From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Ard Biesheuvel, Gary Ching-Pang Lin, Jiaxin Wu, Jordan Justen, Liming Gao, Michael D Kinney, Qin Long, Siyuan Fu, Ting Ye
Date: Tue, 3 Apr 2018 16:51:36 +0200
Message-Id: <20180403145149.8925-1-lersek@redhat.com>
Subject: [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
List-Id: EDK II Development
Repo:   https://github.com/lersek/edk2.git
Branch: tls_ciphers

Earlier I posted two patch sets for better platform control of the CA certificates used in HTTPS booting (and for putting that control to use in OVMF):

  [edk2] [PATCH 0/5] NetworkPkg: HTTP and TLS updates
  [edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot

These series have been committed; thank you to everyone who helped with review and testing.

My next goal is better platform control of the TLS cipher suites that are used in HTTPS booting (and similarly, putting that control to use in OVMF). That's what this series is about.

You'll see references to TianoCore BZ#915 in the commit messages. The BZ is not public just yet, because I originally thought that I had found security issues. It turns out that's not the case, so the BZ should be opened up soon. Either way, the commit messages contain enough information about the code changes.

I'm aware some of my reviewers are currently traveling for business -- please take your time and feel free to review the patches whenever it best suits you.

Cc: Ard Biesheuvel
Cc: Gary Ching-Pang Lin
Cc: Jiaxin Wu
Cc: Jordan Justen
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye

Thanks!
Laszlo

Laszlo Ersek (13):
  OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
  MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
  NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
  NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
  CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping()
  CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function
  CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable
  CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script
  CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
  CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file
  CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
  CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList()
  CryptoPkg/TlsLib: rewrite TlsSetCipherList()

 CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c                  | 448 +++++++++++++++++---
 CryptoPkg/Library/TlsLib/TlsLib.inf                   |  11 +-
 CryptoPkg/Library/TlsLib/TlsMappingTable.sh           | 140 ++++++
 MdePkg/Include/Protocol/Tls.h                         |  10 +
 NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
 9 files changed, 664 insertions(+), 76 deletions(-)
 create mode 100644 CryptoPkg/Library/TlsLib/TlsMappingTable.sh

-- 
2.14.1.3.gb7cf6e02401b
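As an added illustration of the checks the TlsDxe and TlsLib patch titles above refer to (this is example code written for this page, not code from the series or from edk2): a platform-supplied EfiTlsCipherList buffer is accepted only if its DataSize is a whole number of two-byte cipher suite entries, each entry is read in RFC 5246 big-endian wire order, and the resulting IANA ID is mapped to an OpenSSL cipher name by binary search over a table sorted by ID. The packed EfiTlsCipher struct mirrors the two-byte EFI_TLS_CIPHER layout; the table contents, the rejection of an empty list, and the policy of skipping unknown IDs are assumptions of this example.

```c
/* Added example, not edk2 code: validate and translate an EfiTlsCipherList.
 * EfiTlsCipher mirrors the 2-byte EFI_TLS_CIPHER (RFC 5246 CipherSuite);
 * the mapping table is a constructed subset and must stay sorted by ID. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#pragma pack(1)                 /* no padding: wire layout, as in the Tls.h patch */
typedef struct { uint8_t Data1; uint8_t Data2; } EfiTlsCipher;
#pragma pack()

typedef struct { uint16_t IanaCipher; const char *OpensslCipher; } CipherMapping;

/* Constructed subset of an IANA-ID -> OpenSSL-name table, sorted by IanaCipher. */
static const CipherMapping Table[] = {
  { 0x002F, "AES128-SHA" },
  { 0x0035, "AES256-SHA" },
  { 0x003C, "AES128-SHA256" },
  { 0x009C, "AES128-GCM-SHA256" },
  { 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
};

/* Binary search; returns NULL when the ID is not in the table. */
static const char *LookupCipher(uint16_t Id) {
  size_t Lo = 0, Hi = sizeof Table / sizeof Table[0];
  while (Lo < Hi) {
    size_t Mid = Lo + (Hi - Lo) / 2;
    if (Table[Mid].IanaCipher == Id) return Table[Mid].OpensslCipher;
    if (Table[Mid].IanaCipher < Id) Lo = Mid + 1; else Hi = Mid;
  }
  return NULL;
}

/* Returns the number of names written to Out, or -1 when DataSize is not a
 * non-zero multiple of sizeof(EfiTlsCipher). IDs absent from the table are
 * skipped (assumption: a platform list may name suites the library lacks). */
int ParseCipherList(const void *Data, size_t DataSize,
                    const char **Out, size_t OutMax) {
  if (DataSize == 0 || DataSize % sizeof(EfiTlsCipher) != 0) return -1;
  const EfiTlsCipher *C = Data;
  size_t Count = DataSize / sizeof(EfiTlsCipher), N = 0;
  for (size_t I = 0; I < Count && N < OutMax; I++) {
    /* Data1 is the high byte on the wire: convert big-endian to host order. */
    uint16_t Id = (uint16_t)((C[I].Data1 << 8) | C[I].Data2);
    const char *Name = LookupCipher(Id);
    if (Name != NULL) Out[N++] = Name;
  }
  return (int)N;
}
```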