
-
-+#if defined(OPENSSL_SYS_UEFI)
-+ /*
-+ * NOTE: Update to SHA-256 digest algorithm for UEFI version.
-+ */
-+ if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha256()))) {
-+#else
- if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha1()))) {
-+#endif
- PKCS7err(PKCS7_F_PKCS7_SIGN, PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
- goto err;
- }
-@@ -175,7 +182,8 @@
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
- PKCS7_SIGNER_INFO *si;
- X509_STORE_CTX cert_ctx;
-- char buf[4096];
-+ char *buf = NULL;
-+ int bufsiz;
- int i, j = 0, k, ret = 0;
- BIO *p7bio;
- BIO *tmpin, *tmpout;
-@@ -286,6 +294,12 @@
- } else
- tmpout = out;
-
-+ bufsiz = 4096;
-+ buf = OPENSSL_malloc (bufsiz);
-+ if (buf == NULL) {
-+ goto err;
-+ }
-+
- /* We now have to 'read' from p7bio to calculate digests etc. */
- for (;;) {
- i = BIO_read(p7bio, buf, sizeof(buf));
-@@ -328,6 +342,10 @@
-
- sk_X509_free(signers);
-
-+ if (buf != NULL) {
-+ OPENSSL_free (buf);
-+ }
-+
- return ret;
- }
-
-Index: crypto/rand/rand_egd.c
-===================================================================
---- crypto/rand/rand_egd.c (revision 1)
-+++ crypto/rand/rand_egd.c (working copy)
-@@ -95,7 +95,7 @@
- * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
- */
-
--#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
-+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
- int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
- {
- return (-1);
-Index: crypto/rand/rand_unix.c
-===================================================================
---- crypto/rand/rand_unix.c (revision 1)
-+++ crypto/rand/rand_unix.c (working copy)
-@@ -116,7 +116,7 @@
- #include <openssl/rand.h>
- #include "rand_lcl.h"
-
--#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
-+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
-
- # include <sys/types.h>
- # include <sys/time.h>
-@@ -332,7 +332,7 @@
- * defined(OPENSSL_SYS_VXWORKS) ||
- * defined(OPENSSL_SYS_NETWARE)) */
-
--#if defined(OPENSSL_SYS_VXWORKS)
-+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
- int RAND_poll(void)
- {
- return 0;
-Index: crypto/x509/x509_vfy.c
-===================================================================
---- crypto/x509/x509_vfy.c (revision 1)
-+++ crypto/x509/x509_vfy.c (working copy)
-@@ -871,6 +871,10 @@
-
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
- {
-+#if defined(OPENSSL_SYS_UEFI)
-+ /* Bypass Certificate Time Checking for UEFI version. */
-+ return 1;
-+#else
- time_t *ptime;
- int i;
-
-@@ -910,6 +914,7 @@
- }
-
- return 1;
-+#endif
- }
-
- static int internal_verify(X509_STORE_CTX *ctx)
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
new file mode 100644
index 0000000..54e14d8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
@@ -0,0 +1,346 @@
+diff U3 crypto/bio/bio.h crypto/bio/bio.h
+--- crypto/bio/bio.h Thu Jun 11 21:50:12 2015
++++ crypto/bio/bio.h Fri Jun 12 11:00:52 2015
+@@ -646,10 +646,10 @@
+ int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix,
+ asn1_ps_func **psuffix_free);
+
+-# ifndef OPENSSL_NO_FP_API
+ BIO_METHOD *BIO_s_file(void);
+ BIO *BIO_new_file(const char *filename, const char *mode);
+ BIO *BIO_new_fp(FILE *stream, int close_flag);
++# ifndef OPENSSL_NO_FP_API
+ # define BIO_s_file_internal BIO_s_file
+ # endif
+ BIO *BIO_new(BIO_METHOD *type);
+diff U3 crypto/bio/bss_file.c crypto/bio/bss_file.c
+--- crypto/bio/bss_file.c Thu Jun 11 21:01:06 2015
++++ crypto/bio/bss_file.c Fri Jun 12 11:01:28 2015
+@@ -460,6 +460,23 @@
+ return (ret);
+ }
+
++# else
++
++BIO_METHOD *BIO_s_file(void)
++{
++ return NULL;
++}
++
++BIO *BIO_new_file(const char *filename, const char *mode)
++{
++ return NULL;
++}
++
++BIO *BIO_new_fp(FILE *stream, int close_flag)
++{
++ return NULL;
++}
++
+ # endif /* OPENSSL_NO_STDIO */
+
+ #endif /* HEADER_BSS_FILE_C */
+diff U3 crypto/dh/dh_pmeth.c crypto/dh/dh_pmeth.c
+--- crypto/dh/dh_pmeth.c Thu Jun 11 21:50:12 2015
++++ crypto/dh/dh_pmeth.c Fri Jun 12 11:08:48 2015
+@@ -449,6 +449,9 @@
+ *keylen = ret;
+ return 1;
+ } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
++#ifdef OPENSSL_NO_CMS
++ return 0;
++#else
+ unsigned char *Z = NULL;
+ size_t Zlen = 0;
+ if (!dctx->kdf_outlen || !dctx->kdf_oid)
+@@ -478,6 +481,7 @@
+ OPENSSL_free(Z);
+ }
+ return ret;
++#endif
+ }
+ return 1;
+ }
+diff U3 crypto/pem/pem.h crypto/pem/pem.h
+--- crypto/pem/pem.h Thu Jun 11 21:50:12 2015
++++ crypto/pem/pem.h Fri Jun 12 10:58:18 2015
+@@ -324,6 +324,7 @@
+
+ # define DECLARE_PEM_read_fp(name, type) /**/
+ # define DECLARE_PEM_write_fp(name, type) /**/
++# define DECLARE_PEM_write_fp_const(name, type) /**/
+ # define DECLARE_PEM_write_cb_fp(name, type) /**/
+ # else
+
+diff U3 crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c
+--- crypto/pkcs7/pk7_smime.c Thu Jun 11 21:01:06 2015
++++ crypto/pkcs7/pk7_smime.c Fri Jun 12 11:23:38 2015
+@@ -254,7 +254,8 @@
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+ PKCS7_SIGNER_INFO *si;
+ X509_STORE_CTX cert_ctx;
+- char buf[4096];
++ char *buf = NULL;
++ int bufsiz;
+ int i, j = 0, k, ret = 0;
+ BIO *p7bio;
+ BIO *tmpin, *tmpout;
+@@ -365,9 +366,14 @@
+ } else
+ tmpout = out;
+
++ bufsiz = 4096;
++ buf = OPENSSL_malloc(bufsiz);
++ if (buf == NULL) {
++ goto err;
++ }
+ /* We now have to 'read' from p7bio to calculate digests etc. */
+ for (;;) {
+- i = BIO_read(p7bio, buf, sizeof(buf));
++ i = BIO_read(p7bio, buf, bufsiz);
+ if (i <= 0)
+ break;
+ if (tmpout)
+@@ -406,6 +412,10 @@
+ BIO_free_all(p7bio);
+
+ sk_X509_free(signers);
++
++ if (buf != NULL) {
++ OPENSSL_free(buf);
++ }
+
+ return ret;
+ }
+diff U3 crypto/rand/rand_unix.c crypto/rand/rand_unix.c
+--- crypto/rand/rand_unix.c Thu Jun 11 21:01:06 2015
++++ crypto/rand/rand_unix.c Fri Jun 12 10:51:21 2015
+@@ -116,7 +116,7 @@
+ #include <openssl/rand.h>
+ #include "rand_lcl.h"
+
+-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
++#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
+
+ # include <sys/types.h>
+ # include <sys/time.h>
+@@ -439,7 +439,7 @@
+ * defined(OPENSSL_SYS_VXWORKS) ||
+ * defined(OPENSSL_SYS_NETWARE)) */
+
+-#if defined(OPENSSL_SYS_VXWORKS)
++#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
+ int RAND_poll(void)
+ {
+ return 0;
+diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
+--- crypto/rsa/rsa_ameth.c Thu Jun 11 21:50:12 2015
++++ crypto/rsa/rsa_ameth.c Fri Jun 12 10:45:38 2015
+@@ -68,10 +68,12 @@
+ #endif
+ #include "asn1_locl.h"
+
++#ifndef OPENSSL_NO_CMS
+ static int rsa_cms_sign(CMS_SignerInfo *si);
+ static int rsa_cms_verify(CMS_SignerInfo *si);
+ static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
+ static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
++#endif
+
+ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
+ {
+@@ -665,6 +667,7 @@
+ return rv;
+ }
+
++#ifndef OPENSSL_NO_CMS
+ static int rsa_cms_verify(CMS_SignerInfo *si)
+ {
+ int nid, nid2;
+@@ -683,6 +686,7 @@
+ }
+ return 0;
+ }
++#endif
+
+ /*
+ * Customised RSA item verification routine. This is called when a signature
+@@ -705,6 +709,7 @@
+ return -1;
+ }
+
++#ifndef OPENSSL_NO_CMS
+ static int rsa_cms_sign(CMS_SignerInfo *si)
+ {
+ int pad_mode = RSA_PKCS1_PADDING;
+@@ -729,6 +734,7 @@
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
+ return 1;
+ }
++#endif
+
+ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+ X509_ALGOR *alg1, X509_ALGOR *alg2,
+@@ -785,6 +791,7 @@
+ return pss;
+ }
+
++#ifndef OPENSSL_NO_CMS
+ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+ {
+ EVP_PKEY_CTX *pkctx;
+@@ -857,7 +864,9 @@
+ X509_ALGOR_free(maskHash);
+ return rv;
+ }
++#endif
+
++#ifndef OPENSSL_NO_CMS
+ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
+ {
+ const EVP_MD *md, *mgf1md;
+@@ -920,6 +929,7 @@
+ ASN1_STRING_free(os);
+ return rv;
+ }
++#endif
+
+ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
+ {
+diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
+--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
++++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
+@@ -1647,6 +1647,10 @@
+
+ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+ {
++#ifdef OPENSSL_SYS_UEFI
++ /* Bypass Certificate Time Checking for UEFI version. */
++ return 1;
++#else
+ time_t *ptime;
+ int i;
+
+@@ -1686,6 +1690,7 @@
+ }
+
+ return 1;
++#endif
+ }
+
+ static int internal_verify(X509_STORE_CTX *ctx)
+diff U3 crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h
+--- crypto/x509v3/ext_dat.h Thu Jun 11 21:50:12 2015
++++ crypto/x509v3/ext_dat.h Fri Jun 12 11:11:03 2015
+@@ -127,8 +127,10 @@
+ &v3_idp,
+ &v3_alt[2],
+ &v3_freshest_crl,
++#ifndef OPENSSL_SYS_UEFI
+ &v3_ct_scts[0],
+ &v3_ct_scts[1],
++#endif
+ };
+
+ /* Number of standard extensions */
+diff U3 crypto/crypto.h crypto/crypto.h
+--- crypto/crypto.h Thu Jun 11 21:01:06 2015
++++ crypto/crypto.h Fri Jun 12 11:33:27 2015
+@@ -235,15 +235,15 @@
+ # ifndef OPENSSL_NO_LOCKING
+ # ifndef CRYPTO_w_lock
+ # define CRYPTO_w_lock(type) \
+- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
+ # define CRYPTO_w_unlock(type) \
+- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
+ # define CRYPTO_r_lock(type) \
+- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
+ # define CRYPTO_r_unlock(type) \
+- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
+ # define CRYPTO_add(addr,amount,type) \
+- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
++ CRYPTO_add_lock(addr,amount,type,NULL,0)
+ # endif
+ # else
+ # define CRYPTO_w_lock(a)
+@@ -378,19 +378,19 @@
+ # define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
+ # define is_MemCheck_on() CRYPTO_is_mem_check_on()
+
+-# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__)
+-# define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__)
++# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0)
++# define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0)
+ # define OPENSSL_realloc(addr,num) \
+- CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
++ CRYPTO_realloc((char *)addr,(int)num,NULL,0)
+ # define OPENSSL_realloc_clean(addr,old_num,num) \
+- CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
++ CRYPTO_realloc_clean(addr,old_num,num,NULL,0)
+ # define OPENSSL_remalloc(addr,num) \
+- CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
++ CRYPTO_remalloc((char **)addr,(int)num,NULL,0)
+ # define OPENSSL_freeFunc CRYPTO_free
+ # define OPENSSL_free(addr) CRYPTO_free(addr)
+
+ # define OPENSSL_malloc_locked(num) \
+- CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
++ CRYPTO_malloc_locked((int)num,NULL,0)
+ # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
+
+ const char *SSLeay_version(int type);
+@@ -545,7 +545,7 @@
+ long CRYPTO_get_mem_debug_options(void);
+
+ # define CRYPTO_push_info(info) \
+- CRYPTO_push_info_(info, __FILE__, __LINE__);
++ CRYPTO_push_info_(info, NULL, 0);
+ int CRYPTO_push_info_(const char *info, const char *file, int line);
+ int CRYPTO_pop_info(void);
+ int CRYPTO_remove_all_info(void);
+@@ -588,7 +588,7 @@
+
+ /* die if we have to */
+ void OpenSSLDie(const char *file, int line, const char *assertion);
+-# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
++# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))
+
+ unsigned long *OPENSSL_ia32cap_loc(void);
+ # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+@@ -605,14 +605,14 @@
+ # define fips_md_init_ctx(alg, cx) \
+ int alg##_Init(cx##_CTX *c) \
+ { \
+- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
++ if (FIPS_mode()) OpenSSLDie(NULL, 0, \
+ "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(cx##_CTX *c)
+
+ # define fips_cipher_abort(alg) \
+- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
++ if (FIPS_mode()) OpenSSLDie(NULL, 0, \
+ "Low level API call to cipher " #alg " forbidden in FIPS mode!")
+
+ # else
+diff U3 crypto/opensslconf.h crypto/opensslconf.h
+--- crypto/opensslconf.h Thu Jun 11 21:55:38 2015
++++ crypto/opensslconf.h Fri Jun 12 10:28:27 2015
+@@ -159,9 +159,12 @@
+ /* Should we define BN_DIV2W here? */
+
+ /* Only one for the following should be defined */
++/* Bypass the following definitions for UEFI version. */
++#if !defined(OPENSSL_SYS_UEFI)
+ #undef SIXTY_FOUR_BIT_LONG
+ #undef SIXTY_FOUR_BIT
+ #define THIRTY_TWO_BIT
++#endif
+ #endif
+
+ #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
--
1.9.5.msysgit.1


------------------------------------------------------------------------------
Long, Qin
2015-06-14 16:54:22 UTC
Permalink
This patch updates some support header and wrapper files to support
openssl-1.0.2c build, and correct some openssl API usages and
boundary check.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long, Qin <***@intel.com>
---
CryptoPkg/Include/OpenSslSupport.h | 8 +++++++-
CryptoPkg/Include/memory.h | 16 ++++++++++++++++
CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 ++++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +++++-----
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 ++++++-----
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 ++++++++----
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +++++++++++++-----
7 files changed, 59 insertions(+), 22 deletions(-)
create mode 100644 CryptoPkg/Include/memory.h

diff --git a/CryptoPkg/Include/OpenSslSupport.h b/CryptoPkg/Include/OpenSslSupport.h
index ed889e9..b5a8b58 100644
--- a/CryptoPkg/Include/OpenSslSupport.h
+++ b/CryptoPkg/Include/OpenSslSupport.h
@@ -1,7 +1,7 @@
/** @file
Root include file to support building OpenSSL Crypto Library.

-Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -109,6 +109,11 @@ struct tm {
char *tm_zone; /* timezone abbreviation */
};

+struct timeval {
+ long tv_sec; /* time value, in seconds */
+ long tv_usec; /* time value, in microseconds */
+} timeval;
+
struct dirent {
UINT32 d_fileno; /* file number of entry */
UINT16 d_reclen; /* length of this record */
@@ -240,5 +245,6 @@ extern FILE *stdout;
#define assert(expression)
#define localtime(timer) NULL
#define gmtime_r(timer,result) (result = NULL)
+#define atoi(nptr) AsciiStrDecimalToUintn(nptr)

#endif
diff --git a/CryptoPkg/Include/memory.h b/CryptoPkg/Include/memory.h
new file mode 100644
index 0000000..092b3cd
--- /dev/null
+++ b/CryptoPkg/Include/memory.h
@@ -0,0 +1,16 @@
+/** @file
+ Include file to support building OpenSSL Crypto Library.
+
+Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <OpenSslSupport.h>
+
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
index 4ce2b06..9e93355 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@@ -9,7 +9,7 @@
AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
data structure.

-Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -72,6 +72,7 @@ AuthenticodeVerify (
{
BOOLEAN Status;
PKCS7 *Pkcs7;
+ CONST UINT8 *Temp;
CONST UINT8 *OrigAuthData;
UINT8 *SpcIndirectDataContent;
UINT8 Asn1Byte;
@@ -96,7 +97,8 @@ AuthenticodeVerify (
//
// Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode Signature
//
- Pkcs7 = d2i_PKCS7 (NULL, &AuthData, (int)DataSize);
+ Temp = AuthData;
+ Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize);
if (Pkcs7 == NULL) {
goto _Exit;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
index 63fe78f..704eb4e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
@@ -1,7 +1,7 @@
/** @file
PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.

-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -116,9 +116,9 @@ Pkcs7Sign (
if (Key == NULL) {
goto _Exit;
}
- Key->save_type = EVP_PKEY_RSA;
- Key->type = EVP_PKEY_type (EVP_PKEY_RSA);
- Key->pkey.rsa = (RSA *) RsaContext;
+ if (EVP_PKEY_assign_RSA (Key, (RSA *) RsaContext) == 0) {
+ goto _Exit;
+ }

//
// Convert the data to be signed to BIO format.
@@ -175,7 +175,7 @@ Pkcs7Sign (
}

CopyMem (*SignedData, P7Data + 19, *SignedDataSize);
-
+
OPENSSL_free (P7Data);

Status = TRUE;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index a9665d5..a1bab8a 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -10,7 +10,7 @@
WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.

-Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -273,7 +273,7 @@ X509PopCertificate (
goto _Exit;
}

- Length = ((BUF_MEM *) CertBio->ptr)->length;
+ Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
if (Length <= 0) {
goto _Exit;
}
@@ -343,7 +343,7 @@ Pkcs7GetSigners (
PKCS7 *Pkcs7;
BOOLEAN Status;
UINT8 *SignedData;
- UINT8 *Temp;
+ CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
STACK_OF(X509) *Stack;
@@ -549,7 +549,7 @@ Pkcs7Verify (
X509 *Cert;
X509_STORE *CertStore;
UINT8 *SignedData;
- UINT8 *Temp;
+ CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;

@@ -618,7 +618,8 @@ Pkcs7Verify (
//
// Read DER-encoded root certificate and Construct X509 Certificate
//
- Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
+ Temp = TrustedCert;
+ Cert = d2i_X509 (NULL, &Temp, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index e4b5a84..7d269b0 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -5,7 +5,7 @@
the lifetime of the signature when a signing certificate expires or is later
revoked.

-Copyright (c) 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -441,11 +441,12 @@ TimestampTokenVerify (
CONST UINT8 *TokenTemp;
PKCS7 *Pkcs7;
X509 *Cert;
+ CONST UINT8 *CertTemp;
X509_STORE *CertStore;
BIO *OutBio;
UINT8 *TstData;
UINTN TstSize;
- UINT8 *TstTemp;
+ CONST UINT8 *TstTemp;
TS_TST_INFO *TstInfo;

Status = FALSE;
@@ -490,7 +491,8 @@ TimestampTokenVerify (
//
// Read the trusted TSA certificate (DER-encoded), and Construct X509 Certificate.
//
- Cert = d2i_X509 (NULL, &TsaCert, (long) CertSize);
+ CertTemp = TsaCert;
+ Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize);
if (Cert == NULL) {
goto _Exit;
}
@@ -605,6 +607,7 @@ ImageTimestampVerify (
{
BOOLEAN Status;
PKCS7 *Pkcs7;
+ CONST UINT8 *Temp;
STACK_OF(PKCS7_SIGNER_INFO) *SignerInfos;
PKCS7_SIGNER_INFO *SignInfo;
UINTN Index;
@@ -644,7 +647,8 @@ ImageTimestampVerify (
//
// Decode ASN.1-encoded Authenticode data into PKCS7 structure.
//
- Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &AuthData, (int) DataSize);
+ Temp = AuthData;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) DataSize);
if (Pkcs7 == NULL) {
goto _Exit;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 29efc42..02851d5 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -1,7 +1,7 @@
/** @file
X.509 Certificate Handler Wrapper Implementation over OpenSSL.

-Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -38,7 +38,8 @@ X509ConstructCertificate (
OUT UINT8 **SingleX509Cert
)
{
- X509 *X509Cert;
+ X509 *X509Cert;
+ CONST UINT8 *Temp;

//
// Check input parameters.
@@ -50,7 +51,8 @@ X509ConstructCertificate (
//
// Read DER-encoded X509 Certificate and Construct X509 object.
//
- X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
+ Temp = Cert;
+ X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize);
if (X509Cert == NULL) {
return FALSE;
}
@@ -123,6 +125,9 @@ X509ConstructCertificateStack (
}

CertSize = VA_ARG (Args, UINTN);
+ if (CertSize == 0) {
+ break;
+ }

//
// Construct X509 Object from the given DER-encoded certificate data.
@@ -133,7 +138,9 @@ X509ConstructCertificateStack (
(UINT8 **) &X509Cert
);
if (!Status) {
- X509_free (X509Cert);
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
break;
}

@@ -518,7 +525,8 @@ X509GetTBSCert (
//
// Check input parameters.
//
- if ((Cert == NULL) || (TBSCert == NULL) || (TBSCertSize == NULL)) {
+ if ((Cert == NULL) || (TBSCert == NULL) ||
+ (TBSCertSize == NULL) || (CertSize > INT_MAX)) {
return FALSE;
}
--
1.9.5.msysgit.1


------------------------------------------------------------------------------
Long, Qin
2015-06-14 16:54:21 UTC
Permalink
This patch updates the INF file, installation scripts and HOWTO file
in OpensslLib for openssl-1.0.2c support.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long, Qin <***@intel.com>
---
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 +++++++++++++++++++--------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
4 files changed, 608 insertions(+), 350 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index 8f1d016..f8d8582 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,71 +1,77 @@
-cd openssl-0.9.8zf
-copy e_os2.h ..\..\..\Include\openssl
-copy crypto\crypto.h ..\..\..\Include\openssl
-copy crypto\tmdiff.h ..\..\..\Include\openssl
-copy crypto\opensslv.h ..\..\..\Include\openssl
-copy crypto\opensslconf.h ..\..\..\Include\openssl
-copy crypto\ebcdic.h ..\..\..\Include\openssl
-copy crypto\symhacks.h ..\..\..\Include\openssl
-copy crypto\ossl_typ.h ..\..\..\Include\openssl
-copy crypto\md2\md2.h ..\..\..\Include\openssl
-copy crypto\md4\md4.h ..\..\..\Include\openssl
-copy crypto\md5\md5.h ..\..\..\Include\openssl
-copy crypto\sha\sha.h ..\..\..\Include\openssl
-copy crypto\hmac\hmac.h ..\..\..\Include\openssl
-copy crypto\ripemd\ripemd.h ..\..\..\Include\openssl
-copy crypto\des\des.h ..\..\..\Include\openssl
-copy crypto\des\des_old.h ..\..\..\Include\openssl
-copy crypto\rc2\rc2.h ..\..\..\Include\openssl
-copy crypto\rc4\rc4.h ..\..\..\Include\openssl
-copy crypto\idea\idea.h ..\..\..\Include\openssl
-copy crypto\bf\blowfish.h ..\..\..\Include\openssl
-copy crypto\cast\cast.h ..\..\..\Include\openssl
-copy crypto\aes\aes.h ..\..\..\Include\openssl
-copy crypto\bn\bn.h ..\..\..\Include\openssl
-copy crypto\rsa\rsa.h ..\..\..\Include\openssl
-copy crypto\dsa\dsa.h ..\..\..\Include\openssl
-copy crypto\dso\dso.h ..\..\..\Include\openssl
-copy crypto\dh\dh.h ..\..\..\Include\openssl
-copy crypto\ec\ec.h ..\..\..\Include\openssl
-copy crypto\ecdh\ecdh.h ..\..\..\Include\openssl
-copy crypto\ecdsa\ecdsa.h ..\..\..\Include\openssl
-copy crypto\buffer\buffer.h ..\..\..\Include\openssl
-copy crypto\bio\bio.h ..\..\..\Include\openssl
-copy crypto\stack\stack.h ..\..\..\Include\openssl
-copy crypto\stack\safestack.h ..\..\..\Include\openssl
-copy crypto\lhash\lhash.h ..\..\..\Include\openssl
-copy crypto\rand\rand.h ..\..\..\Include\openssl
-copy crypto\err\err.h ..\..\..\Include\openssl
-copy crypto\objects\objects.h ..\..\..\Include\openssl
-copy crypto\objects\obj_mac.h ..\..\..\Include\openssl
-copy crypto\evp\evp.h ..\..\..\Include\openssl
-copy crypto\asn1\asn1.h ..\..\..\Include\openssl
-copy crypto\asn1\asn1_mac.h ..\..\..\Include\openssl
-copy crypto\asn1\asn1t.h ..\..\..\Include\openssl
-copy crypto\pem\pem.h ..\..\..\Include\openssl
-copy crypto\pem\pem2.h ..\..\..\Include\openssl
-copy crypto\x509\x509.h ..\..\..\Include\openssl
-copy crypto\x509\x509_vfy.h ..\..\..\Include\openssl
-copy crypto\x509v3\x509v3.h ..\..\..\Include\openssl
-copy crypto\conf\conf.h ..\..\..\Include\openssl
-copy crypto\conf\conf_api.h ..\..\..\Include\openssl
-copy crypto\txt_db\txt_db.h ..\..\..\Include\openssl
-copy crypto\pkcs7\pkcs7.h ..\..\..\Include\openssl
-copy crypto\pkcs12\pkcs12.h ..\..\..\Include\openssl
-copy crypto\comp\comp.h ..\..\..\Include\openssl
-copy crypto\engine\engine.h ..\..\..\Include\openssl
-copy crypto\ocsp\ocsp.h ..\..\..\Include\openssl
-copy crypto\ui\ui.h ..\..\..\Include\openssl
-copy crypto\ui\ui_compat.h ..\..\..\Include\openssl
-copy crypto\krb5\krb5_asn.h ..\..\..\Include\openssl
-copy crypto\store\store.h ..\..\..\Include\openssl
-copy crypto\pqueue\pqueue.h ..\..\..\Include\openssl
-copy crypto\pqueue\pq_compat.h ..\..\..\Include\openssl
-copy ssl\ssl.h ..\..\..\Include\openssl
-copy ssl\ssl2.h ..\..\..\Include\openssl
-copy ssl\ssl3.h ..\..\..\Include\openssl
-copy ssl\ssl23.h ..\..\..\Include\openssl
-copy ssl\tls1.h ..\..\..\Include\openssl
-copy ssl\dtls1.h ..\..\..\Include\openssl
-copy ssl\kssl.h ..\..\..\Include\openssl
+cd openssl-1.0.2c
+copy e_os2.h ..\..\..\Include\openssl
+copy crypto\crypto.h ..\..\..\Include\openssl
+copy crypto\opensslv.h ..\..\..\Include\openssl
+copy crypto\opensslconf.h ..\..\..\Include\openssl
+copy crypto\ebcdic.h ..\..\..\Include\openssl
+copy crypto\symhacks.h ..\..\..\Include\openssl
+copy crypto\ossl_typ.h ..\..\..\Include\openssl
+copy crypto\objects\objects.h ..\..\..\Include\openssl
+copy crypto\objects\obj_mac.h ..\..\..\Include\openssl
+copy crypto\md4\md4.h ..\..\..\Include\openssl
+copy crypto\md5\md5.h ..\..\..\Include\openssl
+copy crypto\sha\sha.h ..\..\..\Include\openssl
+copy crypto\mdc2\mdc2.h ..\..\..\Include\openssl
+copy crypto\hmac\hmac.h ..\..\..\Include\openssl
+copy crypto\ripemd\ripemd.h ..\..\..\Include\openssl
+copy crypto\whrlpool\whrlpool.h ..\..\..\Include\openssl
+copy crypto\des\des.h ..\..\..\Include\openssl
+copy crypto\des\des_old.h ..\..\..\Include\openssl
+copy crypto\aes\aes.h ..\..\..\Include\openssl
+copy crypto\rc2\rc2.h ..\..\..\Include\openssl
+copy crypto\rc4\rc4.h ..\..\..\Include\openssl
+copy crypto\idea\idea.h ..\..\..\Include\openssl
+copy crypto\bf\blowfish.h ..\..\..\Include\openssl
+copy crypto\cast\cast.h ..\..\..\Include\openssl
+copy crypto\camellia\camellia.h ..\..\..\Include\openssl
+copy crypto\seed\seed.h ..\..\..\Include\openssl
+copy crypto\modes\modes.h ..\..\..\Include\openssl
+copy crypto\bn\bn.h ..\..\..\Include\openssl
+copy crypto\ec\ec.h ..\..\..\Include\openssl
+copy crypto\rsa\rsa.h ..\..\..\Include\openssl
+copy crypto\dsa\dsa.h ..\..\..\Include\openssl
+copy crypto\ecdsa\ecdsa.h ..\..\..\Include\openssl
+copy crypto\dh\dh.h ..\..\..\Include\openssl
+copy crypto\ecdh\ecdh.h ..\..\..\Include\openssl
+copy crypto\dso\dso.h ..\..\..\Include\openssl
+copy crypto\engine\engine.h ..\..\..\Include\openssl
+copy crypto\buffer\buffer.h ..\..\..\Include\openssl
+copy crypto\bio\bio.h ..\..\..\Include\openssl
+copy crypto\stack\stack.h ..\..\..\Include\openssl
+copy crypto\stack\safestack.h ..\..\..\Include\openssl
+copy crypto\lhash\lhash.h ..\..\..\Include\openssl
+copy crypto\rand\rand.h ..\..\..\Include\openssl
+copy crypto\err\err.h ..\..\..\Include\openssl
+copy crypto\evp\evp.h ..\..\..\Include\openssl
+copy crypto\asn1\asn1.h ..\..\..\Include\openssl
+copy crypto\asn1\asn1_mac.h ..\..\..\Include\openssl
+copy crypto\asn1\asn1t.h ..\..\..\Include\openssl
+copy crypto\pem\pem.h ..\..\..\Include\openssl
+copy crypto\pem\pem2.h ..\..\..\Include\openssl
+copy crypto\x509\x509.h ..\..\..\Include\openssl
+copy crypto\x509\x509_vfy.h ..\..\..\Include\openssl
+copy crypto\x509v3\x509v3.h ..\..\..\Include\openssl
+copy crypto\conf\conf.h ..\..\..\Include\openssl
+copy crypto\conf\conf_api.h ..\..\..\Include\openssl
+copy crypto\txt_db\txt_db.h ..\..\..\Include\openssl
+copy crypto\pkcs7\pkcs7.h ..\..\..\Include\openssl
+copy crypto\pkcs12\pkcs12.h ..\..\..\Include\openssl
+copy crypto\comp\comp.h ..\..\..\Include\openssl
+copy crypto\ocsp\ocsp.h ..\..\..\Include\openssl
+copy crypto\ui\ui.h ..\..\..\Include\openssl
+copy crypto\ui\ui_compat.h ..\..\..\Include\openssl
+copy crypto\krb5\krb5_asn.h ..\..\..\Include\openssl
+copy crypto\cms\cms.h ..\..\..\Include\openssl
+copy crypto\pqueue\pqueue.h ..\..\..\Include\openssl
+copy crypto\ts\ts.h ..\..\..\Include\openssl
+copy crypto\srp\srp.h ..\..\..\Include\openssl
+copy crypto\cmac\cmac.h ..\..\..\Include\openssl
+copy ssl\ssl.h ..\..\..\Include\openssl
+copy ssl\ssl2.h ..\..\..\Include\openssl
+copy ssl\ssl3.h ..\..\..\Include\openssl
+copy ssl\ssl23.h ..\..\..\Include\openssl
+copy ssl\tls1.h ..\..\..\Include\openssl
+copy ssl\dtls1.h ..\..\..\Include\openssl
+copy ssl\kssl.h ..\..\..\Include\openssl
+copy ssl\srtp.h ..\..\..\Include\openssl
cd ..
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 4a022e6..087655d 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,73 +1,79 @@
#!/bin/sh

