[edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to openssl-3.0.8

Li, Yi yi1.li at intel.com
Thu Aug 3 04:40:24 UTC 2023


Hi Ard,

Your feedback has already been integrated into the latest patch series: [PATCH V2 00/29] CryptoPkg: Update OpenSSL submodule to 3.0.9
Thanks for your review, let me know if you have any feedback.

Regards,
Yi

-----Original Message-----
From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Ard Biesheuvel
Sent: Friday, June 2, 2023 5:15 PM
To: Yao, Jiewen <jiewen.yao at intel.com>
Cc: devel at edk2.groups.io; kraxel at redhat.com; Li, Yi1 <yi1.li at intel.com>; Wang, Jian J <jian.j.wang at intel.com>; Pawel Polawski <ppolawsk at redhat.com>; Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>; Oliver Steffen <osteffen at redhat.com>; Justen, Jordan L <jordan.l.justen at intel.com>
Subject: Re: [edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to openssl-3.0.8

On Fri, 2 Jun 2023 at 04:53, Yao, Jiewen <jiewen.yao at intel.com> wrote:
>
> Hi Ard
> Would you please take a look at https://github.com/tianocore/edk2-staging/tree/OpenSSL30, which is our current working version? If you have any ideas, please propose a patch.
>
> Also, could you please try that on ARM/AARCH64 platform to see if there is anything broken?
>
> I think those are important to make sure we have a working version for next stable tag.
>

Agreed.

With GCC5 and the tweak below [0], that branch builds OVMF/ArmVirtQemu fine for me on {X64,AARCH64,ARM} x {DEBUG,RELEASE,NOOPT}.

I also built DeveloperBox.dsc and DeveloperBoxMm.dsc from edk2-platforms without problems, with SECURE_BOOT_ENABLE and TPM2_ENABLE both set.

Clang seemed to work fine as well, but the branch still uses CLANG3x so we need to rebase this branch onto the latest stable tag first and retest.

I did only a quick boot test to check whether secure boot verification was working, but all seemed to work fine.

In any case, if we want to make the next stable tag, I think we should move quickly, so that we have enough time to fix any issues that may arise.



[0] first hunk is based on 7880536fe17c2b54 in openssl upstream

--- a/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h
+++ b/CryptoPkg/Library/OpensslLib/OpensslGen/openssl/x509v3.h
@@ -177,7 +177,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier; diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c
b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
index c256f17667668866..a736dca8b73d27d5 100644
--- a/CryptoPkg/Library/OpensslLib/SslExtServNull.c
+++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
@@ -177,12 +177,6 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
     return 0;
 }

-static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
-                                                 SSL_SESSION **sess)
-{
-    return SSL_TICKET_NO_DECRYPT;
-}
-
 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)  {
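Review bot: In the first hunk (x509v3.h, the x400Address member of the GENERAL_NAME union), the type change is applied by hand to a header under OpensslGen/, so it can be lost or diverge again the next time that directory is regenerated. The header and the OpenSSL sources compiled from the submodule have to agree on this member's type, otherwise a consumer reads the pointer as the wrong ASN.1 structure. Prefer regenerating the header from a submodule revision that already contains upstream 7880536fe17c2b54 instead of editing the generated copy, and record that commit id in the commit message.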
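Review bot: In the second hunk (SslExtServNull.c), the static stub tls_get_stateful_ticket() is deleted without a stated reason; the "[0]" note ahead of the patch only explains the first hunk. If the stub is dropped because nothing in this file calls it any more and the unused static function trips the GCC5 build, say so in the commit message, and confirm that tls_parse_ctos_psk() directly below it needs no stateful-ticket lookup in this null implementation.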






