* [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate
@ 2016-08-26 19:08 Thomas Palmer
2016-08-26 19:08 ` [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate Thomas Palmer
2016-08-26 19:08 ` [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv Thomas Palmer
0 siblings, 2 replies; 5+ messages in thread
From: Thomas Palmer @ 2016-08-26 19:08 UTC (permalink / raw)
To: edk2-devel; +Cc: joseph.shifflett, jiaxin.wu
The TLS protocol allows for clients and servers to negotiate which
version of TLS to use. Newer versions are deemed safer, so when
they are available the client and server should opt to use them.
The EDK2 TLS code today only allows TLSv1.0 for TLS communication,
regardless of the target server's capabilities. In order to use the
newer protocols, we'll update the EDK2 TlsLib.c code to allow for
TLS version negotiation when a new TLS object is created. The TLS
version specified in TlsCtxNew will be the minimum version accepted.
Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to
simulate SSL_CTX_set_min_proto_version.
We'll leave the current "EfiTlsVersion" functionality intact, which
will restrict which version of TLS to use and prevent negotiation.
However, to demonstrate the TLS regotiation in this feature branch,
we'll remove the code that calls EfiTlsVersion in the HttpDxe
module.
[PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS
[PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe:
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate
2016-08-26 19:08 [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate Thomas Palmer
@ 2016-08-26 19:08 ` Thomas Palmer
2016-09-07 8:21 ` Wu, Jiaxin
2016-08-26 19:08 ` [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv Thomas Palmer
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Palmer @ 2016-08-26 19:08 UTC (permalink / raw)
To: edk2-devel; +Cc: joseph.shifflett, jiaxin.wu, Thomas Palmer
The TLS protocol allows for clients and servers to negotiate which
version of TLS to use. Newer versions are deemed safer, so when
they are available the client and server should opt to use them.
The EDK2 TLS code today only allows TLSv1.0 for TLS communication,
regardless of the target server's capabilities. In order to use the
newer protocols, we'll update the EDK2 TlsLib.c code to allow for
TLS version negotiation when a new TLS object is created. The TLS
version specified in TlsCtxNew will be the minimum version accepted.
Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to
simulate SSL_CTX_set_min_proto_version.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
---
CryptoPkg/Library/TlsLib/TlsLib.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c b/CryptoPkg/Library/TlsLib/TlsLib.c
index aa08595..0ff699b 100644
--- a/CryptoPkg/Library/TlsLib/TlsLib.c
+++ b/CryptoPkg/Library/TlsLib/TlsLib.c
@@ -195,26 +195,39 @@ TlsCtxNew (
ProtoVersion = (MajorVer << 8) | MinorVer;
- TlsCtx = NULL;
+ TlsCtx = SSL_CTX_new (SSLv23_client_method ());
+ if (TlsCtx == NULL) {
+ ASSERT (TlsCtx != NULL);
+ return NULL;
+ }
+
+ //
+ // Ensure SSLv3 is disabled
+ //
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
+ //
+ // Treat as minimum accepted versions. Client can use higher
+ // TLS version if server supports it
+ //
switch (ProtoVersion) {
case TLS1_VERSION:
//
// TLS 1.0
//
- TlsCtx = SSL_CTX_new (TLSv1_method ());
break;
case TLS1_1_VERSION:
//
// TLS 1.1
//
- TlsCtx = SSL_CTX_new (TLSv1_1_method ());
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
break;
case TLS1_2_VERSION:
//
// TLS 1.2
//
- TlsCtx = SSL_CTX_new (TLSv1_2_method ());
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
break;
default:
//
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate
2016-08-26 19:08 ` [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate Thomas Palmer
@ 2016-09-07 8:21 ` Wu, Jiaxin
0 siblings, 0 replies; 5+ messages in thread
From: Wu, Jiaxin @ 2016-09-07 8:21 UTC (permalink / raw)
To: Thomas Palmer, edk2-devel@lists.01.org
Thomas,
Sorry for the delayed response. The patch is good to me, only one comments:
> + TlsCtx = SSL_CTX_new (SSLv23_client_method ()); if (TlsCtx == NULL)
> + {
> + ASSERT (TlsCtx != NULL);
> + return NULL;
> + }
I think we can remove the assert. Return NULL is fine here.
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Thomas Palmer
> Sent: Saturday, August 27, 2016 3:09 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [edk2] [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]:
> CryptoPkg/TlsLib: TLS Ver negotiate
>
> The TLS protocol allows for clients and servers to negotiate which version of
> TLS to use. Newer versions are deemed safer, so when they are available the
> client and server should opt to use them.
>
> The EDK2 TLS code today only allows TLSv1.0 for TLS communication,
> regardless of the target server's capabilities. In order to use the newer
> protocols, we'll update the EDK2 TlsLib.c code to allow for TLS version
> negotiation when a new TLS object is created. The TLS version specified in
> TlsCtxNew will be the minimum version accepted.