-cd openssl-0.9.8zf
-cp e_os2.h ../../../Include/openssl
-cp crypto/crypto.h ../../../Include/openssl
-cp crypto/tmdiff.h ../../../Include/openssl
-cp crypto/opensslv.h ../../../Include/openssl
-cp crypto/opensslconf.h ../../../Include/openssl
-cp crypto/ebcdic.h ../../../Include/openssl
-cp crypto/symhacks.h ../../../Include/openssl
-cp crypto/ossl_typ.h ../../../Include/openssl
-cp crypto/md2/md2.h ../../../Include/openssl
-cp crypto/md4/md4.h ../../../Include/openssl
-cp crypto/md5/md5.h ../../../Include/openssl
-cp crypto/sha/sha.h ../../../Include/openssl
-cp crypto/hmac/hmac.h ../../../Include/openssl
-cp crypto/ripemd/ripemd.h ../../../Include/openssl
-cp crypto/des/des.h ../../../Include/openssl
-cp crypto/des/des_old.h ../../../Include/openssl
-cp crypto/rc2/rc2.h ../../../Include/openssl
-cp crypto/rc4/rc4.h ../../../Include/openssl
-cp crypto/idea/idea.h ../../../Include/openssl
-cp crypto/bf/blowfish.h ../../../Include/openssl
-cp crypto/cast/cast.h ../../../Include/openssl
-cp crypto/aes/aes.h ../../../Include/openssl
-cp crypto/bn/bn.h ../../../Include/openssl
-cp crypto/rsa/rsa.h ../../../Include/openssl
-cp crypto/dsa/dsa.h ../../../Include/openssl
-cp crypto/dso/dso.h ../../../Include/openssl
-cp crypto/dh/dh.h ../../../Include/openssl
-cp crypto/ec/ec.h ../../../Include/openssl
-cp crypto/ecdh/ecdh.h ../../../Include/openssl
-cp crypto/ecdsa/ecdsa.h ../../../Include/openssl
-cp crypto/buffer/buffer.h ../../../Include/openssl
-cp crypto/bio/bio.h ../../../Include/openssl
-cp crypto/stack/stack.h ../../../Include/openssl
-cp crypto/stack/safestack.h ../../../Include/openssl
-cp crypto/lhash/lhash.h ../../../Include/openssl
-cp crypto/rand/rand.h ../../../Include/openssl
-cp crypto/err/err.h ../../../Include/openssl
-cp crypto/objects/objects.h ../../../Include/openssl
-cp crypto/objects/obj_mac.h ../../../Include/openssl
-cp crypto/evp/evp.h ../../../Include/openssl
-cp crypto/asn1/asn1.h ../../../Include/openssl
-cp crypto/asn1/asn1_mac.h ../../../Include/openssl
-cp crypto/asn1/asn1t.h ../../../Include/openssl
-cp crypto/pem/pem.h ../../../Include/openssl
-cp crypto/pem/pem2.h ../../../Include/openssl
-cp crypto/x509/x509.h ../../../Include/openssl
-cp crypto/x509/x509_vfy.h ../../../Include/openssl
-cp crypto/x509v3/x509v3.h ../../../Include/openssl
-cp crypto/conf/conf.h ../../../Include/openssl
-cp crypto/conf/conf_api.h ../../../Include/openssl
-cp crypto/txt_db/txt_db.h ../../../Include/openssl
-cp crypto/pkcs7/pkcs7.h ../../../Include/openssl
-cp crypto/pkcs12/pkcs12.h ../../../Include/openssl
-cp crypto/comp/comp.h ../../../Include/openssl
-cp crypto/engine/engine.h ../../../Include/openssl
-cp crypto/ocsp/ocsp.h ../../../Include/openssl
-cp crypto/ui/ui.h ../../../Include/openssl
-cp crypto/ui/ui_compat.h ../../../Include/openssl
-cp crypto/krb5/krb5_asn.h ../../../Include/openssl
-cp crypto/store/store.h ../../../Include/openssl
-cp crypto/pqueue/pqueue.h ../../../Include/openssl
-cp crypto/pqueue/pq_compat.h ../../../Include/openssl
-cp ssl/ssl.h ../../../Include/openssl
-cp ssl/ssl2.h ../../../Include/openssl
-cp ssl/ssl3.h ../../../Include/openssl
-cp ssl/ssl23.h ../../../Include/openssl
-cp ssl/tls1.h ../../../Include/openssl
-cp ssl/dtls1.h ../../../Include/openssl
-cp ssl/kssl.h ../../../Include/openssl
+cd openssl-1.0.2c
+cp e_os2.h ../../../Include/openssl
+cp crypto/crypto.h ../../../Include/openssl
+cp crypto/opensslv.h ../../../Include/openssl
+cp crypto/opensslconf.h ../../../Include/openssl
+cp crypto/ebcdic.h ../../../Include/openssl
+cp crypto/symhacks.h ../../../Include/openssl
+cp crypto/ossl_typ.h ../../../Include/openssl
+cp crypto/objects/objects.h ../../../Include/openssl
+cp crypto/objects/obj_mac.h ../../../Include/openssl
+cp crypto/md4/md4.h ../../../Include/openssl
+cp crypto/md5/md5.h ../../../Include/openssl
+cp crypto/sha/sha.h ../../../Include/openssl
+cp crypto/mdc2/mdc2.h ../../../Include/openssl
+cp crypto/hmac/hmac.h ../../../Include/openssl
+cp crypto/ripemd/ripemd.h ../../../Include/openssl
+cp crypto/whrlpool/whrlpool.h ../../../Include/openssl
+cp crypto/des/des.h ../../../Include/openssl
+cp crypto/des/des_old.h ../../../Include/openssl
+cp crypto/aes/aes.h ../../../Include/openssl
+cp crypto/rc2/rc2.h ../../../Include/openssl
+cp crypto/rc4/rc4.h ../../../Include/openssl
+cp crypto/idea/idea.h ../../../Include/openssl
+cp crypto/bf/blowfish.h ../../../Include/openssl
+cp crypto/cast/cast.h ../../../Include/openssl
+cp crypto/camellia/camellia.h ../../../Include/openssl
+cp crypto/seed/seed.h ../../../Include/openssl
+cp crypto/modes/modes.h ../../../Include/openssl
+cp crypto/bn/bn.h ../../../Include/openssl
+cp crypto/ec/ec.h ../../../Include/openssl
+cp crypto/rsa/rsa.h ../../../Include/openssl
+cp crypto/dsa/dsa.h ../../../Include/openssl
+cp crypto/ecdsa/ecdsa.h ../../../Include/openssl
+cp crypto/dh/dh.h ../../../Include/openssl
+cp crypto/ecdh/ecdh.h ../../../Include/openssl
+cp crypto/dso/dso.h ../../../Include/openssl
+cp crypto/engine/engine.h ../../../Include/openssl
+cp crypto/buffer/buffer.h ../../../Include/openssl
+cp crypto/bio/bio.h ../../../Include/openssl
+cp crypto/stack/stack.h ../../../Include/openssl
+cp crypto/stack/safestack.h ../../../Include/openssl
+cp crypto/lhash/lhash.h ../../../Include/openssl
+cp crypto/rand/rand.h ../../../Include/openssl
+cp crypto/err/err.h ../../../Include/openssl
+cp crypto/evp/evp.h ../../../Include/openssl
+cp crypto/asn1/asn1.h ../../../Include/openssl
+cp crypto/asn1/asn1_mac.h ../../../Include/openssl
+cp crypto/asn1/asn1t.h ../../../Include/openssl
+cp crypto/pem/pem.h ../../../Include/openssl
+cp crypto/pem/pem2.h ../../../Include/openssl
+cp crypto/x509/x509.h ../../../Include/openssl
+cp crypto/x509/x509_vfy.h ../../../Include/openssl
+cp crypto/x509v3/x509v3.h ../../../Include/openssl
+cp crypto/conf/conf.h ../../../Include/openssl
+cp crypto/conf/conf_api.h ../../../Include/openssl
+cp crypto/txt_db/txt_db.h ../../../Include/openssl
+cp crypto/pkcs7/pkcs7.h ../../../Include/openssl
+cp crypto/pkcs12/pkcs12.h ../../../Include/openssl
+cp crypto/comp/comp.h ../../../Include/openssl
+cp crypto/ocsp/ocsp.h ../../../Include/openssl
+cp crypto/ui/ui.h ../../../Include/openssl
+cp crypto/ui/ui_compat.h ../../../Include/openssl
+cp crypto/krb5/krb5_asn.h ../../../Include/openssl
+cp crypto/cms/cms.h ../../../Include/openssl
+cp crypto/pqueue/pqueue.h ../../../Include/openssl
+cp crypto/ts/ts.h ../../../Include/openssl
+cp crypto/srp/srp.h ../../../Include/openssl
+cp crypto/cmac/cmac.h ../../../Include/openssl
+cp ssl/ssl.h ../../../Include/openssl
+cp ssl/ssl2.h ../../../Include/openssl
+cp ssl/ssl3.h ../../../Include/openssl
+cp ssl/ssl23.h ../../../Include/openssl
+cp ssl/tls1.h ../../../Include/openssl
+cp ssl/dtls1.h ../../../Include/openssl
+cp ssl/kssl.h ../../../Include/openssl
+cp ssl/srtp.h ../../../Include/openssl
cd ..
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index f564145..dbf8a96 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,9 +20,9 @@
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-0.9.8zf
- DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
- DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_MD2 -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ENGINE
+ DEFINE OPENSSL_PATH = openssl-1.0.2c
+ DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
+ DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE

