From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 683872274F3C1
 for <edk2-devel@lists.01.org>; Fri, 13 Apr 2018 05:10:19 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id AB7AC8DC4F;
 Fri, 13 Apr 2018 12:10:18 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-136.rdu2.redhat.com
 [10.10.120.136])
 by smtp.corp.redhat.com (Postfix) with ESMTP id EC1052166BAD;
 Fri, 13 Apr 2018 12:10:16 +0000 (UTC)
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel@lists.01.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>, Ting Ye <ting.ye@intel.com>,
 Jordan Justen <jordan.l.justen@intel.com>, Liming Gao
 <liming.gao@intel.com>, Jiaxin Wu <jiaxin.wu@intel.com>,
 Gary Ching-Pang Lin <glin@suse.com>, Qin Long <qin.long@intel.com>,
 Michael D Kinney <michael.d.kinney@intel.com>,
 Siyuan Fu <siyuan.fu@intel.com>
References: <20180411104247.3758-1-lersek@redhat.com>
Message-ID: <2e3b2327-f4d0-716a-00e6-250cc5749159@redhat.com>
Date: Fri, 13 Apr 2018 14:10:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180411104247.3758-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.11.55.2]); Fri, 13 Apr 2018 12:10:18 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]);
 Fri, 13 Apr 2018 12:10:18 +0000 (UTC) for IP:'10.11.54.6'
 DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com'
 HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: Re: [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 12:10:20 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 04/11/18 12:42, Laszlo Ersek wrote:
> Repo:   https://github.com/lersek/edk2.git
> Branch: tls_ciphers_v2
> 
> This is version 2 of the series posted earlier at
> 
>   http://mid.mail-archive.com/20180403145149.8925-1-lersek@redhat.com
>   https://lists.01.org/pipermail/edk2-devel/2018-April/023402.html
> 
> Changes are noted per patch. One important change cannot be highlighted
> that way however, because it involves the dropping of the following two
> patches from v1:
> 
>   [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh"
>                        POSIX shell script
> 
>   [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
> 
> I retested HTTPS boot with this series; it succeeded. The TLS cipher
> suite preference list came from the system-wide configuration on my
> RHEL-7 laptop; basically the binary CipherId array from the command
> "openssl ciphers -V". The relevant lines from the OVMF log were:
> 
>> TlsAuthConfigDxe:SetCipherSuites: stored list of cipher suites (190 byte(s))
>> [...]
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A5
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A1
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x006A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0038
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0088
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0087
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0086
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0085
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC032
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC026
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC005
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0084
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A4
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A0
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0040
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0032
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0099
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0098
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0097
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0045
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0044
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0043
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0042
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC031
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC029
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC025
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC004
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0096
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0041
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC012
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC008
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0013
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0010
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x000D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC003
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0007
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008B
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0021
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x001F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0025
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0023
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC011
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC007
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC002
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0020
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0024
>> TlsDxe:TlsSetCipherList: CipherString={
>> DHE-RSA-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-
>> SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA256:AES256-SHA:DHE-RSA-AES128
>> -SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DH-RSA-AES
>> 128-SHA:DH-DSS-AES128-SHA:AES128-SHA256:AES128-SHA:DHE-RSA-DES-CBC3-SHA:DES-CBC
>> 3-SHA:RC4-SHA:RC4-MD5
>> }
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Ching-Pang Lin <glin@suse.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (9):
>   OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
>     boot
>   MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
>   NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
>   NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
>   CryptoPkg/TlsLib: replace TlsGetCipherString() with
>     TlsGetCipherMapping()
>   CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
>     function
>   CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
>     TlsCipherMappingTable
>   CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
>   CryptoPkg/TlsLib: rewrite TlsSetCipherList()
> 
>  CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
>  CryptoPkg/Library/TlsLib/TlsConfig.c                  | 279 +++++++++++++++-----
>  CryptoPkg/Library/TlsLib/TlsLib.inf                   |   9 +-
>  MdePkg/Include/Protocol/Tls.h                         |  10 +
>  NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++++
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
>  8 files changed, 353 insertions(+), 76 deletions(-)
> 

Pushed as commit range 54ec85dd2902..2167c7f7a55b.

Thanks!
Laszlo