From: Thomas Palmer
To: edk2-devel@lists.01.org
Cc: jiaxin.wu@intel.com, qin.long@intel.com, joseph.shifflett@hpe.com, Thomas Palmer
Date: Tue, 2 Aug 2016 16:33:45 -0500
Message-Id: <1470173625-16393-1-git-send-email-thomas.palmer@hpe.com>
Subject: [PATCH] [staging/HTTPS-TLS] Delete extra TlsCipherMappingTable entries
List-Id: EDK II Development

The TlsCipherMappingTable will be used to control which ciphers UEFI officially supports. When a user configures the ciphers, each cipher is checked against this table and if not found is sent the EFI_UNSUPPORTED error. However, when an entry is present in TlsCipherMappingTable, but our library does not have support for it, the user will not see any error if other ciphers are being set at the same time.

This patch will remove entries from TlsLib's TlsCipherMappingTable that our OpenSSL library is not configured to support. This restores behavior of immediate feedback to user.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Palmer
---
 CryptoPkg/Library/TlsLib/TlsLib.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c b/CryptoPkg/Library/TlsLib/TlsLib.c index 1f3554a..aa08595 100644 
--- a/CryptoPkg/Library/TlsLib/TlsLib.c +++ b/CryptoPkg/Library/TlsLib/TlsLib.c 
@@ -57,31 +57,24 @@ STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = { { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA - { 0x0007, "IDEA-CBC-SHA" }, /// TLS_RSA_WITH_IDEA_CBC_SHA - { 0x0009, "DES-CBC-SHA" }, /// TLS_RSA_WITH_DES_CBC_SHA { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1 - { 0x0013, "DHE-DSS-DES-CBC3-SHA" }, /// TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.0 { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2 { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA - { 0x0032, "DHE-DSS-AES128-SHA" }, /// TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA - { 0x0038, "DHE-DSS-AES256-SHA" }, /// TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256 { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256 { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256 { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256 { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256 - { 0x0040, "DHE-DSS-AES128-SHA256" }, /// TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256 { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256 - { 0x006A, "DHE-DSS-AES256-SHA256" }, /// 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 }; -- 1.9.1
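
Review bot: the removed 0x0013 entry (DHE-DSS-DES-CBC3-SHA) is annotated "mandatory TLS 1.0" in the table, so after this change the table no longer offers the suite its own comment marks as required for TLS 1.0, and neither the commit message nor the code says so. Please state that consequence in the commit message or in a comment above TlsCipherMappingTable. The table also has nothing tying it to the OpenSSL build configuration, so the silent-acceptance case described in the commit message can return the next time that configuration changes; a comment naming the configuration the table must track, or a per-cipher check against the library when the list is set, would keep the two in step. Separately, the kept entries still include NULL-SHA, NULL-SHA256, RC4-MD5 and RC4-SHA; if this table defines what UEFI officially supports, it is worth confirming those are meant to stay.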