#
# OPENSSL_FLAGS is set to define the following flags to be compatible with
@@ -46,6 +46,7 @@
# OPENSSL_NO_DYNAMIC_ENGINE
# GETPID_IS_MEANINGLESS
# OPENSSL_NO_STDIO
+# OPENSSL_NO_POSIX_IO
# OPENSSL_NO_FP_API
# OPENSSL_NO_DGRAM
# OPENSSL_NO_ASM
@@ -58,80 +59,122 @@
[Sources]
$(OPENSSL_PATH)/e_os.h
$(OPENSSL_PATH)/crypto/cryptlib.c
- $(OPENSSL_PATH)/crypto/dyn_lck.c
$(OPENSSL_PATH)/crypto/mem.c
$(OPENSSL_PATH)/crypto/mem_clr.c
$(OPENSSL_PATH)/crypto/mem_dbg.c
$(OPENSSL_PATH)/crypto/cversion.c
$(OPENSSL_PATH)/crypto/ex_data.c
-
- #
- # Not required for UEFI.
- #
- # $(OPENSSL_PATH)/crypto/tmdiff.c
-
$(OPENSSL_PATH)/crypto/cpt_err.c
$(OPENSSL_PATH)/crypto/ebcdic.c
$(OPENSSL_PATH)/crypto/uid.c
$(OPENSSL_PATH)/crypto/o_time.c
$(OPENSSL_PATH)/crypto/o_str.c
$(OPENSSL_PATH)/crypto/o_dir.c
+ $(OPENSSL_PATH)/crypto/o_fips.c
$(OPENSSL_PATH)/crypto/o_init.c
- $(OPENSSL_PATH)/crypto/fips_err.c
+ $(OPENSSL_PATH)/crypto/fips_ers.c

#
- # DIsabled by OPENSSL_NO_MD2
+ # OBJECTS
+ #
+ $(OPENSSL_PATH)/crypto/objects/o_names.c
+ $(OPENSSL_PATH)/crypto/objects/obj_dat.c
+ $(OPENSSL_PATH)/crypto/objects/obj_lib.c
+ $(OPENSSL_PATH)/crypto/objects/obj_err.c
+ $(OPENSSL_PATH)/crypto/objects/obj_xref.c
+
+ #
+ # MD4
#
- # $(OPENSSL_PATH)/crypto/md2/md2_dgst.c
- # $(OPENSSL_PATH)/crypto/md2/md2_one.c
$(OPENSSL_PATH)/crypto/md4/md4_dgst.c
$(OPENSSL_PATH)/crypto/md4/md4_one.c
+
+ #
+ # MD5
+ #
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
$(OPENSSL_PATH)/crypto/md5/md5_one.c
+
+ #
+ # SHA
+ #
$(OPENSSL_PATH)/crypto/sha/sha_dgst.c
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c
$(OPENSSL_PATH)/crypto/sha/sha_one.c
$(OPENSSL_PATH)/crypto/sha/sha1_one.c
$(OPENSSL_PATH)/crypto/sha/sha256.c
$(OPENSSL_PATH)/crypto/sha/sha512.c
+
+ #
+ # MDC2 - Disabled by OPENSSL_NO_MDC2
+ #
+ # $(OPENSSL_PATH)/crypto/mdc2/mdc2dgst.c
+ # $(OPENSSL_PATH)/crypto/mdc2/mdc2_one.c
+
+ #
+ # HMAC
+ #
$(OPENSSL_PATH)/crypto/hmac/hmac.c
+ $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
+ $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c

#
- # Disabled by OPENSSL_NO_RIPEMD
+ # RIPEMD - Disabled by OPENSSL_NO_RIPEMD
#
# $(OPENSSL_PATH)/crypto/ripemd/rmd_dgst.c
# $(OPENSSL_PATH)/crypto/ripemd/rmd_one.c

- $(OPENSSL_PATH)/crypto/des/des_lib.c
- $(OPENSSL_PATH)/crypto/des/set_key.c
- $(OPENSSL_PATH)/crypto/des/ecb_enc.c
+ #
+ # WHIRLPOOL - Disabled by OPENSSL_NO_WHIRLPOOL
+ #
+ # $(OPENSSL_PATH)/crypto/whrlpool/wp_dgst.c
+ # $(OPENSSL_PATH)/crypto/whrlpool/wp_block.c
+
+ #
+ # DES
+ #
+ $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
$(OPENSSL_PATH)/crypto/des/cbc_enc.c
- $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
$(OPENSSL_PATH)/crypto/des/cfb64enc.c
- $(OPENSSL_PATH)/crypto/des/cfb64ede.c
$(OPENSSL_PATH)/crypto/des/cfb_enc.c
- $(OPENSSL_PATH)/crypto/des/ofb64ede.c
+ $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
+ $(OPENSSL_PATH)/crypto/des/ecb_enc.c
$(OPENSSL_PATH)/crypto/des/enc_read.c
$(OPENSSL_PATH)/crypto/des/enc_writ.c
+ $(OPENSSL_PATH)/crypto/des/fcrypt.c
$(OPENSSL_PATH)/crypto/des/ofb64enc.c
$(OPENSSL_PATH)/crypto/des/ofb_enc.c
- $(OPENSSL_PATH)/crypto/des/str2key.c
$(OPENSSL_PATH)/crypto/des/pcbc_enc.c
$(OPENSSL_PATH)/crypto/des/qud_cksm.c
$(OPENSSL_PATH)/crypto/des/rand_key.c
+ $(OPENSSL_PATH)/crypto/des/rpc_enc.c
+ $(OPENSSL_PATH)/crypto/des/set_key.c
$(OPENSSL_PATH)/crypto/des/des_enc.c
$(OPENSSL_PATH)/crypto/des/fcrypt_b.c
- $(OPENSSL_PATH)/crypto/des/fcrypt.c
$(OPENSSL_PATH)/crypto/des/xcbc_enc.c
- $(OPENSSL_PATH)/crypto/des/rpc_enc.c
- $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
+ $(OPENSSL_PATH)/crypto/des/str2key.c
+ $(OPENSSL_PATH)/crypto/des/cfb64ede.c
+ $(OPENSSL_PATH)/crypto/des/ofb64ede.c
$(OPENSSL_PATH)/crypto/des/ede_cbcm_enc.c
$(OPENSSL_PATH)/crypto/des/des_old.c
$(OPENSSL_PATH)/crypto/des/des_old2.c
$(OPENSSL_PATH)/crypto/des/read2pwd.c

#
- # Disabled by OPENSSL_NO_RC2
+ # AES
+ #
+ $(OPENSSL_PATH)/crypto/aes/aes_core.c
+ $(OPENSSL_PATH)/crypto/aes/aes_misc.c
+ $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
+ $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
+ $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
+ $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
+ $(OPENSSL_PATH)/crypto/aes/aes_ctr.c
+ $(OPENSSL_PATH)/crypto/aes/aes_ige.c
+ $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
+
+ #
+ # RC2 - Disabled by OPENSSL_NO_RC2
#
# $(OPENSSL_PATH)/crypto/rc2/rc2_ecb.c
# $(OPENSSL_PATH)/crypto/rc2/rc2_skey.c
@@ -139,28 +182,42 @@
# $(OPENSSL_PATH)/crypto/rc2/rc2cfb64.c
# $(OPENSSL_PATH)/crypto/rc2/rc2ofb64.c

- $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
+ #
+ # RC4
+ #
$(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_fblk.c
+ $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
+ $(OPENSSL_PATH)/crypto/rc4/rc4_utl.c
+
+ #
+ # RC5 - Disabled by OPENSSL_NO_RC5
+ #
+ # $(OPENSSL_PATH)/crypto/rc5/rc5_skey.c
+ # $(OPENSSL_PATH)/crypto/rc5/rc5_ecb.c
+ # $(OPENSSL_PATH)/crypto/rc5/rc5_enc.c
+ # $(OPENSSL_PATH)/crypto/rc5/rc5cfb64.c
+ # $(OPENSSL_PATH)/crypto/rc5/rc5ofb64.c

#
- # Disabled by OPENSSL_NO_IDEA
+ # IDEA - Disabled by OPENSSL_NO_IDEA
#
# $(OPENSSL_PATH)/crypto/idea/i_cbc.c
# $(OPENSSL_PATH)/crypto/idea/i_cfb64.c
# $(OPENSSL_PATH)/crypto/idea/i_ofb64.c
# $(OPENSSL_PATH)/crypto/idea/i_ecb.c
# $(OPENSSL_PATH)/crypto/idea/i_skey.c
+
#
- # Disabled by OPENSSL_NO_BF
+ # BLOWFISH - Disabled by OPENSSL_NO_BF
#
# $(OPENSSL_PATH)/crypto/bf/bf_skey.c
# $(OPENSSL_PATH)/crypto/bf/bf_ecb.c
# $(OPENSSL_PATH)/crypto/bf/bf_enc.c
# $(OPENSSL_PATH)/crypto/bf/bf_cfb64.c
# $(OPENSSL_PATH)/crypto/bf/bf_ofb64.c
+
#
- # Disabled by OPENSSL_NO_CAST
+ # CAST - Disabled by OPENSSL_NO_CAST
#
# $(OPENSSL_PATH)/crypto/cast/c_skey.c
# $(OPENSSL_PATH)/crypto/cast/c_ecb.c
@@ -168,15 +225,43 @@
# $(OPENSSL_PATH)/crypto/cast/c_cfb64.c
# $(OPENSSL_PATH)/crypto/cast/c_ofb64.c

- $(OPENSSL_PATH)/crypto/aes/aes_misc.c
- $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
- $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
- $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
- $(OPENSSL_PATH)/crypto/aes/aes_ctr.c
- $(OPENSSL_PATH)/crypto/aes/aes_ige.c
- $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
- $(OPENSSL_PATH)/crypto/aes/aes_core.c
- $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
+ #
+ # CAMELLIA - Disabled by OPENSSL_NO_CAMELLIA
+ #
+ # $(OPENSSL_PATH)/crypto/camellia/camellia.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_misc.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_ecb.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_cbc.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_ofb.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_cfb.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_ctr.c
+ # $(OPENSSL_PATH)/crypto/camellia/cmll_utl.c
+
+ #
+ # SEED - Disabled by OPENSSL_NO_SEED
+ #
+ # $(OPENSSL_PATH)/crypto/seed/seed.c
+ # $(OPENSSL_PATH)/crypto/seed/seed_ecb.c
+ # $(OPENSSL_PATH)/crypto/seed/seed_cbc.c
+ # $(OPENSSL_PATH)/crypto/seed/seed_cfb.c
+ # $(OPENSSL_PATH)/crypto/seed/seed_ofb.c
+
+ #
+ # MODES
+ #
+ $(OPENSSL_PATH)/crypto/modes/cbc128.c
+ $(OPENSSL_PATH)/crypto/modes/ctr128.c
+ $(OPENSSL_PATH)/crypto/modes/cts128.c
+ $(OPENSSL_PATH)/crypto/modes/cfb128.c
+ $(OPENSSL_PATH)/crypto/modes/ofb128.c
+ $(OPENSSL_PATH)/crypto/modes/gcm128.c
+ $(OPENSSL_PATH)/crypto/modes/ccm128.c
+ $(OPENSSL_PATH)/crypto/modes/xts128.c
+ $(OPENSSL_PATH)/crypto/modes/wrap128.c
+
+ #
+ # BIGNUM
+ #
$(OPENSSL_PATH)/crypto/bn/bn_add.c
$(OPENSSL_PATH)/crypto/bn/bn_div.c
$(OPENSSL_PATH)/crypto/bn/bn_exp.c
@@ -203,9 +288,40 @@
$(OPENSSL_PATH)/crypto/bn/bn_gf2m.c
$(OPENSSL_PATH)/crypto/bn/bn_nist.c
$(OPENSSL_PATH)/crypto/bn/bn_depr.c
- $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
$(OPENSSL_PATH)/crypto/bn/bn_const.c
- $(OPENSSL_PATH)/crypto/bn/bn_opt.c
+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
+
+ #
+ # ELLIPTIC CURVE - Disabled by OPENSSL_NO_EC
+ #
+ # $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ # $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ # $(OPENSSL_PATH)/crypto/ec/ec2_mult.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ # $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ # $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ # $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ # $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+
+ #
+ # RSA
+ #
$(OPENSSL_PATH)/crypto/rsa/rsa_eay.c
$(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
$(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
@@ -220,13 +336,15 @@
$(OPENSSL_PATH)/crypto/rsa/rsa_null.c
$(OPENSSL_PATH)/crypto/rsa/rsa_pss.c
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
- $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
$(OPENSSL_PATH)/crypto/rsa/rsa_depr.c
- $(OPENSSL_PATH)/crypto/rsa/rsa_eng.c
+ $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
+ $(OPENSSL_PATH)/crypto/rsa/rsa_prn.c
+ $(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c
+ $(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c

#
- # Disabled by OPENSSL_NO_DSA
+ # DSA - Disabled by OPENSSL_NO_DSA
#
# $(OPENSSL_PATH)/crypto/dsa/dsa_gen.c
# $(OPENSSL_PATH)/crypto/dsa/dsa_key.c
@@ -237,16 +355,23 @@
# $(OPENSSL_PATH)/crypto/dsa/dsa_err.c
# $(OPENSSL_PATH)/crypto/dsa/dsa_ossl.c
# $(OPENSSL_PATH)/crypto/dsa/dsa_depr.c
- # $(OPENSSL_PATH)/crypto/dsa/dsa_utl.c
+ # $(OPENSSL_PATH)/crypto/dsa/dsa_ameth.c
+ # $(OPENSSL_PATH)/crypto/dsa/dsa_pmeth.c
+ # $(OPENSSL_PATH)/crypto/dsa/dsa_prn.c

- $(OPENSSL_PATH)/crypto/dso/dso_dl.c
- $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
- $(OPENSSL_PATH)/crypto/dso/dso_err.c
- $(OPENSSL_PATH)/crypto/dso/dso_lib.c
- $(OPENSSL_PATH)/crypto/dso/dso_null.c
- $(OPENSSL_PATH)/crypto/dso/dso_openssl.c
- $(OPENSSL_PATH)/crypto/dso/dso_win32.c
- $(OPENSSL_PATH)/crypto/dso/dso_vms.c
+ #
+ # ECDSA - Disabled by OPENSSL_NO_ECDSA
+ #
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_lib.c
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_asn1.c
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_ossl.c
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_sign.c
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_vrf.c
+ # $(OPENSSL_PATH)/crypto/ecdsa/ecs_err.c
+
+ #
+ # DIFFIE-HELLMAN
+ #
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
$(OPENSSL_PATH)/crypto/dh/dh_gen.c
$(OPENSSL_PATH)/crypto/dh/dh_key.c
@@ -254,44 +379,73 @@
$(OPENSSL_PATH)/crypto/dh/dh_check.c
$(OPENSSL_PATH)/crypto/dh/dh_err.c
$(OPENSSL_PATH)/crypto/dh/dh_depr.c
+ $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
+ $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
+ $(OPENSSL_PATH)/crypto/dh/dh_prn.c
+ $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
+ # $(OPENSSL_PATH)/crypto/dh/dh_kdf.c