>
> Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to
> simulate SSL_CTX_set_min_proto_version.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
> ---
> CryptoPkg/Library/TlsLib/TlsLib.c | 21 +++++++++++++++++----
> 1 file changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c
> b/CryptoPkg/Library/TlsLib/TlsLib.c
> index aa08595..0ff699b 100644
> --- a/CryptoPkg/Library/TlsLib/TlsLib.c
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.c
> @@ -195,26 +195,39 @@ TlsCtxNew (
>
> ProtoVersion = (MajorVer << 8) | MinorVer;
>
> - TlsCtx = NULL;
> + TlsCtx = SSL_CTX_new (SSLv23_client_method ()); if (TlsCtx == NULL)
> + {
> + ASSERT (TlsCtx != NULL);
> + return NULL;
> + }
> +
> + //
> + // Ensure SSLv3 is disabled
> + //
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
>
> + //
> + // Treat as minimum accepted versions. Client can use higher // TLS
> + version if server supports it //
> switch (ProtoVersion) {
> case TLS1_VERSION:
> //
> // TLS 1.0
> //
> - TlsCtx = SSL_CTX_new (TLSv1_method ());
> break;
> case TLS1_1_VERSION:
> //
> // TLS 1.1
> //
> - TlsCtx = SSL_CTX_new (TLSv1_1_method ());
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> break;
> case TLS1_2_VERSION:
> //
> // TLS 1.2
> //
> - TlsCtx = SSL_CTX_new (TLSv1_2_method ());
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
> break;
> default:
> //
> --
> 2.7.4
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv
2016-08-26 19:08 [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate Thomas Palmer
2016-08-26 19:08 ` [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate Thomas Palmer
@ 2016-08-26 19:08 ` Thomas Palmer
2016-09-07 8:23 ` Wu, Jiaxin
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Palmer @ 2016-08-26 19:08 UTC (permalink / raw)
To: edk2-devel; +Cc: joseph.shifflett, jiaxin.wu, Thomas Palmer
Demonstrate the TLS regotiation in this feature branch. Remove the
code that calls EfiTlsVersion in the HttpDxe module.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
---
NetworkPkg/HttpDxe/HttpsSupport.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 9a68b45..4cfeab5 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -2,6 +2,7 @@
Miscellaneous routines specific to Https for HttpDxe driver.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -487,23 +488,12 @@ TlsConfigureSession (
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
//
- // EfiTlsVersion
// EfiTlsConnectionEnd,
// EfiTlsVerifyMethod
// EfiTlsSessionState
//
Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls,
- EfiTlsVersion,
- &(HttpInstance->TlsConfigData.Version),
- sizeof (EFI_TLS_VERSION)
- );
- if (EFI_ERROR (Status)) {
- goto ERROR;
- }
-
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
EfiTlsConnectionEnd,
&(HttpInstance->TlsConfigData.ConnectionEnd),
sizeof (EFI_TLS_CONNECTION_END)
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv
2016-08-26 19:08 ` [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv Thomas Palmer
@ 2016-09-07 8:23 ` Wu, Jiaxin
0 siblings, 0 replies; 5+ messages in thread
From: Wu, Jiaxin @ 2016-09-07 8:23 UTC (permalink / raw)
To: Thomas Palmer, edk2-devel@lists.01.org
In TlsConfigureSession(), below piece of code should also be removed. Others is good to me.
HttpInstance->TlsConfigData.Version.Major = TLS10_PROTOCOL_VERSION_MAJOR;
HttpInstance->TlsConfigData.Version.Minor = TLS10_PROTOCOL_VERSION_MINOR;
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: Thomas Palmer [mailto:thomas.palmer@hpe.com]
> Sent: Saturday, August 27, 2016 3:09 AM
> To: edk2-devel@lists.01.org
> Cc: joseph.shifflett@hpe.com; Wu, Jiaxin <jiaxin.wu@intel.com>; Thomas
> Palmer <thomas.palmer@hpe.com>
> Subject: [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]:
> NetworkPkg/HttpDxe: Unrestrict TLSv
>
> Demonstrate the TLS regotiation in this feature branch. Remove the code
> that calls EfiTlsVersion in the HttpDxe module.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 12 +-----------
> 1 file changed, 1 insertion(+), 11 deletions(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 9a68b45..4cfeab5 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -2,6 +2,7 @@
> Miscellaneous routines specific to Https for HttpDxe driver.
>
> Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> @@ -487,23 +488,12 @@ TlsConfigureSession (
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> //
> - // EfiTlsVersion
> // EfiTlsConnectionEnd,
> // EfiTlsVerifyMethod
> // EfiTlsSessionState
> //
> Status = HttpInstance->Tls->SetSessionData (
> HttpInstance->Tls,
> - EfiTlsVersion,
> - &(HttpInstance->TlsConfigData.Version),
> - sizeof (EFI_TLS_VERSION)
> - );
> - if (EFI_ERROR (Status)) {
> - goto ERROR;
> - }
> -
> - Status = HttpInstance->Tls->SetSessionData (
> - HttpInstance->Tls,
> EfiTlsConnectionEnd,
> &(HttpInstance->TlsConfigData.ConnectionEnd),
> sizeof (EFI_TLS_CONNECTION_END)
> --
> 2.7.4
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-09-07 8:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-26 19:08 [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate Thomas Palmer
2016-08-26 19:08 ` [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate Thomas Palmer
2016-09-07 8:21 ` Wu, Jiaxin
2016-08-26 19:08 ` [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv Thomas Palmer
2016-09-07 8:23 ` Wu, Jiaxin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox