
Update openssl 4.0.0 beta1#204

Draft
Flickdm wants to merge 18 commits into microsoft:main from Flickdm:update/openssl-4.0.0-beta1

Conversation

@Flickdm
Member

@Flickdm Flickdm commented Mar 26, 2026

Description

Tracking PR to update to Openssl 4.0.0

For details on how to complete these options and their meaning, refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

<Describe the test(s) that were run to verify the changes.>

Integration Instructions

<Describe how these changes should be integrated. Use N/A if nothing is required.>

@mu-automation mu-automation bot added the labels language:python (Pull requests that update Python code) and impact:non-functional (Does not have a functional impact) Mar 26, 2026
@Flickdm Flickdm linked an issue Mar 26, 2026 that may be closed by this pull request
@Flickdm Flickdm force-pushed the update/openssl-4.0.0-beta1 branch 8 times, most recently from e4143d3 to ce5bad7 on April 8, 2026 20:29
@Flickdm Flickdm added this to the OneCrypto-v1.0.2 milestone Apr 13, 2026
@Flickdm Flickdm self-assigned this Apr 13, 2026
Flickdm added 15 commits April 13, 2026 18:16
…_CTX

Replace deprecated HMAC_CTX_new/HMAC_Init_ex/HMAC_Update/HMAC_Final/HMAC_CTX_free
with the OpenSSL 3.x EVP_MAC_CTX provider API.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace direct RSA* usage with a new RSA_PKEY_CTX struct holding individual
BIGNUMs (N, E, D, P, Q, Dp, Dq, QInv) plus a cached EVP_PKEY*.

- Add CryptRsaPkeyCtx.h defining RSA_PKEY_CTX and helper declarations
- RsaBuildEvpPkey(): lazily builds EVP_PKEY from stored BIGNUMs
- RsaInvalidatePkey(): invalidates the cache on component change
- RsaGetKey(): return TRUE with *BnSize=0 for unset (NULL) components
- All operations (sign/verify/encrypt/decrypt) use EVP_PKEY_CTX

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update files that consume RSA keys to work with the new RSA_PKEY_CTX type
instead of the deprecated RSA* direct usage:

- CryptPkcs7Sign.c: remove EVP_PKEY_assign_RSA; use RSA_PKEY_CTX->Pkey
- CryptPkcs1Oaep.c: remove EVP_PKEY_set1_RSA; use RSA_PKEY_CTX->Pkey
- CryptRsaPss.c: update context casting to RSA_PKEY_CTX
- CryptRsaPssSign.c: update context casting to RSA_PKEY_CTX

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace EC_KEY* based implementation with a new EC_PKEY_CTX struct holding
the curve NID and a cached EVP_PKEY*:

- Add CryptEcPkeyCtx.h defining EC_PKEY_CTX
- EcNewByNid(): allocates EC_PKEY_CTX with OpenSSL NID
- EcDhComputeKey(): uses EVP_PKEY_derive with OSSL_PARAM_BLD peer key
- EcDsaSign(): uses EVP_PKEY_sign producing DER; converts to raw R||S
- EcDsaVerify(): converts raw R||S to DER via i2d_ECDSA_SIG; EVP_PKEY_verify
- EC public key export: EVP_PKEY_get_octet_string_param returns 04||X||Y;
  skip leading 0x04 byte to match caller expectation of raw X||Y

Signed-off-by: Doug Flick <dougflick@microsoft.com>
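The DER-to-raw R||S conversion that the EcDsaSign()/EcDsaVerify() commit message describes, as an added standalone example (not the project's code, which uses OpenSSL's ECDSA_SIG routines for this; function names are assumptions). It shows the edge cases a strict converter has to handle: the 0x00 pad byte DER adds when an integer's top bit is set, integers shorter than the field width, and rejection of non-minimal or trailing bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER INTEGER at Der[*Pos] and copy its magnitude right-aligned
 * (zero-padded) into Out[FieldLen]. Rejects negatives, non-minimal
 * encodings, and values that do not fit. Returns 0 on success, -1 otherwise. */
static int DerIntToFixed(const uint8_t *Der, size_t DerLen, size_t *Pos,
                         uint8_t *Out, size_t FieldLen)
{
    if (*Pos + 2 > DerLen || Der[*Pos] != 0x02) return -1;
    size_t len = Der[*Pos + 1];
    if (len == 0 || len >= 0x80) return -1;     /* r and s never need long-form length */
    size_t start = *Pos + 2;
    if (start + len > DerLen) return -1;
    if (Der[start] & 0x80) return -1;           /* negative integer: never valid for r or s */
    if (Der[start] == 0x00) {
        /* a single pad byte is only legal when the next byte has its top bit set;
         * a zero-valued r or s is invalid for ECDSA anyway */
        if (len == 1 || !(Der[start + 1] & 0x80)) return -1;
        start++;
        len--;
    }
    if (len > FieldLen) return -1;
    memset(Out, 0, FieldLen);
    memcpy(Out + FieldLen - len, Der + start, len);
    *Pos = start + len;
    return 0;
}

/* Convert SEQUENCE { INTEGER r, INTEGER s } to fixed-width R||S of 2*FieldLen
 * bytes (FieldLen is the curve's coordinate size, e.g. 32 for P-256).
 * Returns 0 on success, -1 on any malformed input. */
int EcdsaDerToRaw(const uint8_t *Der, size_t DerLen, uint8_t *Raw, size_t FieldLen)
{
    size_t pos, seqLen;
    if (DerLen < 2 || Der[0] != 0x30) return -1;
    if (Der[1] < 0x80) { seqLen = Der[1]; pos = 2; }            /* short-form length */
    else if (Der[1] == 0x81 && DerLen >= 3) { seqLen = Der[2]; pos = 3; } /* P-521 sizes */
    else return -1;
    if (pos + seqLen != DerLen) return -1;      /* trailing bytes are not tolerated */
    if (DerIntToFixed(Der, DerLen, &pos, Raw, FieldLen) != 0) return -1;
    if (DerIntToFixed(Der, DerLen, &pos, Raw + FieldLen, FieldLen) != 0) return -1;
    return pos == DerLen ? 0 : -1;
}
```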
Replace DH* based implementation with a new DH_PKEY_CTX struct:

- DH_PKEY_CTX holds BnP, BnG (set independently by DhSetParameter) and
  EVP_PKEY* (generated on DhGenerateKey)
- DhSetParameter(): stores BnP/BnG; defers key generation
- DhGenerateKey(): uses EVP_PKEY_paramgen + EVP_PKEY_keygen
- DhComputeKey(): uses EVP_PKEY_derive with peer public key

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Signed-off-by: Doug Flick <dougflick@microsoft.com>
All BaseCryptLib files now use OpenSSL 3.x non-deprecated EVP_PKEY provider
APIs. Remove the OPENSSL_NO_DEPRECATED=0 override from InternalCryptLib.h
that was previously required to suppress deprecation warnings.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
- RsaExtractBigNums now cleans up partially extracted BIGNUMs on
  failure instead of leaving them dangling in the RSA_PKEY_CTX.
- RsaGetPublicKeyFromX509 error path uses RsaFree() for proper
  cleanup of all RSA_PKEY_CTX resources.
- Fix RsaGetKey doc comment: BigNumber=NULL with sufficient BnSize
  returns TRUE (size query), not FALSE.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the openssl submodule pointer to the openssl-4.0.0-beta1 tag.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Regenerate all intermediate files in OpensslGen including headers,
architecture-specific assembly files, DER encoding sources, and
the new .inc files generated from .inc.in templates introduced
in OpenSSL 4.0.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Fix X64-MSFT assembly filename conversion to handle both .S and
.s extensions.

Disable SM3 assembly sources in the asm filter to work around
build issues with OpenSSL 4.0.0-beta1. SM3 support will need
to be re-evaluated in a future update.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the autogenerated source file lists in all OpensslLib INF
files to reflect the new and changed source files in OpenSSL
4.0.0-beta1.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add Library/OpensslLib/OpensslGen as a package include path in
OpensslPkg.dec. OpenSSL 4.0 introduces .inc files generated from
.inc.in templates that are included by provider source files
using paths relative to the build root. The OpensslGen directory
must be in the include search path to resolve these references.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add va_copy, vsnprintf, INT64_C, UINT64_C, INT32_C, and UINT32_C
macros to CrtLibSupport.h. These are required by OpenSSL 4.0
source files and were not needed in previous versions.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Flickdm added 3 commits April 13, 2026 18:16
Replace direct struct member access with OpenSSL accessor
functions for ASN1_STRING, ASN1_TYPE, and ASN1_OBJECT types.
OpenSSL 4.0 makes these struct fields opaque, requiring use of
ASN1_STRING_get0_data(), ASN1_STRING_length(),
ASN1_STRING_type(), OBJ_get0_data(), and OBJ_length().

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add null stubs for tls_parse_ctos_ech() and
tls_construct_stoc_ech() in SslExtServNull.c for the new
Encrypted Client Hello (ECH) extension in OpenSSL 4.0.

Update tls_construct_cert_status_body() signature in
SslStatServNull.c to include the new OCSP_RESPONSE parameter.

Update OSSL_STORE_SEARCH_by_name() in ossl_store.c to use
const X509_NAME parameter matching the OpenSSL 4.0 API.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace the vsnprintf and sprintf macros in CrtLibSupport.h with
proper function implementations that translate standard C format
specifiers to EDK2 BasePrintLib equivalents. OpenSSL 4.0 error
reporting calls BIO_vsnprintf with C %s (ASCII string), but EDK2
BasePrintLib treats %s as Unicode, causing a segfault in the
host unit tests. The new TranslateFormatSpecifiers helper converts
C %s to EDK2 %a before calling AsciiVSPrint.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
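The C %s to EDK2 %a translation this commit message describes, as an added standalone example (not the project's CrtLibSupport.h code; the function name, the set of pass-through modifiers and the handling of %ls are assumptions). It shows why the translation must skip flags, width and precision, leave "%%" alone, and bounds-check its output.

```c
#include <stddef.h>
#include <string.h>

/* Rewrite a C printf-style format so EDK2 BasePrintLib prints its
 * strings correctly: every "%s" (C: char *) becomes "%a" (EDK2: ASCII
 * string), while flags, width, precision, "%%" and every other
 * conversion pass through unchanged. "%ls" is left alone on the
 * assumption that a wide string maps to EDK2's CHAR16 "%s".
 * Returns the output length (excluding the NUL) or -1 if Out is too
 * small; In must be NUL-terminated. */
int TranslateFormatSpecifiers(const char *In, char *Out, size_t OutSize)
{
    size_t o = 0;

    if (OutSize == 0) return -1;
    for (size_t i = 0; In[i] != '\0'; i++) {
        if (o + 1 >= OutSize) return -1;
        Out[o++] = In[i];
        if (In[i] != '%') continue;

        i++;
        if (In[i] == '%') {                  /* "%%": literal percent sign */
            if (o + 1 >= OutSize) return -1;
            Out[o++] = '%';
            continue;
        }

        /* copy flags, width, precision and length modifiers verbatim */
        int wide = 0;
        while (In[i] != '\0' && strchr("-+ #0123456789.*hlLqjzt", In[i]) != NULL) {
            if (In[i] == 'l') wide = 1;
            if (o + 1 >= OutSize) return -1;
            Out[o++] = In[i++];
        }
        if (In[i] == '\0') break;            /* dangling '%' at end of format */

        if (o + 1 >= OutSize) return -1;
        Out[o++] = (In[i] == 's' && !wide) ? 'a' : In[i];
    }
    Out[o] = '\0';
    return (int)o;
}
```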
@Flickdm Flickdm force-pushed the update/openssl-4.0.0-beta1 branch from ce5bad7 to a60ea5f on April 13, 2026 22:16

Labels

impact:non-functional (Does not have a functional impact), language:python (Pull requests that update Python code)

Projects

Status: In Progress

Development

Successfully merging this pull request may close these issues.

[Feature]: Create Openssl-4.0.0 Release

1 participant