From: "Wu, Jiaxin"
To: "Long, Qin", "Palmer, Thomas", "edk2-devel@lists.01.org"
CC: "ard.biesheuvel@linaro.org", "Ye, Ting", "ronald.cron@arm.com", "glin@suse.com", "lersek@redhat.com"
Subject: Re: [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
Date: Thu, 23 Mar 2017 01:20:54 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274162A57BA@SHSMSX103.ccr.corp.intel.com>
References: <20170321155612.1192-1-qin.long@intel.com> <20170321155612.1192-10-qin.long@intel.com>
List-Id: EDK II Development

Hi Thomas,

I agree with the update for TlsSetVersion/TlsCtxNew. But for TlsSetVersion, we should use SSL_set_min_proto_version instead of SSL_CTX_set_min_proto_version to avoid the SSL CONTEXT change directly.

Thanks,
Jiaxin

> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, March 22, 2017 9:32 AM
> To: Palmer, Thomas; edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com; lersek@redhat.com
> Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
>
> Thomas,
>
> Thanks for the comments. I will check this with Jiaxin, and make the possible updates in V2.
>
> Best Regards & Thanks,
> LONG, Qin
>
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Wednesday, March 22, 2017 1:43 AM
> > To: Long, Qin; edk2-devel@lists.01.org
> > Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com; lersek@redhat.com
> > Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
> >
> > Qin,
> >
> > Please update TlsSetVersion to use SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version in the switch statement. We do not want auto-negotiate but only to restrict to a particular version.
> >
> > Also, let's update TlsCtxNew to use only SSL_CTX_set_min_proto_version. TlsCtxNew will auto-negotiate, but the version provided will put in a lower floor to what is allowed.
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
> >
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > > Qin Long > > Sent: Tuesday, March 21, 2017 10:56 AM > > To: edk2-devel@lists.01.org > > Cc: ard.biesheuvel@linaro.org; ting.ye@intel.com; ronald.cron@arm.com; > > jiaxin.wu@intel.com; glin@suse.com; lersek@redhat.com > > Subject: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper > Library > > to align with OpenSSL changes. > > > > This patch update the wrapper implementation in TlsLib to align with th= e > > latest OpenSSL-1.1.0xx API changes. > > > > Cc: Jiaxin Wu > > Cc: Ting Ye > > Cc: Laszlo Ersek > > Cc: Ard Biesheuvel > > Cc: Gary Lin > > Cc: Ronald Cron > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Qin Long > > --- > > CryptoPkg/Library/TlsLib/InternalTlsLib.h | 6 +++++- > > CryptoPkg/Library/TlsLib/TlsConfig.c | 21 +++++++++++++-------- > > CryptoPkg/Library/TlsLib/TlsInit.c | 19 ++++++++++--------- > > 3 files changed, 28 insertions(+), 18 deletions(-) > > > > diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > index e75146648d..f3a662afea 100644 > > --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > @@ -1,7 +1,7 @@ > > /** @file > > Internal include file for TlsLib. > > > > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> > +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> > This program and the accompanying materials are licensed and made > > available under the terms and conditions of the BSD License which > > accompanies this distribution. The full text of the license may be fou= nd at > > @@ -15,6 +15,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF > ANY > > KIND, EITHER EXPRESS OR IMPLIED. > > #ifndef __INTERNAL_TLS_LIB_H__ > > #define __INTERNAL_TLS_LIB_H__ > > > > +#undef _WIN32 > > +#undef _WIN64 > > +#undef _MSC_VER > > + > > #include > > #include > > #include > > diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c > > b/CryptoPkg/Library/TlsLib/TlsConfig.c > > index f103da4321..3586be3945 100644 > > --- a/CryptoPkg/Library/TlsLib/TlsConfig.c > > +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c > > @@ -128,24 +128,30 @@ TlsSetVersion ( > > > > ProtoVersion =3D (MajorVer << 8) | MinorVer; > > > > + // > > + // Using the general-purpose version-flexible SSL/TLS methods here. > > + // The actual protocol version used in OpenSSL-1.1.xx will be > > + negoriated // to the highest version mutually supported by the clien= t and > > server. > > + // Old TLSv1_x_method() was marked as deprecated. > > + // > > switch (ProtoVersion) { > > case TLS1_VERSION: > > // > > // TLS 1.0 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > case TLS1_1_VERSION: > > // > > // TLS 1.1 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > case TLS1_2_VERSION: > > // > > // TLS 1.2 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > default: > > // 
> > @@ -384,8 +390,7 @@ TlsSetSessionId ( > > return EFI_UNSUPPORTED; > > } > > > > - Session->session_id_length =3D SessionIdLen; > > - CopyMem (Session->session_id, SessionId, Session->session_id_length)= ; > > + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, > > + SessionIdLen); > > > > return EFI_SUCCESS; > > } > > @@ -847,7 +852,7 @@ TlsGetClientRandom ( > > return; > > } > > > > - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, > > SSL3_RANDOM_SIZE); > > + SSL_get_client_random (TlsConn->Ssl, ClientRandom, > > SSL3_RANDOM_SIZE); > > } > > > > /** > > @@ -876,7 +881,7 @@ TlsGetServerRandom ( > > return; > > } > > > > - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, > > SSL3_RANDOM_SIZE); > > + SSL_get_server_random (TlsConn->Ssl, ServerRandom, > > SSL3_RANDOM_SIZE); > > } > > > > /** > > @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( > > return EFI_UNSUPPORTED; > > } > > > > - CopyMem (KeyMaterial, Session->master_key, Session- > > >master_key_length); > > + SSL_SESSION_get_master_key (Session, KeyMaterial, > > + SSL3_MASTER_SECRET_SIZE); > > > > return EFI_SUCCESS; > > } > > diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c > > b/CryptoPkg/Library/TlsLib/TlsInit.c > > index 6b1fd93ea9..d7b8899ac2 100644 > > --- a/CryptoPkg/Library/TlsLib/TlsInit.c > > +++ b/CryptoPkg/Library/TlsLib/TlsInit.c > > @@ -1,7 +1,7 @@ > > /** @file > > SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. > > > > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> > +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> > (C) Copyright 2016 Hewlett Packard Enterprise Development LP
This > > program and the accompanying materials are licensed and made available > > under the terms and conditions of the BSD License @@ -33,14 +33,10 @@ > > TlsInitialize ( > > // Performs initialization of crypto and ssl library, and loads requ= ired > > // algorithms. > > // > > - SSL_library_init (); > > - > > - // > > - // Loads error strings from both crypto and ssl library. > > - // > > - SSL_load_error_strings (); > > - > > - /// OpenSSL_add_all_algorithms(); > > + OPENSSL_init_ssl ( > > + OPENSSL_INIT_LOAD_SSL_STRINGS | > > OPENSSL_INIT_LOAD_CRYPTO_STRINGS, > > + NULL > > + ); > > > > // > > // Initialize the pseudorandom number generator. > > @@ -220,6 +216,11 @@ TlsNew ( > > } > > > > // > > + // This retains compatibility with previous version of OpenSSL. > > + // > > + SSL_set_security_level (TlsConn->Ssl, 0); > > + > > + // > > // Initialize the created SSL Object > > // > > SSL_set_info_callback (TlsConn->Ssl, NULL); > > -- > > 2.11.1.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel
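Review bot: the three new `#undef _WIN32` / `#undef _WIN64` / `#undef _MSC_VER` lines in the InternalTlsLib.h hunk carry no comment explaining why they are needed; add one that names the OpenSSL header behaviour they suppress (presumably the Windows-specific code paths that an MSVC-built UEFI target must not pick up), otherwise a later maintainer cannot tell whether they are still required after the next OpenSSL update.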
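Review bot: after the TlsSetVersion hunk all three case arms call `SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());`, so the requested ProtoVersion no longer constrains the handshake and the switch only validates the input; a caller asking for TLS 1.2 can end up negotiating a different version. Keep TLS_method() but pin the connection on the SSL object rather than the shared SSL_CTX, as Jiaxin suggests, with `SSL_set_min_proto_version (TlsConn->Ssl, ProtoVersion);` and `SSL_set_max_proto_version (TlsConn->Ssl, ProtoVersion);`, and check their return values. The new comment also misspells "negoriated" (negotiated).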
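Review bot: in the TlsSetSessionId hunk the return value of `SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);` is discarded and the function still returns EFI_SUCCESS, but that call returns 0 when it rejects the id (for example when SessionIdLen exceeds SSL_MAX_SSL_SESSION_ID_LENGTH); test the result and return an error status on 0, which also adds the length check the removed CopyMem never had.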
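Review bot: the TlsGetKeyMaterial hunk replaces a copy of Session->master_key_length bytes with a request for SSL3_MASTER_SECRET_SIZE bytes and drops the count that `SSL_SESSION_get_master_key` returns; compare the returned count against SSL3_MASTER_SECRET_SIZE (or hand it back to the caller) and document in the function header that KeyMaterial must now be at least SSL3_MASTER_SECRET_SIZE bytes, since the function no longer sizes the copy from the session.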
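Review bot: `OPENSSL_init_ssl` in the TlsInitialize hunk returns 0 on failure, but the new call ignores the result; propagate a 0 return as an initialization failure so callers do not continue with an uninitialised library.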
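Review bot: `SSL_set_security_level (TlsConn->Ssl, 0);` in the TlsNew hunk lowers every connection to OpenSSL's least restrictive level, re-enabling ciphersuites, key sizes and digests that the 1.1.0 default (level 1) rejects; the comment "retains compatibility with previous version of OpenSSL" should state which ciphersuites or key sizes the library actually needs at level 0, and if none are needed the call should be dropped or made conditional so the stricter default stays in force.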