#
- # Disabled by OPENSSL_NO_EC
- #
- # $(OPENSSL_PATH)/crypto/ec/ec_lib.c
- # $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
- # $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
- # $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
- # $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
- # $(OPENSSL_PATH)/crypto/ec/ec_mult.c
- # $(OPENSSL_PATH)/crypto/ec/ec_err.c
- # $(OPENSSL_PATH)/crypto/ec/ec_curve.c
- # $(OPENSSL_PATH)/crypto/ec/ec_check.c
- # $(OPENSSL_PATH)/crypto/ec/ec_print.c
- # $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
- # $(OPENSSL_PATH)/crypto/ec/ec_key.c
- # $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
- # $(OPENSSL_PATH)/crypto/ec/ec2_mult.c
- #
- # Disabled by OPENSSL_NO_ECDH
+ # ECDH - Disabled by OPENSSL_NO_ECDH
#
# $(OPENSSL_PATH)/crypto/ecdh/ech_lib.c
# $(OPENSSL_PATH)/crypto/ecdh/ech_ossl.c
# $(OPENSSL_PATH)/crypto/ecdh/ech_key.c
# $(OPENSSL_PATH)/crypto/ecdh/ech_err.c
+ # $(OPENSSL_PATH)/crypto/ecdh/ech_kdf.c
+
#
- # Disabled by OPENSSL_NO_ECDSA
+ # DSO
#
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_lib.c
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_asn1.c
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_ossl.c
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_sign.c
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_vrf.c
- # $(OPENSSL_PATH)/crypto/ecdsa/ecs_err.c
+ $(OPENSSL_PATH)/crypto/dso/dso_dl.c
+ $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
+ $(OPENSSL_PATH)/crypto/dso/dso_err.c
+ $(OPENSSL_PATH)/crypto/dso/dso_lib.c
+ $(OPENSSL_PATH)/crypto/dso/dso_null.c
+ $(OPENSSL_PATH)/crypto/dso/dso_openssl.c
+ $(OPENSSL_PATH)/crypto/dso/dso_win32.c
+ $(OPENSSL_PATH)/crypto/dso/dso_vms.c
+ $(OPENSSL_PATH)/crypto/dso/dso_beos.c
+
+ #
+ # ENGINE - Disabled by OPENSSL_NO_ENGINE
+ #
+ # $(OPENSSL_PATH)/crypto/engine/eng_err.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_lib.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_list.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_init.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_ctrl.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_table.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_pkey.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_fat.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_all.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_rsa.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_dsa.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_ecdsa.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_dh.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_ecdh.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_rand.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_store.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_cipher.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_digest.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_pkmeth.c
+ # $(OPENSSL_PATH)/crypto/engine/tb_asnmth.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_openssl.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_cnf.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_dyn.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_cryptodev.c
+ # $(OPENSSL_PATH)/crypto/engine/eng_rdrand.c

+ #
+ # BUFFER
+ #
$(OPENSSL_PATH)/crypto/buffer/buffer.c
$(OPENSSL_PATH)/crypto/buffer/buf_str.c
$(OPENSSL_PATH)/crypto/buffer/buf_err.c
+
+ #
+ # BIO
+ #
$(OPENSSL_PATH)/crypto/bio/bio_lib.c
$(OPENSSL_PATH)/crypto/bio/bio_cb.c
$(OPENSSL_PATH)/crypto/bio/bio_err.c
@@ -299,45 +453,58 @@
$(OPENSSL_PATH)/crypto/bio/bss_null.c
$(OPENSSL_PATH)/crypto/bio/bss_fd.c
$(OPENSSL_PATH)/crypto/bio/bss_file.c
+ $(OPENSSL_PATH)/crypto/bio/bss_sock.c
+ $(OPENSSL_PATH)/crypto/bio/bss_conn.c
$(OPENSSL_PATH)/crypto/bio/bf_null.c
$(OPENSSL_PATH)/crypto/bio/bf_buff.c
-
#
- # Not required for UEFI.
+ # Not Required by UEFI.
#
# $(OPENSSL_PATH)/crypto/bio/b_print.c
-
$(OPENSSL_PATH)/crypto/bio/b_dump.c
+ $(OPENSSL_PATH)/crypto/bio/b_sock.c
+ $(OPENSSL_PATH)/crypto/bio/bss_acpt.c
$(OPENSSL_PATH)/crypto/bio/bf_nbio.c
$(OPENSSL_PATH)/crypto/bio/bss_log.c
$(OPENSSL_PATH)/crypto/bio/bss_bio.c
$(OPENSSL_PATH)/crypto/bio/bss_dgram.c
+
+ #
+ # STACK
+ #
$(OPENSSL_PATH)/crypto/stack/stack.c
+
+ #
+ # LHASH
+ #
$(OPENSSL_PATH)/crypto/lhash/lhash.c
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
+
+ #
+ # RAND
+ #
$(OPENSSL_PATH)/crypto/rand/md_rand.c
$(OPENSSL_PATH)/crypto/rand/randfile.c
$(OPENSSL_PATH)/crypto/rand/rand_lib.c
- $(OPENSSL_PATH)/crypto/rand/rand_eng.c
$(OPENSSL_PATH)/crypto/rand/rand_err.c
- $(OPENSSL_PATH)/crypto/rand/rand_egd.c
- $(OPENSSL_PATH)/crypto/rand/rand_win.c
+ # $(OPENSSL_PATH)/crypto/rand/rand_egd.c
+ # $(OPENSSL_PATH)/crypto/rand/rand_win.c
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
- $(OPENSSL_PATH)/crypto/rand/rand_os2.c
- $(OPENSSL_PATH)/crypto/rand/rand_nw.c
+ # $(OPENSSL_PATH)/crypto/rand/rand_os2.c
+ # $(OPENSSL_PATH)/crypto/rand/rand_nw.c
+
+ #
+ # ERR
+ #
$(OPENSSL_PATH)/crypto/err/err.c
- $(OPENSSL_PATH)/crypto/err/err_def.c
$(OPENSSL_PATH)/crypto/err/err_all.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
- $(OPENSSL_PATH)/crypto/err/err_str.c
- $(OPENSSL_PATH)/crypto/err/err_bio.c
- $(OPENSSL_PATH)/crypto/objects/o_names.c
- $(OPENSSL_PATH)/crypto/objects/obj_dat.c
- $(OPENSSL_PATH)/crypto/objects/obj_lib.c
- $(OPENSSL_PATH)/crypto/objects/obj_err.c
+
+ #
+ # EVP
+ #
$(OPENSSL_PATH)/crypto/evp/encode.c
$(OPENSSL_PATH)/crypto/evp/digest.c
- $(OPENSSL_PATH)/crypto/evp/dig_eng.c
$(OPENSSL_PATH)/crypto/evp/evp_enc.c
$(OPENSSL_PATH)/crypto/evp/evp_key.c
$(OPENSSL_PATH)/crypto/evp/evp_acnf.c
@@ -346,22 +513,25 @@
$(OPENSSL_PATH)/crypto/evp/e_bf.c
$(OPENSSL_PATH)/crypto/evp/e_idea.c
$(OPENSSL_PATH)/crypto/evp/e_des3.c
+ $(OPENSSL_PATH)/crypto/evp/e_camellia.c
$(OPENSSL_PATH)/crypto/evp/e_rc4.c
$(OPENSSL_PATH)/crypto/evp/e_aes.c
$(OPENSSL_PATH)/crypto/evp/names.c
+ $(OPENSSL_PATH)/crypto/evp/e_seed.c
$(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
$(OPENSSL_PATH)/crypto/evp/e_rc2.c
$(OPENSSL_PATH)/crypto/evp/e_cast.c
$(OPENSSL_PATH)/crypto/evp/e_rc5.c
- $(OPENSSL_PATH)/crypto/evp/enc_min.c
$(OPENSSL_PATH)/crypto/evp/m_null.c
$(OPENSSL_PATH)/crypto/evp/m_md2.c
$(OPENSSL_PATH)/crypto/evp/m_md4.c
$(OPENSSL_PATH)/crypto/evp/m_md5.c
$(OPENSSL_PATH)/crypto/evp/m_sha.c
$(OPENSSL_PATH)/crypto/evp/m_sha1.c
+ $(OPENSSL_PATH)/crypto/evp/m_wp.c
$(OPENSSL_PATH)/crypto/evp/m_dss.c
$(OPENSSL_PATH)/crypto/evp/m_dss1.c
+ $(OPENSSL_PATH)/crypto/evp/m_mdc2.c
$(OPENSSL_PATH)/crypto/evp/m_ripemd.c
$(OPENSSL_PATH)/crypto/evp/m_ecdsa.c
$(OPENSSL_PATH)/crypto/evp/p_open.c
@@ -386,6 +556,17 @@
$(OPENSSL_PATH)/crypto/evp/p5_crpt.c
$(OPENSSL_PATH)/crypto/evp/p5_crpt2.c
$(OPENSSL_PATH)/crypto/evp/e_old.c
+ $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
+ $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
+ $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
+ $(OPENSSL_PATH)/crypto/evp/m_sigver.c
+ $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
+ $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
+ $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
+
+ #
+ # ASN1
+ #
$(OPENSSL_PATH)/crypto/asn1/a_object.c
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
$(OPENSSL_PATH)/crypto/asn1/a_utctm.c
@@ -421,6 +602,7 @@
$(OPENSSL_PATH)/crypto/asn1/x_info.c
$(OPENSSL_PATH)/crypto/asn1/x_spki.c
$(OPENSSL_PATH)/crypto/asn1/nsseq.c
+ $(OPENSSL_PATH)/crypto/asn1/x_nx509.c
$(OPENSSL_PATH)/crypto/asn1/d2i_pu.c
$(OPENSSL_PATH)/crypto/asn1/d2i_pr.c
$(OPENSSL_PATH)/crypto/asn1/i2d_pu.c
@@ -438,20 +620,22 @@
$(OPENSSL_PATH)/crypto/asn1/tasn_dec.c
$(OPENSSL_PATH)/crypto/asn1/tasn_utl.c
$(OPENSSL_PATH)/crypto/asn1/tasn_typ.c
+ $(OPENSSL_PATH)/crypto/asn1/tasn_prn.c
+ $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
$(OPENSSL_PATH)/crypto/asn1/f_int.c
$(OPENSSL_PATH)/crypto/asn1/f_string.c
$(OPENSSL_PATH)/crypto/asn1/n_pkey.c
$(OPENSSL_PATH)/crypto/asn1/f_enum.c
- $(OPENSSL_PATH)/crypto/asn1/a_hdr.c
$(OPENSSL_PATH)/crypto/asn1/x_pkey.c
$(OPENSSL_PATH)/crypto/asn1/a_bool.c
$(OPENSSL_PATH)/crypto/asn1/x_exten.c
+ $(OPENSSL_PATH)/crypto/asn1/bio_asn1.c
+ $(OPENSSL_PATH)/crypto/asn1/bio_ndef.c
$(OPENSSL_PATH)/crypto/asn1/asn_mime.c
$(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
$(OPENSSL_PATH)/crypto/asn1/asn1_par.c
$(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
$(OPENSSL_PATH)/crypto/asn1/asn1_err.c
- $(OPENSSL_PATH)/crypto/asn1/a_meth.c
$(OPENSSL_PATH)/crypto/asn1/a_bytes.c
$(OPENSSL_PATH)/crypto/asn1/a_strnid.c
$(OPENSSL_PATH)/crypto/asn1/evp_asn1.c
@@ -460,6 +644,10 @@
$(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c
$(OPENSSL_PATH)/crypto/asn1/p8_pkey.c
$(OPENSSL_PATH)/crypto/asn1/asn_moid.c
+
+ #
+ # PEM
+ #
$(OPENSSL_PATH)/crypto/pem/pem_sign.c
$(OPENSSL_PATH)/crypto/pem/pem_seal.c
$(OPENSSL_PATH)/crypto/pem/pem_info.c
@@ -471,6 +659,11 @@
$(OPENSSL_PATH)/crypto/pem/pem_oth.c
$(OPENSSL_PATH)/crypto/pem/pem_pk8.c
$(OPENSSL_PATH)/crypto/pem/pem_pkey.c
+ $(OPENSSL_PATH)/crypto/pem/pvkfmt.c
+
+ #
+ # X509
+ #
$(OPENSSL_PATH)/crypto/x509/x509_def.c
$(OPENSSL_PATH)/crypto/x509/x509_d2.c
$(OPENSSL_PATH)/crypto/x509/x509_r2x.c
@@ -492,9 +685,16 @@
$(OPENSSL_PATH)/crypto/x509/x_all.c
$(OPENSSL_PATH)/crypto/x509/x509_txt.c
$(OPENSSL_PATH)/crypto/x509/x509_trs.c
- $(OPENSSL_PATH)/crypto/x509/by_file.c
- $(OPENSSL_PATH)/crypto/x509/by_dir.c
+ #
+ # Not Required by UEFI.
+ #
+ # $(OPENSSL_PATH)/crypto/x509/by_file.c
+ # $(OPENSSL_PATH)/crypto/x509/by_dir.c
$(OPENSSL_PATH)/crypto/x509/x509_vpm.c
+
+ #
+ # X509v3
+ #
$(OPENSSL_PATH)/crypto/x509v3/v3_bcons.c
$(OPENSSL_PATH)/crypto/x509v3/v3_bitst.c
$(OPENSSL_PATH)/crypto/x509v3/v3_conf.c
@@ -531,6 +731,14 @@
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c
$(OPENSSL_PATH)/crypto/x509v3/v3_asid.c
$(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
+ #
+ # Not Required by UEFI.
+ #
+ # $(OPENSSL_PATH)/crypto/x509v3/v3_scts.c
+
+ #
+ # CONF
+ #
$(OPENSSL_PATH)/crypto/conf/conf_err.c
$(OPENSSL_PATH)/crypto/conf/conf_lib.c
$(OPENSSL_PATH)/crypto/conf/conf_api.c
@@ -538,7 +746,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_mod.c
$(OPENSSL_PATH)/crypto/conf/conf_mall.c
$(OPENSSL_PATH)/crypto/conf/conf_sap.c
+
+ #
+ # TXT_DB
+ #
$(OPENSSL_PATH)/crypto/txt_db/txt_db.c
+
+ #
+ # PKCS7
+ #
$(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
@@ -546,6 +762,11 @@
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
+ $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c
+
+ #
+ # PKCS12
+ #
$(OPENSSL_PATH)/crypto/pkcs12/p12_add.c
$(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c
$(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c
@@ -561,68 +782,96 @@
$(OPENSSL_PATH)/crypto/pkcs12/pk12err.c
$(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c
$(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c
+
+ #
+ # COMP
+ #
$(OPENSSL_PATH)/crypto/comp/comp_lib.c
$(OPENSSL_PATH)/crypto/comp/comp_err.c
$(OPENSSL_PATH)/crypto/comp/c_rle.c
$(OPENSSL_PATH)/crypto/comp/c_zlib.c

#
- # Disabled by OPENSSL_NO_ENGINE
+ # OCSP - Disabled by OPENSSL_NO_OCSP
#
- # $(OPENSSL_PATH)/crypto/engine/eng_err.c
- # $(OPENSSL_PATH)/crypto/engine/eng_lib.c
- # $(OPENSSL_PATH)/crypto/engine/eng_list.c
- # $(OPENSSL_PATH)/crypto/engine/eng_init.c
- # $(OPENSSL_PATH)/crypto/engine/eng_ctrl.c
- # $(OPENSSL_PATH)/crypto/engine/eng_table.c
- # $(OPENSSL_PATH)/crypto/engine/eng_pkey.c
- # $(OPENSSL_PATH)/crypto/engine/eng_fat.c
- # $(OPENSSL_PATH)/crypto/engine/eng_all.c
- # $(OPENSSL_PATH)/crypto/engine/tb_rsa.c
- # $(OPENSSL_PATH)/crypto/engine/tb_dsa.c
- # $(OPENSSL_PATH)/crypto/engine/tb_ecdsa.c
- # $(OPENSSL_PATH)/crypto/engine/tb_dh.c
- # $(OPENSSL_PATH)/crypto/engine/tb_ecdh.c
- # $(OPENSSL_PATH)/crypto/engine/tb_rand.c
- # $(OPENSSL_PATH)/crypto/engine/tb_store.c
- # $(OPENSSL_PATH)/crypto/engine/tb_cipher.c
- # $(OPENSSL_PATH)/crypto/engine/tb_digest.c
- # $(OPENSSL_PATH)/crypto/engine/eng_openssl.c
- # $(OPENSSL_PATH)/crypto/engine/eng_cnf.c
- # $(OPENSSL_PATH)/crypto/engine/eng_dyn.c
- # $(OPENSSL_PATH)/crypto/engine/eng_cryptodev.c
- # $(OPENSSL_PATH)/crypto/engine/eng_padlock.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c

#
- # Disabled by OPENSSL_NO_OCSP
+ # UI
#
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
- # $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c
-
- $(OPENSSL_PATH)/crypto/ui/ui_err.c
$(OPENSSL_PATH)/crypto/ui/ui_lib.c
-
#
- # Not required when OPENSSL_NO_STDIO is set, which is is for UEFI.
+ # Not Required by UEFI.
#
+ # $(OPENSSL_PATH)/crypto/ui/ui_err.c
# $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
-
$(OPENSSL_PATH)/crypto/ui/ui_util.c
$(OPENSSL_PATH)/crypto/ui/ui_compat.c
+
+ #
+ # KRB5
+ #
$(OPENSSL_PATH)/crypto/krb5/krb5_asn.c
- $(OPENSSL_PATH)/crypto/store/str_err.c
- $(OPENSSL_PATH)/crypto/store/str_lib.c
- $(OPENSSL_PATH)/crypto/store/str_meth.c
- $(OPENSSL_PATH)/crypto/store/str_mem.c
+
+ #
+ # CMS - Disabled by OPENSSL_NO_CMS
+ #
+ # $(OPENSSL_PATH)/crypto/cms/cms_lib.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_asn1.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_att.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_io.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_smime.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_err.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_sd.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_dd.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_cd.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_env.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_enc.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_ess.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_pwri.c
+ # $(OPENSSL_PATH)/crypto/cms/cms_kari.c
+
+ #
+ # PQUEUE
+ #
$(OPENSSL_PATH)/crypto/pqueue/pqueue.c

+ #
+ # TS
+ #
+ $(OPENSSL_PATH)/crypto/ts/ts_err.c
+ $(OPENSSL_PATH)/crypto/ts/ts_req_utils.c
+ $(OPENSSL_PATH)/crypto/ts/ts_req_print.c
+ $(OPENSSL_PATH)/crypto/ts/ts_rsp_utils.c
+ $(OPENSSL_PATH)/crypto/ts/ts_rsp_print.c
+ $(OPENSSL_PATH)/crypto/ts/ts_rsp_sign.c
+ $(OPENSSL_PATH)/crypto/ts/ts_rsp_verify.c
+ $(OPENSSL_PATH)/crypto/ts/ts_verify_ctx.c
+ $(OPENSSL_PATH)/crypto/ts/ts_lib.c
+ $(OPENSSL_PATH)/crypto/ts/ts_conf.c
+ $(OPENSSL_PATH)/crypto/ts/ts_asn1.c
+
+ #
+ # SRP - Disabled by OPENSSL_NO_SRP
+ #
+ # $(OPENSSL_PATH)/crypto/srp/srp_lib.c
+ # $(OPENSSL_PATH)/crypto/srp/srp_vfy.c
+
+ #
+ # CMAS
+ #
+ $(OPENSSL_PATH)/crypto/cmac/cmac.c
+ $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
+ $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c
+
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
@@ -631,47 +880,44 @@
DebugLib

[BuildOptions]
- #
- # Override MSFT build option to remove /W4 (to silence warning messages when building OpenSSL).
- #
- MSFT:DEBUG_VS2003_IA32_CC_FLAGS == /nologo /c /WX /Gs32768 /Gy /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /GX- /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:RELEASE_VS2003_IA32_CC_FLAGS == /nologo /c /WX /Gs32768 /Gy /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /GX- -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:DEBUG_VS2003xASL_IA32_CC_FLAGS == /nologo /c /WX /Gs32768 /Gy /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /GX- /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:RELEASE_VS2003xASL_IA32_CC_FLAGS == /nologo /c /WX /Gs32768 /Gy /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /GX- -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:DEBUG_DDK3790_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:RELEASE_DDK3790_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:DEBUG_DDK3790xASL_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:RELEASE_DDK3790xASL_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:DEBUG_*_IA32_CC_FLAGS == /nologo /c /WX /GS- /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:RELEASE_*_IA32_CC_FLAGS == /nologo /c /WX /GS- /Gs32768 /D UNICODE /O1ib2 /GL /FIAutoGen.h /EHs-c- /GR- /GF -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:NOOPT_*_IA32_CC_FLAGS == /nologo /c /WX /GS- /Gs32768 /D UNICODE /Od /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- MSFT:DEBUG_*_X64_CC_FLAGS == /nologo /c /WX /GS- /X /Gs32768 /D UNICODE /O1ib2s /GL /Gy /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- MSFT:RELEASE_*_X64_CC_FLAGS == /nologo /c /WX /GS- /X /Gs32768 /D UNICODE /O1ib2s /GL /Gy /FIAutoGen.h /EHs-c- /GR- /GF -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- MSFT:NOOPT_*_X64_CC_FLAGS == /nologo /c /WX /GS- /X /Gs32768 /D UNICODE /Od /Gy /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- MSFT:DEBUG_*_IPF_CC_FLAGS == /nologo /c /WX /GS- /X /EHs-c- /GR- /Gy /Os /GL /FIAutoGen.h /QIPF_fr32 /Zi -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- MSFT:RELEASE_*_IPF_CC_FLAGS == /nologo /c /WX /GS- /X /EHs-c- /GR- /Gy /Os /GL /FIAutoGen.h /QIPF_fr32 -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- MSFT:NOOPT_*_IPF_CC_FLAGS == /nologo /c /WX /GS- /X /EHs-c- /GR- /Gy /Od /FIAutoGen.h /QIPF_fr32 /Zi -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- INTEL:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
- INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- INTEL:*_*_IPF_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
- GCC:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
- GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
- GCC:*_*_IPF_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
- GCC:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
- GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
-
- # suppress the following warnings in openssl so we don't break the build with warnings-as-errors:
- # 1295: Deprecated declaration <entity> - give arg types
- # 550: <entity> was set but never used
- # 1293: assignment in condition
- # 111: statement is unreachable (invariably "break;" after "return X;" in case statement)
- # 68: integer conversion resulted in a change of sign ("if (Status == -1)")
- # 177: <entity> was declared but never referenced
- # 223: function <entity> declared implicitly
- # 144: a value of type <type> cannot be used to initialize an entity of type <type>
- # 513: a value of type <type> cannot be assigned to an entity of type <type>
- # 188: enumerated type mixed with another type (i.e. passing an integer as an enum without a cast)
- # 1296: Extended constant initialiser used
- RVCT:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) --library_interface=aeabi_clib99 --fpu=vfpv3 -DTHIRTY_TWO_BIT --diag_suppress=1296,1295,550,1293,111,68,177,223,144,513,188
- XCODE:*_*_IA32_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
- XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
\ No newline at end of file
+ #
+ # Disables the following Visual Studio compiler warnings brought by openssl source, so we do not break the build with /WX option:
+ # C4244: conversion from type1 to type2, possible loss of data
+ # C4702: unreachable code
+ # C4706: assignment within conditional expression
+ # C4133: incompatible types - from type1 to type2
+ # C4245: conversion from type1 to type2, signed/unsigned mismatch
+ # C4267: conversion from size_t to type, possible loss of data
+ # C4305: truncation from type1 to type2 of smaller size
+ # C4306: conversion from type1 to type2 of greater size
+ # C4702: Potentially uninitialized local variable name used
+ #
+ MSFT:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -DTHIRTY_TWO_BIT /wd4244 /wd4701 /wd4702 /wd4706
+ MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -DSIXTY_FOUR_BIT /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305 /wd4306 /wd4702 /wd4706
+ MSFT:*_*_IPF_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -DSIXTY_FOUR_BIT /wd4133 /wd4244 /wd4245 /wd4267 /wd4701 /wd4305 /wd4306 /wd4702 /wd4706
+
+ INTEL:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DTHIRTY_TWO_BIT
+ INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
+ INTEL:*_*_IPF_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w -DSIXTY_FOUR_BIT
+
+ GCC:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
+ GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
+ GCC:*_*_IPF_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
+ GCC:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
+ GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
+
+ # suppress the following warnings in openssl so we don't break the build with warnings-as-errors:
+ # 1295: Deprecated declaration <entity> - give arg types
+ # 550: <entity> was set but never used
+ # 1293: assignment in condition
+ # 111: statement is unreachable (invariably "break;" after "return X;" in case statement)
+ # 68: integer conversion resulted in a change of sign ("if (Status == -1)")
+ # 177: <entity> was declared but never referenced
+ # 223: function <entity> declared implicitly
+ # 144: a value of type <type> cannot be used to initialize an entity of type <type>
+ # 513: a value of type <type> cannot be assigned to an entity of type <type>
+ # 188: enumerated type mixed with another type (i.e. passing an integer as an enum without a cast)
+ # 1296: Extended constant initialiser used
+ RVCT:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) --library_interface=aeabi_clib99 --fpu=vfpv3 -DTHIRTY_TWO_BIT --diag_suppress=1296,1295,550,1293,111,68,177,223,144,513,188
+ XCODE:*_*_IA32_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DTHIRTY_TWO_BIT
+ XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w -DSIXTY_FOUR_BIT_LONG
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index de60a5f..0ea7b8a 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -4,49 +4,49 @@
================================================================================
OpenSSL is a well-known open source implementation of SSL and TLS protocols.
The core library implements the basic cryptographic functions and provides various
-utility functions. The OpenSSL library is widely used in variety of security
-products development as base crypto provider. (See http://www.openssl.org for more
+utility functions. The OpenSSL library is widely used in variety of security
+products development as base crypto provider. (See http://www.openssl.org for more
information for OpenSSL).
- UEFI (Unified Extensible Firmware Interface) is a specification detailing the
-interfaces between OS and platform firmware. Several security features were
-introduced (e.g. Authenticated Variable Service, Driver Signing, etc) from UEFI
-2.2 (http://www.uefi.org). These security features highly depends on the
+ UEFI (Unified Extensible Firmware Interface) is a specification detailing the
+interfaces between OS and platform firmware. Several security features were
+introduced (e.g. Authenticated Variable Service, Driver Signing, etc) from UEFI
+2.2 (http://www.uefi.org). These security features highly depends on the
cryptography. This patch will enable openssl building under UEFI environment.


================================================================================
OpenSSL-Version
================================================================================
- Current supported OpenSSL version for UEFI Crypto Library is 0.9.8zf.
- http://www.openssl.org/source/openssl-0.9.8zf.tar.gz
+ Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c.
+ http://www.openssl.org/source/openssl-1.0.2c.tar.gz


================================================================================
HOW to Install Openssl for UEFI Building
================================================================================
-1. Download OpenSSL 0.9.8zf from official website:
- http://www.openssl.org/source/openssl-0.9.8zf.tar.gz
+1. Download OpenSSL 1.0.2c from official website:
+ http://www.openssl.org/source/openssl-1.0.2c.tar.gz

- NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8zf.tar.tar.
- When you do the download, rename the "openssl-0.9.8zf.tar.tar" to
- "openssl-0.9.8zf.tar.gz" or rename the local downloaded file with ".tar.tar"
+ NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar.
+ When you do the download, rename the "openssl-1.0.2c.tar.tar" to
+ "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar"
extension to ".tar.gz".

