Update OpenSSL to 4.0.0#240

Draft
Flickdm wants to merge 13 commits into
microsoft:mainfrom
Flickdm:update/openssl-4.0.0

Conversation


@Flickdm Flickdm commented Apr 24, 2026

Description

Updates to Openssl-4.0.0

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

Known Issues

AuthenticodeVerify SHA-1 Test Failure (OpenSSL 4.0.0)

Status: Expected failure
Affected test: TestVerifyAuthenticodeVerify() in BaseCryptLibUnitTestHost
Root cause: OpenSSL 4.0.0 defaults to security level 2 (OPENSSL_TLS_SECURITY_LEVEL = 2),
which rejects SHA-1 for signature verification. The test uses a SHA-1 signed Authenticode
blob (AuthenticodeWithSha1) that is rejected at this security level.

Impact: SHA-1 Authenticode verification will fail at runtime. SHA-256 Authenticode
verification is unaffected. This is a deliberate security posture change in OpenSSL 4.0.0
aligned with industry deprecation of SHA-1.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

TODO

Integration Instructions

N/A

@Flickdm Flickdm force-pushed the update/openssl-4.0.0 branch from 6585c7b to f1334c8 Compare April 24, 2026 02:01
@mu-automation mu-automation Bot added language:python Pull requests that update Python code impact:non-functional Does not have a functional impact labels Apr 24, 2026
@Flickdm Flickdm force-pushed the update/openssl-4.0.0 branch 2 times, most recently from 632602b to 9fef5a0 Compare April 24, 2026 04:58
@Flickdm Flickdm added this to the v1.1.0-OneCrypto milestone Apr 24, 2026
@Flickdm Flickdm force-pushed the update/openssl-4.0.0 branch 4 times, most recently from edbbfe0 to aa5424c Compare April 29, 2026 20:33
Flickdm added 13 commits May 5, 2026 14:23
Add UnitTestHostTlsLib.inf, a HOST_APPLICATION wrapper for the
production TlsLib sources, enabling TlsLib to be linked into
host-based unit test executables.

Update OpensslPkgHostUnitTest.dsc with TlsLib and IntrinsicLib
library mappings and the TlsLibUnitTestHost component reference
for the provider-agnostic TLS unit tests in CryptoPkg.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Bring in the latest MU_BASECORE commit to pull in TLS unit tests that
are needed to validate the TlsLib.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
After running OpensslPkg host-based unit tests, re-run the
TlsLibUnitTestHost binary and extract the structured TLS
capability report (cipher suites, TLS versions, EC curves,
TLS 1.3, PQC groups, DFCI required ciphers, security levels)
into the GitHub Actions job summary.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the openssl submodule pointer to the openssl-4.0.0 tag.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Fix X64-MSFT assembly filename conversion to handle both .S and
.s extensions.

Disable SM3 assembly sources in the asm filter to work around
build issues with OpenSSL 4.0.0. SM3 support will need
to be re-evaluated in a future update.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Regenerate all intermediate files in OpensslGen including headers,
architecture-specific assembly files, DER encoding sources, and
the new .inc files generated from .inc.in templates introduced
in OpenSSL 4.0.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the autogenerated source file lists in all OpensslLib INF
files to reflect the new and changed source files in OpenSSL
4.0.0.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add Library/OpensslLib/OpensslGen as a package include path in
OpensslPkg.dec. OpenSSL 4.0 introduces .inc files generated from
.inc.in templates that are included by provider source files
using paths relative to the build root. The OpensslGen directory
must be in the include search path to resolve these references.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add va_copy, vsnprintf, INT64_C, UINT64_C, INT32_C, and UINT32_C
macros to CrtLibSupport.h. These are required by OpenSSL 4.0
source files that were not needed in previous versions.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace direct struct member access with OpenSSL accessor
functions for ASN1_STRING, ASN1_TYPE, and ASN1_OBJECT types.
OpenSSL 4.0 makes these struct fields opaque, requiring use of
ASN1_STRING_get0_data(), ASN1_STRING_length(),
ASN1_STRING_type(), OBJ_get0_data(), and OBJ_length().

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add null stubs for tls_parse_ctos_ech() and
tls_construct_stoc_ech() in SslExtServNull.c for the new
Encrypted Client Hello (ECH) extension in OpenSSL 4.0.

Update tls_construct_cert_status_body() signature in
SslStatServNull.c to include the new OCSP_RESPONSE parameter.

Update OSSL_STORE_SEARCH_by_name() in ossl_store.c to use
const X509_NAME parameter matching the OpenSSL 4.0 API.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace the vsnprintf and sprintf macros in CrtLibSupport.h with
proper function implementations that translate standard C format
specifiers to EDK2 BasePrintLib equivalents. OpenSSL 4.0 error
reporting calls BIO_vsnprintf with C %s (ASCII string), but EDK2
BasePrintLib treats %s as Unicode, causing a segfault in the
host unit tests. The new TranslateFormatSpecifiers helper converts
C %s to EDK2 %a before calling AsciiVSPrint.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Remove no-ml-dsa, no-ml-kem, and no-tls1_3 from configure.py
to enable Post-Quantum Cryptography support in OpenSSL 4.0.0.

Regenerated configuration headers and INF files with:
- ML-KEM (FIPS 203) key encapsulation sources
- ML-DSA (FIPS 204) digital signature sources
- MLX hybrid key exchange sources
- TLS 1.3 protocol support (required for PQC key exchange)

OpenSSL 4.0.0 has native PQC support - no external provider
(oqsprovider) needed.

Note: Build is blocked by pre-existing missing decoders.inc
in uefiprov.c (not related to this change).

Signed-off-by: Doug Flick <dougflick@microsoft.com>
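The `%s`-to-`%a` rewrite described in the CrtLibSupport commit above, as an added illustration that is not the PR's own code: the name TranslateFormatSpecifiers is taken from the commit message, but this implementation (preserving flags, width and precision, leaving `%%` and every other conversion alone, and reporting an undersized buffer) is an assumption, and the call into AsciiVSPrint is omitted so the block runs stand-alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumed shape, not the PR's implementation):
 * rewrite C printf-style "%s" (ASCII string) into the EDK2 PrintLib "%a"
 * conversion so that OpenSSL error strings passed through BIO_vsnprintf
 * are not mis-read by BasePrintLib as Unicode. Flags, width, precision
 * and length modifiers between '%' and the conversion (e.g. "%-20.5s")
 * are copied through; "%%" and all other conversions are left untouched.
 * "%ls" (a C wide string) is deliberately not translated.
 * Returns the number of characters written, or -1 if Out is too small. */
int TranslateFormatSpecifiers(const char *In, char *Out, size_t OutSize)
{
    size_t o = 0;
    const char *p = In;

    while (*p != '\0') {
        if (o + 1 >= OutSize) return -1;            /* leave room for NUL */
        if (*p != '%') { Out[o++] = *p++; continue; }

        Out[o++] = *p++;                            /* copy the '%' */
        if (*p == '%') {                            /* "%%" escape */
            if (o + 1 >= OutSize) return -1;
            Out[o++] = *p++;
            continue;
        }
        /* Copy flags / width / precision / length modifiers verbatim. */
        int wide = 0;
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) {
            if (o + 1 >= OutSize) return -1;
            if (*p == 'l') wide = 1;
            Out[o++] = *p++;
        }
        if (*p == '\0') break;                      /* dangling '%' at end */
        if (o + 1 >= OutSize) return -1;
        /* Only a plain (non-wide) 's' becomes EDK2's ASCII 'a'. */
        Out[o++] = (*p == 's' && !wide) ? 'a' : *p;
        p++;
    }
    Out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[64];
    /* Constructed sample resembling an OpenSSL error format string. */
    TranslateFormatSpecifiers("error:%08lX:%s:%s:%s", buf, sizeof buf);
    printf("%s\n", buf);                            /* error:%08lX:%a:%a:%a */
    return 0;
}
```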