From: Laszlo Ersek
To: edk2-devel@lists.01.org
Cc: Ard Biesheuvel, Ting Ye, Jordan Justen, Liming Gao, Jiaxin Wu, Gary Ching-Pang Lin, Qin Long, Michael D Kinney, Siyuan Fu
References: <20180411104247.3758-1-lersek@redhat.com>
In-Reply-To: <20180411104247.3758-1-lersek@redhat.com>
Message-ID: <2e3b2327-f4d0-716a-00e6-250cc5749159@redhat.com>
Date: Fri, 13 Apr 2018 14:10:16 +0200
Subject: Re: [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
List-Id: EDK II Development

On 04/11/18 12:42, Laszlo Ersek wrote:
> Repo:   https://github.com/lersek/edk2.git
> Branch: tls_ciphers_v2
>
> This is version 2 of the series posted earlier at
>
>   http://mid.mail-archive.com/20180403145149.8925-1-lersek@redhat.com
>   https://lists.01.org/pipermail/edk2-devel/2018-April/023402.html
>
> Changes are noted per patch. One important change cannot be highlighted
> that way, however, because it involves the dropping of the following two
> patches from v1:
>
>   [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh"
>                        POSIX shell script
>
>   [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
>
> I retested HTTPS boot with this series; it succeeded. The TLS cipher
> suite preference list came from the system-wide configuration on my
> RHEL-7 laptop; basically the binary CipherId array from the command
> "openssl ciphers -V". The relevant lines from the OVMF log were:
>
>> TlsAuthConfigDxe:SetCipherSuites: stored list of cipher suites (190 byte(s))
>> [...]
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A5
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A1
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x006A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0038
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0088
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0087
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0086
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0085
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC032
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC026
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC005
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0084
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A4
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x00A0
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0040
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0032
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0099
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0098
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0097
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0045
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0044
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0043
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0042
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC031
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC02D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC029
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC025
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00E
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC004
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x009C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0096
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0041
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC012
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC008
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0013
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0010
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x000D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00D
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC003
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0007
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008B
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0021
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x001F
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0025
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0023
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC011
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC007
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC00C
>> TlsDxe:TlsSetCipherList: skipping CipherId=0xC002
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x008A
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0020
>> TlsDxe:TlsSetCipherList: skipping CipherId=0x0024
>> TlsDxe:TlsSetCipherList: CipherString={
>> DHE-RSA-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-
>> SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA256:AES256-SHA:DHE-RSA-AES128
>> -SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DH-RSA-AES
>> 128-SHA:DH-DSS-AES128-SHA:AES128-SHA256:AES128-SHA:DHE-RSA-DES-CBC3-SHA:DES-CBC
>> 3-SHA:RC4-SHA:RC4-MD5
>> }
>
> Cc: Ard Biesheuvel
> Cc: Gary Ching-Pang Lin
> Cc: Jiaxin Wu
> Cc: Jordan Justen
> Cc: Liming Gao
> Cc: Michael D Kinney
> Cc: Qin Long
> Cc: Siyuan Fu
> Cc: Ting Ye
>
> Thanks,
> Laszlo
>
> Laszlo Ersek (9):
>   OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
>     boot
>   MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
>   NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
>   NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
>   CryptoPkg/TlsLib: replace TlsGetCipherString() with
>     TlsGetCipherMapping()
>   CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
>     function
>   CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
>     TlsCipherMappingTable
>   CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
>   CryptoPkg/TlsLib: rewrite TlsSetCipherList()
>
>  CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
>  CryptoPkg/Library/TlsLib/TlsConfig.c                  | 279 +++++++++++++++-----
>  CryptoPkg/Library/TlsLib/TlsLib.inf                   |   9 +-
>  MdePkg/Include/Protocol/Tls.h                         |  10 +
>  NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++++
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
>  8 files changed, 353 insertions(+), 76 deletions(-)
>

Pushed as commit range 54ec85dd2902..2167c7f7a55b.

Thanks!
Laszlo
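Added example (not EDK2 code and not part of Laszlo's series): a stand-alone C model of the mapping step that the quoted OVMF log shows, i.e. what the rewritten TlsSetCipherList() does with the EfiTlsCipherList blob that TlsAuthConfigDxe stores. The blob is an array of 16-bit IANA cipher suite IDs in network byte order (the 190 bytes above are 95 IDs); each ID is looked up by binary search in a table sorted by IANA ID with a pre-computed OpenSSL name length, IDs absent from the table are skipped, and the hits are joined with ':' into the string OpenSSL receives. The function name TlsSetCipherListDemo, its negative return codes and the twelve-entry table (public IANA IDs with their OpenSSL names, an illustrative subset) are this example's assumptions, not TlsLib's. The caveat the log makes visible, and which the example reproduces, is that an ID the firmware's table does not know is dropped silently, so the suites the firmware actually offers are the intersection of the host preference list and the mapping table, not the host list: in the log, 75 of the 95 IDs are skipped, and the string handed to OpenSSL is the CBC/3DES/RC4 tail of the host policy.

```c
/*
 * Added example, not EDK2 code: models how TlsSetCipherList() turns the
 * EfiTlsCipherList blob (big-endian IANA cipher suite IDs, as produced from
 * "openssl ciphers -V") into an OpenSSL cipher string. Function names, return
 * codes and the table subset below are this example's own assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
  uint16_t    IanaCipher;          /* cipher suite ID (IANA TLS registry) */
  const char *OpensslCipher;       /* OpenSSL name for the same suite     */
  size_t      OpensslCipherLength; /* pre-computed strlen(OpensslCipher)  */
} CIPHER_MAPPING;

#define MAP(Id, Name)  { Id, Name, sizeof (Name) - 1 }

/* Assumption: illustrative subset of the public IANA registry, kept sorted
 * by IanaCipher so that bsearch() is valid. */
static const CIPHER_MAPPING  TlsCipherMappingTable[] = {
  MAP (0x0004, "RC4-MD5"),
  MAP (0x0005, "RC4-SHA"),
  MAP (0x000A, "DES-CBC3-SHA"),
  MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"),
  MAP (0x002F, "AES128-SHA"),
  MAP (0x0033, "DHE-RSA-AES128-SHA"),
  MAP (0x0035, "AES256-SHA"),
  MAP (0x0039, "DHE-RSA-AES256-SHA"),
  MAP (0x003C, "AES128-SHA256"),
  MAP (0x003D, "AES256-SHA256"),
  MAP (0x0067, "DHE-RSA-AES128-SHA256"),
  MAP (0x006B, "DHE-RSA-AES256-SHA256"),
};

static int
CompareCipherId (const void *Key, const void *Elem)
{
  uint16_t  K = *(const uint16_t *)Key;
  uint16_t  E = ((const CIPHER_MAPPING *)Elem)->IanaCipher;

  return (K > E) - (K < E);
}

/* Binary search over the sorted table; NULL when the ID is not mapped. */
static const CIPHER_MAPPING *
TlsGetCipherMapping (uint16_t CipherId)
{
  return bsearch (&CipherId, TlsCipherMappingTable,
                  sizeof TlsCipherMappingTable / sizeof TlsCipherMappingTable[0],
                  sizeof TlsCipherMappingTable[0], CompareCipherId);
}

/*
 * Build the ':'-separated OpenSSL cipher string from DataSize bytes of IDs.
 * Returns 0 on success; -1 if DataSize is not a positive multiple of 2 (a TLS
 * cipher suite is exactly two bytes, the DataSize check the series adds to
 * TlsDxe); -2 if no ID mapped, so there is nothing to hand to OpenSSL; -3 if
 * Out is too small. *Skipped receives the number of unmapped IDs.
 */
int
TlsSetCipherListDemo (const uint8_t *Data, size_t DataSize,
                      char *Out, size_t OutSize, size_t *Skipped)
{
  size_t  Idx, Used = 0;

  *Skipped = 0;
  if (DataSize == 0 || DataSize % 2 != 0) {
    return -1;
  }
  if (OutSize == 0) {
    return -3;
  }
  Out[0] = '\0';

  for (Idx = 0; Idx < DataSize / 2; Idx++) {
    /* IDs are stored in network (big-endian) byte order, as on the wire. */
    uint16_t               CipherId = (uint16_t)((Data[2 * Idx] << 8) | Data[2 * Idx + 1]);
    const CIPHER_MAPPING  *Mapping  = TlsGetCipherMapping (CipherId);
    size_t                 Need;

    if (Mapping == NULL) {
      (*Skipped)++;       /* the real code logs "skipping CipherId=0x...." */
      continue;
    }
    Need = Mapping->OpensslCipherLength + (Used > 0 ? 1 : 0);
    if (Used + Need + 1 > OutSize) {
      return -3;
    }
    if (Used > 0) {
      Out[Used++] = ':';
    }
    memcpy (Out + Used, Mapping->OpensslCipher, Mapping->OpensslCipherLength);
    Used += Mapping->OpensslCipherLength;
    Out[Used] = '\0';
  }
  return Used == 0 ? -2 : 0;
}

int
main (void)
{
  /* Constructed sample: 0xC030 (ECDHE-RSA-AES256-GCM-SHA384) is not in this
   * subset and is skipped, like in the quoted log; the other four map. */
  const uint8_t  Sample[] = { 0xC0, 0x30, 0x00, 0x6B, 0x00, 0x39, 0x00, 0x35, 0x00, 0x04 };
  char           Out[128];
  size_t         Skipped;
  int            Status = TlsSetCipherListDemo (Sample, sizeof Sample, Out, sizeof Out, &Skipped);

  printf ("status=%d skipped=%zu CipherString={%s}\n", Status, Skipped, Out);
  return Status;
}
```

Compile with any C99 compiler (e.g. "cc -std=c99 -Wall demo.c"); the sample yields skipped=1 and the string DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:RC4-MD5, i.e. the strongest suite in the input never reaches OpenSSL. When auditing a firmware's HTTPS boot policy, compare the CipherString line in the OVMF log against the host's "openssl ciphers -V" output rather than trusting the host list alone.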