From 91c79aab4c6646fc47e668e0e0a4f71f3cdeddb0 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Jan 19 2018 09:16:19 +0000 Subject: add openssl patches from Fedora, enable TLS mode Since edk2 does not compile the apps/ subdirectory, the only other patches that might apply are openssl-1.1.0-no-md5-verify.patch (but edk2 does not have secure_getenv) and of course FIPS 140-2 mode. --- diff --git a/edk2.spec b/edk2.spec index 67a759e..b6621bc 100644 --- a/edk2.spec +++ b/edk2.spec @@ -29,7 +29,7 @@ Name: edk2 Version: %{edk2_date}git%{edk2_githash} -Release: 2%{dist} +Release: 3%{dist} Summary: EFI Development Kit II Group: Applications/Emulators @@ -78,6 +78,12 @@ Patch0024: 0024-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch Patch0099: 0099-Tweak-the-tools_def-to-support-cross-compiling.patch %endif +# openssl patches from Fedora +Patch1021: openssl-1.1.0-issuer-hash.patch +Patch1039: openssl-1.1.0-cc-reqs.patch +Patch1040: openssl-1.1.0-disable-ssl3.patch +Patch1044: openssl-1.1.0-bio-fd-preserve-nl.patch + %if 0%{?fedora:1} # # actual firmware builds support cross-compiling. edk2-tools @@ -179,7 +185,6 @@ armv7 UEFI Firmware %prep %setup -q -n tianocore-%{name}-%{edk2_githash} -%autopatch -p1 # Ensure old shell and binary packages are not used @@ -193,6 +198,8 @@ cp -a -- %{SOURCE2} . # add openssl (cd .. && tar -xvf %{SOURCE1}) cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl + +%autopatch -p1 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp %build @@ -214,6 +221,7 @@ CC_FLAGS="${CC_FLAGS} --cmd-len=65536" # ovmf features OVMF_FLAGS="${CC_FLAGS}" +OVMF_FLAGS="${OVMF_FLAGS} -D TLS_ENABLE" OVMF_FLAGS="${OVMF_FLAGS} -D HTTP_BOOT_ENABLE" OVMF_FLAGS="${OVMF_FLAGS} -D NETWORK_IP6_ENABLE" OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_2MB" 
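Review bot: The new `# openssl patches from Fedora` comment should also record which Fedora patches were deliberately left out and why, because that decision currently lives only in the commit message and will be lost on the next refresh of this set. Suggested wording: `# openssl patches from Fedora; the apps/ patches, no-md5-verify (needs secure_getenv) and the FIPS 140-2 patches are intentionally not carried`. The numbering gap (1021, 1039, 1040, 1044) presumably mirrors Fedora's own Patch numbers; saying so in the comment keeps future diffs against Fedora's spec easy to read.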
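Review bot: `-D TLS_ENABLE` builds the TLS stack into the OVMF image (as I read OvmfPkg's dsc), but nothing in this spec ships or provisions CA trust anchors, so HTTPS boot will verify servers only against whatever the guest owner later loads through the firmware's TLS authentication configuration; that caveat belongs next to the flag. Suggested comment above the new line: `# TLS_ENABLE: HTTPS boot support; no CA trust anchors are shipped, they must be provisioned per guest`. The changelog entry in this same commit calls the feature `TLS_MODE`; it should say `TLS_ENABLE` to match the flag actually set here.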
@@ -439,6 +447,10 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/ %changelog +* Fri Jan 19 2018 Paolo Bonzini - 20170209git296153c5-3 +- Add OpenSSL patches from Fedora +- Enable TLS_MODE + * Fri Nov 17 2017 Paolo Bonzini - 20170209git296153c5-2 - Backport patches 19-21 from RHEL - Add patches 22-24 to fix SEV slowness diff --git a/openssl-1.1.0-bio-fd-preserve-nl.patch b/openssl-1.1.0-bio-fd-preserve-nl.patch new file mode 100644 index 0000000..fd032a1 --- /dev/null +++ b/openssl-1.1.0-bio-fd-preserve-nl.patch 
@@ -0,0 +1,29 @@ +diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100 ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100 +@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i + char *ptr = buf; + char *end = buf + size - 1; + +- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n')) +- ptr++; ++ while (ptr < end && fd_read(bp, ptr, 1) > 0) { ++ if (*ptr++ == '\n') ++ break; ++ } + + ptr[0] = '\0'; + +diff -up a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod +--- a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100 ++++ b/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100 +@@ -23,7 +23,8 @@ in B. Usually this operation will a + from the BIO of maximum length B. There are exceptions to this, + however; for example, BIO_gets() on a digest BIO will calculate and + return the digest and other BIOs may not support BIO_gets() at all. +-The returned string is always NUL-terminated. ++The returned string is always NUL-terminated and the '\n' is preserved ++if present in the input data. + + BIO_write() attempts to write B bytes from B to BIO B. + diff --git a/openssl-1.1.0-cc-reqs.patch b/openssl-1.1.0-cc-reqs.patch new file mode 100644 index 0000000..74521c6 --- /dev/null +++ b/openssl-1.1.0-cc-reqs.patch 
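Review bot: The rewritten loop in fd_gets is bounded correctly (end is buf + size - 1, so the trailing `ptr[0] = '\0'` never writes past buf[size - 1]), but bss_fd.c sits behind OpenSSL's OPENSSL_NO_POSIX_IO guard, and if CryptoPkg's OpensslLib is configured with no-posix-io as I believe it is, this patch changes code the firmware never compiles. If it is carried only so the Fedora series applies unchanged, say so in the spec comment; otherwise drop it to keep the carried patch set minimal. The body of fd_gets continues past the hunk, so the return value (and whether callers are affected by the now-preserved '\n') is not visible here.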
@@ -0,0 +1,27 @@ +diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs 2017-01-26 14:10:23.000000000 +0100 ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c 2017-01-26 16:01:52.622308528 +0100 +@@ -75,6 +75,12 @@ static int rsa_builtin_keygen(RSA *rsa, + if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) + goto err; + ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) ++ goto err; ++ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100)) ++ goto err; ++ + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + +@@ -103,7 +109,9 @@ static int rsa_builtin_keygen(RSA *rsa, + do { + if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) + goto err; +- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); ++ if (!BN_sub(r2, rsa->q, rsa->p)) ++ goto err; ++ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3)); + if (degenerate == 3) { + ok = 0; /* we set our own err */ + RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); diff --git a/openssl-1.1.0-disable-ssl3.patch b/openssl-1.1.0-disable-ssl3.patch new file mode 100644 index 0000000..b0906fe --- /dev/null +++ b/openssl-1.1.0-disable-ssl3.patch 
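Review bot: The new `|q - p|` check gives no reference for where the 2^(bitsp - 100) bound comes from; the bare `/* prepare minimum p and q difference */` should cite it, e.g. `/* FIPS 186-4 B.3.3 step 5.4: reject q when |p - q| <= 2^(nlen/2 - 100), so p and q are far enough apart to resist Fermat factoring */`, otherwise a reader of the keygen path cannot tell whether 100 is deliberate. BN_ucmp on r2 is the right call because q - p may be negative, and that deserves a one-line comment too: BN_cmp would treat every q smaller than p as too close and fail generation after three tries. Note the retry budget of three before RSA_R_KEY_SIZE_TOO_SMALL now covers the closeness test as well as p == q, which is fine for real key sizes; the enclosing for loop begins and ends outside this hunk.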
@@ -0,0 +1,59 @@ +diff -up a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c +--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200 ++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200 +@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + * or by using the SSL_CONF library. + */ + ret->options |= SSL_OP_NO_COMPRESSION; ++ /* ++ * Disable SSLv3 by default. Applications can ++ * re-enable it by configuring ++ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ * or by using the SSL_CONF library. ++ */ ++ ret->options |= SSL_OP_NO_SSLv3; + + ret->tlsext_status_type = -1; + +diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c +--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200 ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200 +@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE + SSL_TEST_SERVERNAME_CB_NONE) { + server2_ctx = SSL_CTX_new(TLS_server_method()); + TEST_check(server2_ctx != NULL); ++ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); + } + client_ctx = SSL_CTX_new(TLS_client_method()); + +@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE + resume_client_ctx = SSL_CTX_new(TLS_client_method()); + TEST_check(resume_server_ctx != NULL); + TEST_check(resume_client_ctx != NULL); ++ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); + } + } + + TEST_check(server_ctx != NULL); + TEST_check(client_ctx != NULL); ++ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); + + TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0); + +diff -up 
a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c +--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200 ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200 +@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[]) + ERR_print_errors(bio_err); + goto end; + } ++ ++ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); ++ + /* + * Since we will use low security ciphersuites and keys for testing set + * security level to zero by default. Tests can override this by adding diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch new file mode 100644 index 0000000..791a62d --- /dev/null +++ b/openssl-1.1.0-issuer-hash.patch @@ -0,0 +1,11 @@ +diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash 2016-07-18 15:16:32.788881100 +0200 ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c 2016-07-18 15:17:16.671871840 +0200 +@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has + + if (ctx == NULL) + goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); + if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) + goto err;
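Review bot: Setting SSL_OP_NO_SSLv3 in SSL_CTX_new is a sensible default, but the two test-file hunks (ssl_test.c, ssltest_old.c) are dead weight for edk2, which compiles neither, and they will make `%autopatch` fail outright if a future OpenSSL drop omits or reshapes the test/ directory; consider trimming the patch to the ssl_lib.c hunk. If CryptoPkg's OpensslLib is built with OPENSSL_NO_SSL3 (I believe process_files.pl passes no-ssl3), the option guards a protocol that is not compiled in, and the spec comment should say the patch is carried for parity with Fedora rather than to close a live hole. Either way, confirm that TlsLib's context setup does not clear the option after SSL_CTX_new.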
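Review bot: EVP_MD_CTX_FLAG_NON_FIPS_ALLOW only changes behaviour when OpenSSL runs with Fedora's FIPS-mode patch applied, and the commit message says that patch is not brought over, so in this tree the added line is inert. Either drop this patch or add a comment stating it is kept so the Fedora series applies unchanged, e.g. `/* MD5 here is only a lookup-key hash, not a security primitive; allow it under FIPS restrictions */`. The MD5 use itself does not weaken certificate verification, as far as I can tell X509_issuer_and_serial_hash produces a table-lookup key rather than anything signature-related, so no further change is needed there.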