system76-edk2/CryptoPkg/Library/OpensslLib/process_files.sh
Laszlo Ersek 823005621e CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.

If a platform doesn't include the TLS modules, such as

- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf

then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".

Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).

This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.

"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.

"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.

"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25 14:55:55 +01:00

#!/bin/bash
#
# This script runs the OpenSSL Configure script, then processes the resulting
# file list into our local OpensslLib.inf and OpensslLibCrypto.inf, and also
# takes a copy of opensslconf.h.
#
# This only needs to be done once by a developer when updating to a
# new version of OpenSSL (or changing options, etc.). Normal users
# do not need to do this, since the results are stored in the EDK2
# git repository for them.
#
# bash (not plain sh) is required: the script uses the "function" keyword
# and "echo -e", which are not POSIX.

# Both .inf files carry a "DEFINE OPENSSL_PATH = openssl-x.y.z" line. They
# must name the same OpenSSL tree, otherwise the two generated lists would be
# taken from different sources.
OPENSSL_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLib.inf)
OPENSSL_CRYPTO_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibCrypto.inf)
if [ "$OPENSSL_PATH" != "$OPENSSL_CRYPTO_PATH" ]; then
  echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibCrypto.inf"
  exit 1
fi

if ! cd "${OPENSSL_PATH}" ; then
  echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\""
  exit 1
fi

# Configure OpenSSL for the UEFI target with everything firmware does not need
# or cannot provide (sockets, threads, stdio, engines, ...) switched off.
# "make files" then writes MINFO, the per-directory list of library sources.
./Configure UEFI \
  no-asm \
  no-bf \
  no-camellia \
  no-capieng \
  no-cast \
  no-cms \
  no-deprecated \
  no-dgram \
  no-dsa \
  no-dynamic-engine \
  no-ec \
  no-ecdh \
  no-ecdsa \
  no-engine \
  no-engines \
  no-err \
  no-filenames \
  no-fp-api \
  no-hw \
  no-idea \
  no-jpake \
  no-krb5 \
  no-locking \
  no-mdc2 \
  no-posix-io \
  no-rc2 \
  no-rcs \
  no-rfc3779 \
  no-ripemd \
  no-scrypt \
  no-sct \
  no-seed \
  no-sha0 \
  no-sock \
  no-srp \
  no-ssl \
  no-stdio \
  no-threads \
  no-ts \
  no-ui \
  no-whirlpool \
  || exit 1
make files
cd -

# Emit, on stdout, a sed script that replaces the region between the
# "Autogenerated files list" markers of an .inf file with the sources read
# from MINFO on stdin. With $1 = "crypto-and-ssl" the ssl/ directory is
# included (OpensslLib.inf); with $1 = "crypto-only" it is dropped
# (OpensslLibCrypto.inf), so no libssl file reaches that library instance.
function filelist ()
{
  SSL_SELECT="$1"
  # Keep everything up to the start marker and from the end marker onwards,
  # then append the freshly generated list right after the start marker.
  echo '1,/# Autogenerated files list starts here/p'
  echo '/# Autogenerated files list ends here/,$p'
  echo '/# Autogenerated files list starts here/a\'
  while read LINE; do
    case "$LINE" in
      RELATIVE_DIRECTORY=*)
        # MINFO is produced by OpenSSL's own build in the checked-out tree,
        # so evaluating its RELATIVE_DIRECTORY=... lines is acceptable here.
        eval "$LINE"
        ;;
      LIBSRC=*)
        LIBSRC=$(echo "$LINE" | sed s/^LIBSRC=//)
        if [ "$RELATIVE_DIRECTORY" != "ssl" ] ||
           [ "$SSL_SELECT" = "crypto-and-ssl" ]; then
          for FILE in $LIBSRC; do
            # b_print.c is deliberately left out of the EDK2 build.
            if [ "$FILE" != "b_print.c" ]; then
              # Each appended line ends in CR (the .inf files use DOS line
              # endings) followed by the backslash that continues the "a\"
              # command.
              echo -e ' $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\
            fi
          done
        fi
        ;;
    esac
  done
  # Terminate the "a\" text with a final line that is not continued.
  echo -e \\r
}

filelist crypto-and-ssl < "${OPENSSL_PATH}/MINFO" \
  | sed -n -f - -i OpensslLib.inf
filelist crypto-only < "${OPENSSL_PATH}/MINFO" \
  | sed -n -f - -i OpensslLibCrypto.inf

# We can tell Windows users to put this back manually if they can't run
# Configure. For now, until the git repository is fixed to store things
# sanely, also convert to DOS line-endings
unix2dos -n "${OPENSSL_PATH}/crypto/opensslconf.h" opensslconf.h
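The property the commit message relies on for security review is that an OVMF build without -D TLS_ENABLE contains no libssl sources at all, so every libssl vulnerability can be ruled out at once. The check below is an added example, not part of EDK2 or of this commit: it reads the region between the same "# Autogenerated files list" markers that process_files.sh rewrites, confirms that OpensslLibCrypto.inf lists nothing under ssl/, and confirms that the crypto-only list is otherwise identical to the full list in OpensslLib.inf. The .inf contents it runs on are constructed, abbreviated samples written to a temporary directory (CRLF endings, as the script emits), and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not EDK2 code): verify that a crypto-only OpenSSL .inf file
# list really excludes libssl and is otherwise the full list minus ssl/.

# Print the source entries between the autogenerated markers of the .inf
# given as $1, one per line, with the "$(OPENSSL_PATH)/" prefix, leading
# whitespace and DOS carriage returns stripped (e.g. "crypto/sha/sha256.c").
inf_sources() {
  sed -n '/# Autogenerated files list starts here/,/# Autogenerated files list ends here/p' "$1" \
    | tr -d '\r' \
    | sed -n 's/^[[:space:]]*\$(OPENSSL_PATH)\///p'
}

# Print the number of sources under ssl/ in the .inf given as $1 (0 if none).
count_ssl_sources() {
  inf_sources "$1" | grep -c '^ssl/' || true
}

# $1 = full .inf (crypto-and-ssl), $2 = crypto-only .inf.
# Returns 0 when $2 lists no ssl/ source and equals $1 minus ssl/, else 1.
check_crypto_subset() {
  full="$1"
  crypto="$2"
  if [ "$(count_ssl_sources "$crypto")" -ne 0 ]; then
    echo "FAIL: $crypto still lists libssl sources:"
    inf_sources "$crypto" | grep '^ssl/'
    return 1
  fi
  expected=$(inf_sources "$full" | grep -v '^ssl/' | sort)
  actual=$(inf_sources "$crypto" | sort)
  if [ "$expected" != "$actual" ]; then
    echo "FAIL: $crypto is not $full minus ssl/"
    printf 'expected:\n%s\nactual:\n%s\n' "$expected" "$actual"
    return 1
  fi
  echo "OK: $crypto lists $(inf_sources "$crypto" | wc -l | tr -d ' ') sources, none under ssl/"
  return 0
}

# Write constructed, abbreviated .inf samples in the layout process_files.sh
# emits (CRLF endings, one entry per line between the markers) and print the
# directory. The ".bad" variant has a libssl file leaked into the crypto list.
write_sample_infs() {
  dir=$(mktemp -d)
  printf '%s\r\n' \
    '[Sources]' \
    '# Autogenerated files list starts here' \
    '  $(OPENSSL_PATH)/crypto/aes/aes_core.c' \
    '  $(OPENSSL_PATH)/crypto/sha/sha256.c' \
    '  $(OPENSSL_PATH)/ssl/ssl_lib.c' \
    '  $(OPENSSL_PATH)/ssl/s3_lib.c' \
    '# Autogenerated files list ends here' \
    > "$dir/OpensslLib.inf"
  printf '%s\r\n' \
    '[Sources]' \
    '# Autogenerated files list starts here' \
    '  $(OPENSSL_PATH)/crypto/aes/aes_core.c' \
    '  $(OPENSSL_PATH)/crypto/sha/sha256.c' \
    '# Autogenerated files list ends here' \
    > "$dir/OpensslLibCrypto.inf"
  printf '%s\r\n' \
    '[Sources]' \
    '# Autogenerated files list starts here' \
    '  $(OPENSSL_PATH)/crypto/aes/aes_core.c' \
    '  $(OPENSSL_PATH)/crypto/sha/sha256.c' \
    '  $(OPENSSL_PATH)/ssl/ssl_lib.c' \
    '# Autogenerated files list ends here' \
    > "$dir/OpensslLibCrypto.bad.inf"
  echo "$dir"
}

# Stand-alone demonstration on the constructed samples: the first call
# passes, the second reports the leaked ssl/ssl_lib.c and fails.
SAMPLE_DIR=$(write_sample_infs)
check_crypto_subset "$SAMPLE_DIR/OpensslLib.inf" "$SAMPLE_DIR/OpensslLibCrypto.inf"
check_crypto_subset "$SAMPLE_DIR/OpensslLib.inf" "$SAMPLE_DIR/OpensslLibCrypto.bad.inf" || true
```

To check the real files after running process_files.sh, call check_crypto_subset OpensslLib.inf OpensslLibCrypto.inf from CryptoPkg/Library/OpensslLib instead of the sample paths; a non-zero return means the crypto-only instance would still compile libssl code.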