From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Long, Qin" <qin.long@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Ye, Ting" <ting.ye@intel.com>,
"lersek@redhat.com" <lersek@redhat.com>,
"ard.biesheuvel@linaro.org" <ard.biesheuvel@linaro.org>,
"glin@suse.com" <glin@suse.com>,
"ronald.cron@arm.com" <ronald.cron@arm.com>,
"Moso.Lee@citrix.com" <Moso.Lee@citrix.com>,
"thomas.palmer@hpe.com" <thomas.palmer@hpe.com>
Subject: Re: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes.
Date: Fri, 24 Mar 2017 05:40:01 +0000 [thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B7274162ACFC9@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <20170323131932.6168-12-qin.long@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: Long, Qin
> Sent: Thursday, March 23, 2017 9:20 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
> lersek@redhat.com; ard.biesheuvel@linaro.org; glin@suse.com;
> ronald.cron@arm.com; Moso.Lee@citrix.com; thomas.palmer@hpe.com
> Subject: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align
> with OpenSSL changes.
>
> This patch update the wrapper implementation in TlsLib to align
> with the latest OpenSSL-1.1.0xx API changes.
>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Palmer Thomas <thomas.palmer@hpe.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Lin <glin@suse.com>
> Cc: Ronald Cron <ronald.cron@arm.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
> CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++-
> CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++-----
> CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++----------------------
> 3 files changed, 31 insertions(+), 46 deletions(-)
>
> diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> index e75146648d..97727361e8 100644
> --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> @@ -1,7 +1,7 @@
> /** @file
> Internal include file for TlsLib.
>
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at
> @@ -15,6 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
> #ifndef __INTERNAL_TLS_LIB_H__
> #define __INTERNAL_TLS_LIB_H__
>
> +#undef _WIN32
> +#undef _WIN64
> +
> #include <Library/BaseCryptLib.h>
> #include <openssl/ssl.h>
> #include <openssl/bio.h>
> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c
> b/CryptoPkg/Library/TlsLib/TlsConfig.c
> index f103da4321..43e275d400 100644
> --- a/CryptoPkg/Library/TlsLib/TlsConfig.c
> +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
> @@ -128,24 +128,30 @@ TlsSetVersion (
>
> ProtoVersion = (MajorVer << 8) | MinorVer;
>
> + //
> + // Bound TLS method to the particular specified version.
> + //
> switch (ProtoVersion) {
> case TLS1_VERSION:
> //
> // TLS 1.0
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
> break;
> case TLS1_1_VERSION:
> //
> // TLS 1.1
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> break;
> case TLS1_2_VERSION:
> //
> // TLS 1.2
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> break;
> default:
> //
> @@ -384,8 +390,7 @@ TlsSetSessionId (
> return EFI_UNSUPPORTED;
> }
>
> - Session->session_id_length = SessionIdLen;
> - CopyMem (Session->session_id, SessionId, Session->session_id_length);
> + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,
> SessionIdLen);
>
> return EFI_SUCCESS;
> }
> @@ -847,7 +852,7 @@ TlsGetClientRandom (
> return;
> }
>
> - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random,
> SSL3_RANDOM_SIZE);
> + SSL_get_client_random (TlsConn->Ssl, ClientRandom,
> SSL3_RANDOM_SIZE);
> }
>
> /**
> @@ -876,7 +881,7 @@ TlsGetServerRandom (
> return;
> }
>
> - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random,
> SSL3_RANDOM_SIZE);
> + SSL_get_server_random (TlsConn->Ssl, ServerRandom,
> SSL3_RANDOM_SIZE);
> }
>
> /**
> @@ -916,7 +921,7 @@ TlsGetKeyMaterial (
> return EFI_UNSUPPORTED;
> }
>
> - CopyMem (KeyMaterial, Session->master_key, Session-
> >master_key_length);
> + SSL_SESSION_get_master_key (Session, KeyMaterial,
> SSL3_MASTER_SECRET_SIZE);
>
> return EFI_SUCCESS;
> }
> diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c
> b/CryptoPkg/Library/TlsLib/TlsInit.c
> index 6b1fd93ea9..f32148ac9a 100644
> --- a/CryptoPkg/Library/TlsLib/TlsInit.c
> +++ b/CryptoPkg/Library/TlsLib/TlsInit.c
> @@ -1,7 +1,7 @@
> /** @file
> SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
>
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> @@ -33,14 +33,10 @@ TlsInitialize (
> // Performs initialization of crypto and ssl library, and loads required
> // algorithms.
> //
> - SSL_library_init ();
> -
> - //
> - // Loads error strings from both crypto and ssl library.
