add openssl patches from Fedora, enable TLS mode
Since edk2 does not compile the apps/ subdirectory, the only other patches that might apply are openssl-1.1.0-no-md5-verify.patch (but edk2 does not have secure_getenv) and of course FIPS 140-2 mode.
This commit is contained in:
parent
2e34e081c6
commit
91c79aab4c
16
edk2.spec
16
edk2.spec
@ -29,7 +29,7 @@
|
||||
|
||||
Name: edk2
|
||||
Version: %{edk2_date}git%{edk2_githash}
|
||||
Release: 2%{dist}
|
||||
Release: 3%{dist}
|
||||
Summary: EFI Development Kit II
|
||||
|
||||
Group: Applications/Emulators
|
||||
@ -78,6 +78,12 @@ Patch0024: 0024-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch
|
||||
Patch0099: 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
|
||||
%endif
|
||||
|
||||
# openssl patches from Fedora
|
||||
Patch1021: openssl-1.1.0-issuer-hash.patch
|
||||
Patch1039: openssl-1.1.0-cc-reqs.patch
|
||||
Patch1040: openssl-1.1.0-disable-ssl3.patch
|
||||
Patch1044: openssl-1.1.0-bio-fd-preserve-nl.patch
|
||||
|
||||
%if 0%{?fedora:1}
|
||||
#
|
||||
# actual firmware builds support cross-compiling. edk2-tools
|
||||
@ -179,7 +185,6 @@ armv7 UEFI Firmware
|
||||
|
||||
%prep
|
||||
%setup -q -n tianocore-%{name}-%{edk2_githash}
|
||||
%autopatch -p1
|
||||
|
||||
|
||||
# Ensure old shell and binary packages are not used
|
||||
@ -193,6 +198,8 @@ cp -a -- %{SOURCE2} .
|
||||
# add openssl
|
||||
(cd .. && tar -xvf %{SOURCE1})
|
||||
cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
|
||||
|
||||
%autopatch -p1
|
||||
base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
|
||||
|
||||
%build
|
||||
@ -214,6 +221,7 @@ CC_FLAGS="${CC_FLAGS} --cmd-len=65536"
|
||||
|
||||
# ovmf features
|
||||
OVMF_FLAGS="${CC_FLAGS}"
|
||||
OVMF_FLAGS="${OVMF_FLAGS} -D TLS_ENABLE"
|
||||
OVMF_FLAGS="${OVMF_FLAGS} -D HTTP_BOOT_ENABLE"
|
||||
OVMF_FLAGS="${OVMF_FLAGS} -D NETWORK_IP6_ENABLE"
|
||||
OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_2MB"
|
||||
@ -439,6 +447,10 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jan 19 2018 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-3
|
||||
- Add OpenSSL patches from Fedora
|
||||
- Enable TLS_MODE
|
||||
|
||||
* Fri Nov 17 2017 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-2
|
||||
- Backport patches 19-21 from RHEL
|
||||
- Add patches 22-24 to fix SEV slowness
|
||||
|
29
openssl-1.1.0-bio-fd-preserve-nl.patch
Normal file
29
openssl-1.1.0-bio-fd-preserve-nl.patch
Normal file
@ -0,0 +1,29 @@
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100
|
||||
@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
|
||||
char *ptr = buf;
|
||||
char *end = buf + size - 1;
|
||||
|
||||
- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
|
||||
- ptr++;
|
||||
+ while (ptr < end && fd_read(bp, ptr, 1) > 0) {
|
||||
+ if (*ptr++ == '\n')
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
ptr[0] = '\0';
|
||||
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100
|
||||
@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
|
||||
from the BIO of maximum length B<len-1>. There are exceptions to this,
|
||||
however; for example, BIO_gets() on a digest BIO will calculate and
|
||||
return the digest and other BIOs may not support BIO_gets() at all.
|
||||
-The returned string is always NUL-terminated.
|
||||
+The returned string is always NUL-terminated and the '\n' is preserved
|
||||
+if present in the input data.
|
||||
|
||||
BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
|
||||
|
27
openssl-1.1.0-cc-reqs.patch
Normal file
27
openssl-1.1.0-cc-reqs.patch
Normal file
@ -0,0 +1,27 @@
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs 2017-01-26 14:10:23.000000000 +0100
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c 2017-01-26 16:01:52.622308528 +0100
|
||||
@@ -75,6 +75,12 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
|
||||
goto err;
|
||||
|
||||
+ /* prepare minimum p and q difference */
|
||||
+ if (!BN_one(r3))
|
||||
+ goto err;
|
||||
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
|
||||
+ goto err;
|
||||
+
|
||||
if (BN_copy(rsa->e, e_value) == NULL)
|
||||
goto err;
|
||||
|
||||
@@ -103,7 +109,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
do {
|
||||
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||
goto err;
|
||||
- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
|
||||
+ if (!BN_sub(r2, rsa->q, rsa->p))
|
||||
+ goto err;
|
||||
+ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
|
||||
if (degenerate == 3) {
|
||||
ok = 0; /* we set our own err */
|
||||
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
59
openssl-1.1.0-disable-ssl3.patch
Normal file
59
openssl-1.1.0-disable-ssl3.patch
Normal file
@ -0,0 +1,59 @@
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
|
||||
@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
* or by using the SSL_CONF library.
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_COMPRESSION;
|
||||
+ /*
|
||||
+ * Disable SSLv3 by default. Applications can
|
||||
+ * re-enable it by configuring
|
||||
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+ * or by using the SSL_CONF library.
|
||||
+ */
|
||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||
|
||||
ret->tlsext_status_type = -1;
|
||||
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
|
||||
@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
SSL_TEST_SERVERNAME_CB_NONE) {
|
||||
server2_ctx = SSL_CTX_new(TLS_server_method());
|
||||
TEST_check(server2_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
client_ctx = SSL_CTX_new(TLS_client_method());
|
||||
|
||||
@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
resume_client_ctx = SSL_CTX_new(TLS_client_method());
|
||||
TEST_check(resume_server_ctx != NULL);
|
||||
TEST_check(resume_client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_check(server_ctx != NULL);
|
||||
TEST_check(client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
||||
|
||||
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
|
||||
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
|
||||
@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
+
|
||||
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
/*
|
||||
* Since we will use low security ciphersuites and keys for testing set
|
||||
* security level to zero by default. Tests can override this by adding
|
11
openssl-1.1.0-issuer-hash.patch
Normal file
11
openssl-1.1.0-issuer-hash.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash 2016-07-18 15:16:32.788881100 +0200
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c 2016-07-18 15:17:16.671871840 +0200
|
||||
@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
|
||||
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
|
||||
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
|
||||
goto err;
|
Loading…
Reference in New Issue
Block a user