-2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8zf
+2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c

- NOTE: If you use WinZip to unpack the openssl source in Windows, please
- uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
+ NOTE: If you use WinZip to unpack the openssl source in Windows, please
+ uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
-
-3. Apply this patch: EDKII_openssl-0.9.8zf.patch, and make installation
+
+3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation

For Windows Environment:
------------------------
1) Make sure the patch utility has been installed in your machine.
- Install Cygwin or get the patch utility binary from
+ Install Cygwin or get the patch utility binary from
http://gnuwin32.sourceforge.net/packages/patch.htm
- 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8zf
- 3) patch -p0 -i ..\EDKII_openssl-0.9.8zf.patch
+ 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c
+ 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch
4) cd ..
5) Install.cmd

@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
-----------------------
1) Make sure the patch utility has been installed in your machine.
Patch utility is available from http://directory.fsf.org/project/patch/
- 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8zf
- 3) patch -p0 -i ../EDKII_openssl-0.9.8zf.patch
+ 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c
+ 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch
4) cd ..
5) ./Install.sh
--
1.9.5.msysgit.1


------------------------------------------------------------------------------
Long, Qin
2015-06-14 17:17:49 UTC
Permalink
Sorry for the boring update series for CryptoPkg recently (1.0.2a -> 1.0.2b -> 1.0.2c).
Just one day after 1.0.2b was available, OpenSSL team released a new one (1.0.2c) to fix compatibility issue. I have to update this patch series to catch this upgrade. :-(. OK, it may be good for me to correct the patch format per Jordon's comments directly.

Ard & Ting, this update for 1.0.2c is almost same with 1.0.2b-patch, except letter changes ("b"->"c"). :-)


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Long, Qin [mailto:***@intel.com]
Sent: Monday, June 15, 2015 12:54 AM
To: ***@linaro.org; Ye, Ting
Cc: edk2-***@lists.sourceforge.net
Subject: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***

[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released to resolve ABI compatibility problems. This patch has to be updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c ================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will cease on 31st December 2015. This patch updates the EDKII openssl support to the latest 1.0.2 branch.

Long, Qin (3):
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c

CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ---------- .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode 100644 CryptoPkg/Include/memory.h delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch

--
1.9.5.msysgit.1
Ard Biesheuvel
2015-06-15 07:28:17 UTC
Permalink
Post by Long, Qin
Sorry for the boring update series for CryptoPkg recently (1.0.2a -> 1.0.2b -> 1.0.2c).
Just one day after 1.0.2b was available, OpenSSL team released a new one (1.0.2c) to fix compatibility issue. I have to update this patch series to catch this upgrade. :-(. OK, it may be good for me to correct the patch format per Jordon's comments directly.
Ard & Ting, this update for 1.0.2c is almost same with 1.0.2b-patch, except letter changes ("b"->"c"). :-)
Looks great. Built and tested and working fine for QEMU/AArch64
Post by Long, Qin
-----Original Message-----
Sent: Monday, June 15, 2015 12:54 AM
Subject: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released to resolve ABI compatibility problems. This patch has to be updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c ================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will cease on 31st December 2015. This patch updates the EDKII openssl support to the latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ---------- .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode 100644 CryptoPkg/Include/memory.h delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
--
1.9.5.msysgit.1
------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
------------------------------------------------------------------------------
Laszlo Ersek
2015-06-20 01:42:51 UTC
Permalink
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released
to resolve ABI compatibility problems. This patch has to be updated to
catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is updated to
catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will cease
on 31st December 2015. This patch updates the EDKII openssl support to the
latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-)
create mode 100644 CryptoPkg/Include/memory.h
delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.

I confirmed that with 0.9.8zf things work.

Thanks
Laszlo

------------------------------------------------------------------------------
Ard Biesheuvel
2015-06-20 13:01:17 UTC
Permalink
Post by Laszlo Ersek
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released
to resolve ABI compatibility problems. This patch has to be updated to
catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is updated to
catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will cease
on 31st December 2015. This patch updates the EDKII openssl support to the
latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-)
create mode 100644 CryptoPkg/Include/memory.h
delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.
I confirmed that with 0.9.8zf things work.
I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).

Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.
--
Ard.

------------------------------------------------------------------------------
Long, Qin
2015-06-20 16:59:38 UTC
Permalink
Ersek,

I already checked some local Authenticode signature and Cryptest utility, and Ard also helped to validate something, looks the new update works well.

Could you share me the signed shim binary? (I have no copy in my local environment now). Then I can check if any issues. Thanks.


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Ard Biesheuvel [mailto:***@linaro.org]
Sent: Saturday, June 20, 2015 9:01 PM
To: Laszlo Ersek
Cc: edk2-***@lists.sourceforge.net
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Post by Laszlo Ersek
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was
released to resolve ABI compatibility problems. This patch has to be
updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is
updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will
cease on 31st December 2015. This patch updates the EDKII openssl
support to the latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode
100644 CryptoPkg/Include/memory.h delete mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.
I confirmed that with 0.9.8zf things work.
I wonder what is going on here. My AArch64 boot tests work fine with these patches applied, but they don't use shim. (They do use GRUB as an intermediate loader calling LoadImage() to boot a signed kernel).

Are there any plans or patches yet to move shim to a more recent OpenSSL version? It shouldn't be affecting things like this, but it would allow a quick check if someone has patches already.

--
Ard.
Laszlo Ersek
2015-06-22 13:32:57 UTC
Permalink
Hi,
Post by Long, Qin
Ersek,
I already checked some local Authenticode signature and Cryptest
utility, and Ard also helped to validate something, looks the new
update works well.
Could you share me the signed shim binary? (I have no copy in my
local environment now). Then I can check if any issues. Thanks.
I have no evidence either way if the root cause is in edk2, or shim, or
grub; the only symptom I'm witnessing is that the combination of the
updated CryptoPkg / OpenSSL version and Fedora's UEFI binaries leads to
an infinite loop "somewhere" after such a binary is booted.

The easiest way to reprocude it is by downloading

https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso

and booting it.

The UEFI binary you're most probably interested in is from the following
Fedora package:

shim-signed-0.8-8
http://koji.fedoraproject.org/koji/buildinfo?buildID=612245

I thought that maybe you'd prefer a ZIP file, so I repacked it for you:

http://people.redhat.com/~lersek/for_qin_long/shim-0.8-8.x86_64.zip

Thanks!
Laszlo
Post by Long, Qin
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
Sent: Saturday, June 20, 2015 9:01 PM
To: Laszlo Ersek
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Post by Laszlo Ersek
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was
released to resolve ABI compatibility problems. This patch has to be
updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is
updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8 will
cease on 31st December 2015. This patch updates the EDKII openssl
support to the latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode
100644 CryptoPkg/Include/memory.h delete mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.
I confirmed that with 0.9.8zf things work.
I wonder what is going on here. My AArch64 boot tests work fine with these patches applied, but they don't use shim. (They do use GRUB as an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent OpenSSL version? It shouldn't be affecting things like this, but it would allow a quick check if someone has patches already.
--
Ard.
------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
Long, Qin
2015-06-22 16:45:24 UTC
Permalink
Laszlo, thanks for updates.

I did one quick validation based on the shared zip file. The signature verification succeeded.
This may just means the new updates (openssl-1.0.2c) should work well on Authenticode verification.

And it is just one static test based on Cryptest utility in CryptoPkg, since I have no full test environment now:
1. I stripped-off the p7 signature from the signed shim.efi file;
2. Use the certificate "Microsoft Corporation UEFI CA 2011" as trusted anchor;
3. Replace some static data in AuthenticodeVerify.c with these shim data (the Hash value was also stripped from the P7 data);
The test result is passed.

So looks the basic image verification should be OK. We may need extra efforts on root-cause. Will do more booting validations on my workstation later. :-)

Peter, any suggestion against this?


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Laszlo Ersek [mailto:***@redhat.com]
Sent: Monday, June 22, 2015 9:33 PM
To: Long, Qin
Cc: edk2-***@lists.sourceforge.net; Peter Jones
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***

Hi,
Post by Long, Qin
Ersek,
I already checked some local Authenticode signature and Cryptest
utility, and Ard also helped to validate something, looks the new
update works well.
Could you share me the signed shim binary? (I have no copy in my local
environment now). Then I can check if any issues. Thanks.
I have no evidence either way if the root cause is in edk2, or shim, or grub; the only symptom I'm witnessing is that the combination of the updated CryptoPkg / OpenSSL version and Fedora's UEFI binaries leads to an infinite loop "somewhere" after such a binary is booted.

The easiest way to reprocude it is by downloading

https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso

and booting it.

The UEFI binary you're most probably interested in is from the following Fedora package:

shim-signed-0.8-8
http://koji.fedoraproject.org/koji/buildinfo?buildID=612245

I thought that maybe you'd prefer a ZIP file, so I repacked it for you:

http://people.redhat.com/~lersek/for_qin_long/shim-0.8-8.x86_64.zip

Thanks!
Laszlo
Post by Long, Qin
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
Sent: Saturday, June 20, 2015 9:01 PM
To: Laszlo Ersek
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Post by Laszlo Ersek
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was
released to resolve ABI compatibility problems. This patch has to be
updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is
updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8
will cease on 31st December 2015. This patch updates the EDKII
openssl support to the latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode
100644 CryptoPkg/Include/memory.h delete mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.
I confirmed that with 0.9.8zf things work.
I wonder what is going on here. My AArch64 boot tests work fine with these patches applied, but they don't use shim. (They do use GRUB as an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent OpenSSL version? It shouldn't be affecting things like this, but it would allow a quick check if someone has patches already.
--
Ard.
------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
Peter Jones
2015-06-22 18:23:48 UTC
Permalink
Post by Long, Qin
Laszlo, thanks for updates.
I did one quick validation based on the shared zip file. The signature verification succeeded.
This may just means the new updates (openssl-1.0.2c) should work well on Authenticode verification.
1. I stripped-off the p7 signature from the signed shim.efi file;
2. Use the certificate "Microsoft Corporation UEFI CA 2011" as trusted anchor;
3. Replace some static data in AuthenticodeVerify.c with these shim data (the Hash value was also stripped from the P7 data);
The test result is passed.
So looks the basic image verification should be OK. We may need extra efforts on root-cause. Will do more booting validations on my workstation later. :-)
Peter, any suggestion against this?
I've got some features in an upcoming shim release to make debugging a
lot easier. Until then, basically you need to know the address shim was
loaded at and the offset of .text, and then use shim.efi.debug as the
symbol file in gdb with add-symbol-file .

I can look in to this, but right now I'm very deep in deadline time for
RHEL 7.2, so it's going to be hard to find time in the *immediate*
future. If somebody else can figure those out and get a traceback
out of it, that'd be helpful.

Hard to see how shim wedging can be the result of changing the openssl
version in tiano, though - we don't directly call any of that code.
Post by Long, Qin
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
Sent: Monday, June 22, 2015 9:33 PM
To: Long, Qin
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Hi,
Post by Long, Qin
Ersek,
I already checked some local Authenticode signature and Cryptest
utility, and Ard also helped to validate something, looks the new
update works well.
Could you share me the signed shim binary? (I have no copy in my local
environment now). Then I can check if any issues. Thanks.
I have no evidence either way if the root cause is in edk2, or shim, or grub; the only symptom I'm witnessing is that the combination of the updated CryptoPkg / OpenSSL version and Fedora's UEFI binaries leads to an infinite loop "somewhere" after such a binary is booted.
The easiest way to reprocude it is by downloading
https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso
and booting it.
shim-signed-0.8-8
http://koji.fedoraproject.org/koji/buildinfo?buildID=612245
http://people.redhat.com/~lersek/for_qin_long/shim-0.8-8.x86_64.zip
Thanks!
Laszlo
Post by Long, Qin
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
Sent: Saturday, June 20, 2015 9:01 PM
To: Laszlo Ersek
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***
Post by Laszlo Ersek
Hi,
Post by Long, Qin
[NOTE]
Just one day after 1.0.2b release, one new upgrade (1.0.2c) was
released to resolve ABI compatibility problems. This patch has to be
updated to catch this latest release.
No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
================================================================
OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is
updated to catch this latest release.
One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
Then remove the fix codes from EDKII-openssl-1.0.2b.patch
Add few missed boundary check in CryptX509.c
================================================================
Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
The OpenSSL Project announced that the support for version 0.9.8
will cease on 31st December 2015. This patch updates the EDKII
openssl support to the latest 1.0.2 branch.
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
CryptoPkg: Wrapper files updates to support openssl-1.0.2c
CryptoPkg/Include/OpenSslSupport.h | 8 +-
CryptoPkg/Include/memory.h | 16 +
.../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
.../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
.../Library/OpensslLib/EDKII_openssl-1.0.2c.patch | 346 ++++++++++++
CryptoPkg/Library/OpensslLib/Install.cmd | 146 ++---
CryptoPkg/Library/OpensslLib/Install.sh | 146 ++---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 620 ++++++++++++++-------
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 46 +-
13 files changed, 1013 insertions(+), 651 deletions(-) create mode
100644 CryptoPkg/Include/memory.h delete mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
create mode 100644
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
Sorry that I'm late to the party, but this update seems to have broken
Secure Boot under OVMF. I started out with a fresh varstore, enrolled
the Microsoft keys manually, using the SecureBootConfigDxe forms, and
then tried to boot Fedora 20. "Booting fedora shim" appears at the end
of the debug log, and the VM spins into an infinite loop.
I confirmed that with 0.9.8zf things work.
I wonder what is going on here. My AArch64 boot tests work fine with these patches applied, but they don't use shim. (They do use GRUB as an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent OpenSSL version? It shouldn't be affecting things like this, but it would allow a quick check if someone has patches already.
--
Ard.
------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
--
Peter
Peter Jones
2015-06-22 18:24:55 UTC
Permalink
Post by Ard Biesheuvel
I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.
Yes, there's a plan to do so - Gary Lin has had a patch in progress and
was waiting for this patch to hit before sending it to me. I expect to
see it any time. (I would not be surprised if he's trying to debug an
analog to this exact same issue...)

That said, it's unclear to me how shim being on a prior openssl version
would cause the problem Laszlo is seeing - there's no cross-linkage of
any kind between the two openssl builds in memory.
--
Peter
Gary Ching-Pang Lin
2015-06-23 02:25:30 UTC
Permalink
Post by Peter Jones
Post by Ard Biesheuvel
I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.
Yes, there's a plan to do so - Gary Lin has had a patch in progress and
was waiting for this patch to hit before sending it to me. I expect to
see it any time. (I would not be surprised if he's trying to debug an
analog to this exact same issue...)
I'm currently busy with other things so the update in shim may be delayed
for a while.
Post by Peter Jones
That said, it's unclear to me how shim being on a prior openssl version
would cause the problem Laszlo is seeing - there's no cross-linkage of
any kind between the two openssl builds in memory.
shim and grub2 are using the openssl lib independent from the one in firmware,
so it surprised me the openssl update patches broke the bootloaders. I just
tested OVMF R17650 with openSUSE 13.2 and everything went well. The shim we
use in openSUSE 13.2 is 0.7 + a series of patches (most of them are upstream
patches). Hope this could narrow down the issue.

Cheers,

Gary Lin
Laszlo Ersek
2015-06-23 08:07:36 UTC
Permalink
Post by Gary Ching-Pang Lin
Post by Peter Jones
Post by Ard Biesheuvel
I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.
Yes, there's a plan to do so - Gary Lin has had a patch in progress and
was waiting for this patch to hit before sending it to me. I expect to
see it any time. (I would not be surprised if he's trying to debug an
analog to this exact same issue...)
I'm currently busy with other things so the update in shim may be delayed
for a while.
Post by Peter Jones
That said, it's unclear to me how shim being on a prior openssl version
would cause the problem Laszlo is seeing - there's no cross-linkage of
any kind between the two openssl builds in memory.
shim and grub2 are using the openssl lib independent from the one in firmware,
so it surprised me the openssl update patches broke the bootloaders. I just
tested OVMF R17650 with openSUSE 13.2 and everything went well. The shim we
use in openSUSE 13.2 is 0.7 + a series of patches (most of them are upstream
patches). Hope this could narrow down the issue.
Huh. R17650 is past the openssl-1.0.2c update.

Can you please give me (or link for me) the install media for openSUSE
13.2? I'd like to try it.

Thanks
Laszlo
Post by Gary Ching-Pang Lin
Cheers,
Gary Lin
------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
Gary Ching-Pang Lin
2015-06-23 08:43:30 UTC
Permalink
Post by Laszlo Ersek
Post by Gary Ching-Pang Lin
Post by Peter Jones
Post by Ard Biesheuvel
I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).
Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.
Yes, there's a plan to do so - Gary Lin has had a patch in progress and
was waiting for this patch to hit before sending it to me. I expect to
see it any time. (I would not be surprised if he's trying to debug an
analog to this exact same issue...)
I'm currently busy with other things so the update in shim may be delayed
for a while.
Post by Peter Jones
That said, it's unclear to me how shim being on a prior openssl version
would cause the problem Laszlo is seeing - there's no cross-linkage of
any kind between the two openssl builds in memory.
shim and grub2 are using the openssl lib independent from the one in firmware,
so it surprised me the openssl update patches broke the bootloaders. I just
tested OVMF R17650 with openSUSE 13.2 and everything went well. The shim we
use in openSUSE 13.2 is 0.7 + a series of patches (most of them are upstream
patches). Hope this could narrow down the issue.
Huh. R17650 is past the openssl-1.0.2c update.
Can you please give me (or link for me) the install media for openSUSE
13.2? I'd like to try it.
openSUSE 13.2 is available in:
https://software.opensuse.org/132/

Maybe you could download the shim first and test it in a vfat dir
(ex: -hda fat:hda-contents/)? Just put shim.efi and MokManager.efi
in the same directory, and shim will load MokManager when there is
no grub2. If it works, then put grub.efi in the same directory and
see whether the grub console shows or not. It would be easier to
identify the problem.

The openSUSE shim is available in
https://build.opensuse.org/package/binaries/openSUSE:13.2/shim?repository=standard

Cheers,

Gary Lin
Laszlo Ersek
2015-06-23 12:40:43 UTC
Permalink
Post by Gary Ching-Pang Lin
Post by Laszlo Ersek
Post by Gary Ching-Pang Lin
Post by Peter Jones
Post by Ard Biesheuvel
I wonder what is going on here. My AArch64 boot tests work fine
with these patches applied, but they don't use shim. (They do use
GRUB as an intermediate loader calling LoadImage() to boot a
signed kernel).
Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but
it would allow a quick check if someone has patches already.
Yes, there's a plan to do so - Gary Lin has had a patch in progress
and was waiting for this patch to hit before sending it to me. I
expect to see it any time. (I would not be surprised if he's
trying to debug an analog to this exact same issue...)
I'm currently busy with other things so the update in shim may be
delayed for a while.
Post by Peter Jones
That said, it's unclear to me how shim being on a prior openssl
version would cause the problem Laszlo is seeing - there's no
cross-linkage of any kind between the two openssl builds in memory.
shim and grub2 are using the openssl lib independent from the one in
firmware, so it surprised me the openssl update patches broke the
bootloaders. I just tested OVMF R17650 with openSUSE 13.2 and
everything went well. The shim we use in openSUSE 13.2 is 0.7 + a
series of patches (most of them are upstream patches). Hope this
could narrow down the issue.
Huh. R17650 is past the openssl-1.0.2c update.
Can you please give me (or link for me) the install media for
openSUSE 13.2? I'd like to try it.
https://software.opensuse.org/132/
Maybe you could download the shim first and test it in a vfat dir
(ex: -hda fat:hda-contents/)? Just put shim.efi and MokManager.efi
in the same directory, and shim will load MokManager when there is
no grub2. If it works, then put grub.efi in the same directory and
see whether the grub console shows or not. It would be easier to
identify the problem.
The openSUSE shim is available in
https://build.opensuse.org/package/binaries/openSUSE:13.2/shim?repository=standard
Thanks, I tested this. It fails the same way for me as my earlier test.

Luckily though, I happened to have the serial console of the VM open at
this point, and I got the following exception dump there:

FS1:\opensuse\usr\lib64\efi\> shim.efi
!!!! X64 Exception Type - 000000000000000D CPU Apic ID - 00000000 !!!!
RIP - 000000001FDEFDF3, CS - 0000000000000028, RFLAGS - 0000000000010206
ExceptionData - 0000000000000000
RAX - 1FF5FF7400000000, RCX - 1FF5FF7400000000, RDX - 0000000000000004
RBX - 000000001FDF430E, RSP - 000000001FF5FEB0, RBP - 000000001FF5FEE0
RSI - 0000000000000000, RDI - 0000000000000051
R8 - 000000001EE66458, R9 - 000000001EE66458, R10 - 00000000FFFFFFFF
R11 - 0000000000000000, R12 - 0000000000000000, R13 - 0000000000000000
R14 - 0000000000000000, R15 - 0000000000000000
DS - 0000000000000008, ES - 0000000000000008, FS - 0000000000000008
GS - 0000000000000008, SS - 0000000000000008
CR0 - 0000000080000033, CR2 - 0000000000000000, CR3 - 000000001FEFF000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 000000001FEED7D8 000000000000003F, LDTR - 0000000000000000
IDTR - 000000001F712018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 000000001FF5FB10
!!!! Find PE image .../Build/OvmfX64/DEBUG_GCC48/X64/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe/DEBUG/SecurityStubDxe.dll (ImageBase=000000001FDEA000, EntryPoint=000000001FDEA2AF) !!!!

I quickly repeated my original, Fedora-based test (now looking at the
serial console too), and it fails with the same exception.

The crash itself seems to be inside AsciiStrLen() -- based on RIP,
ImageBase, EntryPoint --, but I don't see the call stack that leads up
to it.

...

Okay, after a few more hours of struggle, I found the bug. It's the
usual VA_START <-> EFIAPI problem.

As discussed earlier (on several occasions), in practice *all* code in
edk2 that uses VA_START() *must* be EFIAPI. Refer to the third
VA_START() macro definition in "MdePkg/Include/Base.h". That macro
definition *depends* on the EFIAPI calling convention. This is violated
by the openssl library.

The call stack that I reconstructed (with manual debug messages) goes
like this, when edk2 tries to validate the shim binary:

Security2StubAuthenticate() [MdeModulePkg/Universal/SecurityStubDxe/SecurityStub.c]
ExecuteSecurity2Handlers() [MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.c]
// via function pointer
// "Security2Handler"
DxeImageVerificationHandler [SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c]
IsAllowedByDb() [SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c]
AuthenticodeVerify() [CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c]
Pkcs7Verify() [CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c]
PKCS7_verify() [CryptoPkg/Library/OpensslLib/openssl-1.0.2c/crypto/pkcs7/pk7_smime.c]
ERR_add_error_data() [CryptoPkg/Library/OpensslLib/openssl-1.0.2c/crypto/err/err.c]
ERR_add_error_vdata() [CryptoPkg/Library/OpensslLib/openssl-1.0.2c/crypto/err/err.c]
strlen() BOOM

More closely, look at the following in the PKCS7_verify() function:

323 i = X509_verify_cert(&cert_ctx);
324 if (i <= 0)
325 j = X509_STORE_CTX_get_error(&cert_ctx);
326 X509_STORE_CTX_cleanup(&cert_ctx);
327 if (i <= 0) {
328 PKCS7err(PKCS7_F_PKCS7_VERIFY,
329 PKCS7_R_CERTIFICATE_VERIFY_ERROR);
330 ERR_add_error_data(2, "Verify error:",
331 X509_verify_cert_error_string(j));
332 sk_X509_free(signers);
333 return 0;
334 }

The verification step on line 323 fails. (I don't know why, but I guess
shim.efi could still be accepted by other means -- we are only inside
IsAllowedByDb(), and there are other possibilities for a binary to pass
the check.)

In any case, the variable "j" is assigned. The error message that "j"
corresponds to is:

unable to get local issuer certificate

I printed this error string separately, and it is all right per se. The
function call that blows up is on line 330, the ERR_add_error_data()
one.

Namely:

1075 void ERR_add_error_data(int num, ...)
1076 {
1077 va_list args;
1078 va_start(args, num);
1079 ERR_add_error_vdata(num, args);
1080 va_end(args);
1081 }

This function uses va_start(), which, according to
"CryptoPkg/Include/OpenSslSupport.h", gets turned into VA_START().
However, the function does not apply the EFIAPI calling convention, and
that causes it to blow up.

In PKCS7_verify(), before the call to ERR_add_error_data(), I extracted
the string "Verify error:" as:

STATIC CONST CHAR8 err1[] = "Verify error:";

and then I printed the *address* of err1, before passing err1 to
ERR_add_error_data(). It was: 0x3FE6CC98, a valid address.

Inside ERR_add_error_data() --> ERR_add_error_vdata(), we have:

1083 void ERR_add_error_vdata(int num, va_list args)
1084 {
1085 int i, n, s;
1086 char *str, *p, *a;
1087
1088 s = 80;
1089 str = OPENSSL_malloc(s + 1);
1090 if (str == NULL)
1091 return;
1092 str[0] = '\0';
1093
1094 n = 0;
1095 for (i = 0; i < num; i++) {
1096 a = va_arg(args, char *);
1097 /* ignore NULLs, thanks to Bob Beck <***@obtuse.com> */
1098 if (a != NULL) {
1099 n += strlen(a);

The function retrieves the address of the string, and calls strlen() on
it -- which corresponds to AsciiStrLen(), again according to
OpenSslSupport.h.

Now, just before the call to strlen(), I printed the address stored "a"
*again* -- and it was 0x3FF6_0474_0000_0000.

That address is consistent with the exception dump I'm getting right
after on the serial console; the address is visible in both RAX and RCX.
Plus, the call stack that I tracked down is consistent with the
exception RIP identifying AsciiStrLen().

Summary: while storing the error message from the X509 certificate
verification, things blow up, because ERR_add_error_data() is a varargs
function, but lacks EFIAPI, hence turns its arguments into garbage.

Now, why did this use to work with 0.9.8zf? Easy; just compare the
following two files:

- CryptoPkg/Library/OpensslLib/openssl-0.9.8zf/crypto/err/err.c
- CryptoPkg/Library/OpensslLib/openssl-1.0.2c/crypto/err/err.c

In 0.9.8zf, the prototype of the ERR_add_error_data() function looks
like this:

324 /* Add EFIAPI for UEFI version. */
325 #if defined(OPENSSL_SYS_UEFI)
326 void EFIAPI ERR_add_error_data(int num, ...)
327 #else
328 void ERR_add_error_data(int num, ...)
329 #endif
330 {
331 va_list args;
332 int i, n, s;
333 char *str, *p, *a;

And that's gone in 1.0.2c.

The bug is in:

commit f93f78ea70f14f0ca17e122588b85f947adfa569
Author: Qin Long <***@intel.com>
Date: Tue Jun 16 00:52:17 2015 +0000

CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c

This patch adds a patch file for openssl-1.0.2c, and removes
the patch file for openssl-0.9.8zf.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <***@intel.com>
Reviewed-by: Ard Biesheuvel <***@linaro.org>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/***@17633 6f19259b-4bc3-4df7-8a09-765794883524

Because

CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch

used to have
a hunk that added the EFIAPI declspec to ERR_add_error_data(), but

CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch

dropped that hunk.

I'll post a patch soon.

Thanks
Laszlo
Laszlo Ersek
2015-06-23 12:45:11 UTC
Permalink
Post by Laszlo Ersek
commit f93f78ea70f14f0ca17e122588b85f947adfa569
Date: Tue Jun 16 00:52:17 2015 +0000
CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
This patch adds a patch file for openssl-1.0.2c, and removes
the patch file for openssl-0.9.8zf.
Contributed-under: TianoCore Contribution Agreement 1.0
Because
CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
used to have
a hunk that added the EFIAPI declspec to ERR_add_error_data(), but
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
dropped that hunk.
Also, there are no more EFIAPI strings in "EDKII_openssl-0.9.8zf.patch",
so hopefully this is the only such omission in the 1.0.2c patch. I'll
see soon.

Thanks
Laszlo

Loading...