> - //
> - SSL_load_error_strings ();
> -
> - /// OpenSSL_add_all_algorithms();
> + OPENSSL_init_ssl (
> + OPENSSL_INIT_LOAD_SSL_STRINGS |
> OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
> + NULL
> + );
>
> //
> // Initialize the pseudorandom number generator.
> @@ -103,34 +99,10 @@ TlsCtxNew (
> SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
>
> //
> - // Treat as minimum accepted versions. Client can use higher
> - // TLS version if server supports it
> - //
> - switch (ProtoVersion) {
> - case TLS1_VERSION:
> - //
> - // TLS 1.0
> - //
> - break;
> - case TLS1_1_VERSION:
> - //
> - // TLS 1.1
> - //
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> - break;
> - case TLS1_2_VERSION:
> - //
> - // TLS 1.2
> - //
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
> - break;
> - default:
> - //
> - // Unsupported TLS/SSL Protocol Version.
> - //
> - break;
> - }
> + // Treat as minimum accepted versions by setting the minimal bound.
> + // Client can use higher TLS version if server supports it
> + //
> + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
>
> return (VOID *) TlsCtx;
> }
> @@ -220,6 +192,11 @@ TlsNew (
> }
>
> //
> + // This retains compatibility with previous version of OpenSSL.
> + //
> + SSL_set_security_level (TlsConn->Ssl, 0);
> +
> + //
> // Initialize the created SSL Object
> //
> SSL_set_info_callback (TlsConn->Ssl, NULL);
> --
> 2.11.1.windows.1
next prev parent reply other threads:[~2017-03-24 5:40 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-23 13:19 [PATCH v2 00/11] Upgrade CryptoPkg to use the OpenSSL 1.1.0xx/stable release Qin Long
2017-03-23 13:19 ` [PATCH v2 01/11] CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0x build Qin Long
2017-03-23 18:27 ` Laszlo Ersek
2017-03-27 9:40 ` Gary Lin
2017-03-23 13:19 ` [PATCH v2 02/11] CryptoPkg: Update .gitignore for OpenSSL source masking Qin Long
2017-03-23 18:28 ` Laszlo Ersek
2017-03-23 13:19 ` [PATCH v2 03/11] CryptoPkg/OpensslLib: Remove patch file and installation scripts Qin Long
2017-03-23 18:28 ` Laszlo Ersek
2017-03-23 13:19 ` [PATCH v2 04/11] CryptoPkg/OpensslLib: Add new Perl script for file list generation Qin Long
2017-03-23 18:29 ` Laszlo Ersek
2017-03-23 13:19 ` [PATCH v2 05/11] CryptoPkg/OpensslLib: Add new OpenSSL-HOWTO document Qin Long
2017-03-23 18:31 ` Laszlo Ersek
2017-03-27 9:58 ` Gary Lin
2017-03-23 13:19 ` [PATCH v2 06/11] CryptoPkg: Fix handling of &strcmp function pointers Qin Long
2017-03-23 18:33 ` Laszlo Ersek
2017-03-27 9:41 ` Gary Lin
2017-03-23 13:19 ` [PATCH v2 07/11] CryptoPkg: Clean-up CRT Library Wrapper Qin Long
2017-03-23 18:34 ` Laszlo Ersek
2017-03-27 9:42 ` Gary Lin
2017-03-30 17:33 ` Laszlo Ersek
2017-03-31 2:06 ` Long, Qin
2017-03-23 13:19 ` [PATCH v2 08/11] CryptoPkg: Add extra build option to disable VS build warning Qin Long
2017-03-23 13:19 ` [PATCH v2 09/11] CryptoPkg: Update HMAC Wrapper with opaque HMAC_CTX object Qin Long
2017-03-23 18:37 ` Laszlo Ersek
2017-03-27 9:56 ` Gary Lin
2017-03-23 13:19 ` [PATCH v2 10/11] CryptoPkg: Update PK Cipher Wrappers work with opaque objects Qin Long
2017-03-23 18:38 ` Laszlo Ersek
2017-03-27 9:44 ` Gary Lin
2017-03-23 13:19 ` [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes Qin Long
2017-03-23 16:23 ` Palmer, Thomas
2017-03-24 5:40 ` Wu, Jiaxin [this message]
2017-03-23 17:28 ` [PATCH v2 00/11] Upgrade CryptoPkg to use the OpenSSL 1.1.0xx/stable release Laszlo Ersek
2017-03-28 8:19 ` Ye, Ting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=895558F6EA4E3B41AC93A00D163B7274162ACFC9@SHSMSX103.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox