[PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites

[Laszlo Ersek <lersek@redhat.com>]

Repo:   https://github.com/lersek/edk2.git
Branch: tls_ciphers

Earlier I posted two patch sets for better platform control of the CA
certificates used in HTTPS booting (and for putting that control to use
in OVMF):

  [edk2] [PATCH 0/5] NetworkPkg: HTTP and TLS updates

  [edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list
                     for HTTPS boot

These series have been committed; thank you everyone that helped with
review and testing.

My next goal is better platform control of the TLS cipher suites that
are used in HTTPS booting (and similarly, putting that control to use in
OVMF). That's what this series is about.

You'll see references to TianoCore BZ#915 in the commit messages. The BZ
is not public just yet, because I originally thought that I found
security issues. It turns out that's not the case, so the BZ should be
opened up soon. Either way, the commit messages contain enough
information about the code changes.

I'm aware some of my reviewers are currently traveling for business --
please take your time and feel free to review the patches whenever it
best suits you.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>

Thanks!
Laszlo

Laszlo Ersek (13):
  OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
    boot
  MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
  NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
  NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
  CryptoPkg/TlsLib: replace TlsGetCipherString() with
    TlsGetCipherMapping()
  CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
    function
  CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
    TlsCipherMappingTable
  CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script
  CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
  CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file
  CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
  CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList()
  CryptoPkg/TlsLib: rewrite TlsSetCipherList()

 CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c                  | 448 +++++++++++++++++---
 CryptoPkg/Library/TlsLib/TlsLib.inf                   |  11 +-
 CryptoPkg/Library/TlsLib/TlsMappingTable.sh           | 140 ++++++
 MdePkg/Include/Protocol/Tls.h                         |  10 +
 NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
 9 files changed, 664 insertions(+), 76 deletions(-)
 create mode 100644 CryptoPkg/Library/TlsLib/TlsMappingTable.sh

-- 
2.14.1.3.gb7cf6e02401b