From: "Wu, Jiaxin"
To: "Long, Qin", "edk2-devel@lists.01.org"
CC: "Ye, Ting", "lersek@redhat.com", "ard.biesheuvel@linaro.org", "glin@suse.com", "ronald.cron@arm.com", "Moso.Lee@citrix.com", "thomas.palmer@hpe.com"
Subject: Re: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes.
Date: Fri, 24 Mar 2017 05:40:01 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274162ACFC9@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <20170323131932.6168-12-qin.long@intel.com>
References: <20170323131932.6168-1-qin.long@intel.com> <20170323131932.6168-12-qin.long@intel.com>
List-Id: EDK II Development

Reviewed-by: Wu Jiaxin

Thanks,
Jiaxin

> -----Original Message-----
> From: Long, Qin > Sent: Thursday, March 23, 2017 9:20 PM > To: edk2-devel@lists.01.org > Cc: Ye, Ting ; Wu, Jiaxin ; > lersek@redhat.com; ard.biesheuvel@linaro.org; glin@suse.com; > ronald.cron@arm.com; Moso.Lee@citrix.com; thomas.palmer@hpe.com > Subject: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align > with OpenSSL changes. >=20 > This patch update the wrapper implementation in TlsLib to align > with the latest OpenSSL-1.1.0xx API changes. >=20 > Cc: Ting Ye > Cc: Palmer Thomas > Cc: Jiaxin Wu > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Gary Lin > Cc: Ronald Cron > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Qin Long > --- > CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++- > CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++----- > CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++----------------= ------ > 3 files changed, 31 insertions(+), 46 deletions(-) >=20 > diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > index e75146648d..97727361e8 100644 > --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > @@ -1,7 +1,7 @@ > /** @file > Internal include file for TlsLib. >=20 > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the BS= D > License > which accompanies this distribution. The full text of the license may b= e > found at > @@ -15,6 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > #ifndef __INTERNAL_TLS_LIB_H__ > #define __INTERNAL_TLS_LIB_H__ >=20 > +#undef _WIN32 > +#undef _WIN64 > + > #include > #include > #include > diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c > b/CryptoPkg/Library/TlsLib/TlsConfig.c > index f103da4321..43e275d400 100644 > --- a/CryptoPkg/Library/TlsLib/TlsConfig.c > +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c > @@ -128,24 +128,30 @@ TlsSetVersion ( >=20 > ProtoVersion =3D (MajorVer << 8) | MinorVer; >=20 > + // > + // Bound TLS method to the particular specified version. > + // > switch (ProtoVersion) { > case TLS1_VERSION: > // > // TLS 1.0 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); > + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION); > + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION); > break; > case TLS1_1_VERSION: > // > // TLS 1.1 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); > + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION); > + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION); > break; > case TLS1_2_VERSION: > // > // TLS 1.2 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); > + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION); > + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION); > break; > default: > // > @@ -384,8 +390,7 @@ TlsSetSessionId ( > return EFI_UNSUPPORTED; > } >=20 > - Session->session_id_length =3D SessionIdLen; > - CopyMem (Session->session_id, SessionId, Session->session_id_length); > + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, > SessionIdLen); >=20 > return EFI_SUCCESS; > } 
> @@ -847,7 +852,7 @@ TlsGetClientRandom ( > return; > } >=20 > - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, > SSL3_RANDOM_SIZE); > + SSL_get_client_random (TlsConn->Ssl, ClientRandom, > SSL3_RANDOM_SIZE); > } >=20 > /** > @@ -876,7 +881,7 @@ TlsGetServerRandom ( > return; > } >=20 > - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, > SSL3_RANDOM_SIZE); > + SSL_get_server_random (TlsConn->Ssl, ServerRandom, > SSL3_RANDOM_SIZE); > } >=20 > /** > @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( > return EFI_UNSUPPORTED; > } >=20 > - CopyMem (KeyMaterial, Session->master_key, Session- > >master_key_length); > + SSL_SESSION_get_master_key (Session, KeyMaterial, > SSL3_MASTER_SECRET_SIZE); >=20 > return EFI_SUCCESS; > } > diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c > b/CryptoPkg/Library/TlsLib/TlsInit.c > index 6b1fd93ea9..f32148ac9a 100644 > --- a/CryptoPkg/Library/TlsLib/TlsInit.c > +++ b/CryptoPkg/Library/TlsLib/TlsInit.c > @@ -1,7 +1,7 @@ > /** @file > SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. >=20 > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the BS= D > License > @@ -33,14 +33,10 @@ TlsInitialize ( > // Performs initialization of crypto and ssl library, and loads requir= ed > // algorithms. > // > - SSL_library_init (); > - > - // > - // Loads error strings from both crypto and ssl library. > - // > - SSL_load_error_strings (); > - > - /// OpenSSL_add_all_algorithms(); > + OPENSSL_init_ssl ( > + OPENSSL_INIT_LOAD_SSL_STRINGS | > OPENSSL_INIT_LOAD_CRYPTO_STRINGS, > + NULL > + ); >=20 > // > // Initialize the pseudorandom number generator. > @@ -103,34 +99,10 @@ TlsCtxNew ( > SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3); >=20 > // > - // Treat as minimum accepted versions. Client can use higher > - // TLS version if server supports it > - // > - switch (ProtoVersion) { > - case TLS1_VERSION: > - // > - // TLS 1.0 > - // > - break; > - case TLS1_1_VERSION: > - // > - // TLS 1.1 > - // > - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); > - break; > - case TLS1_2_VERSION: > - // > - // TLS 1.2 > - // > - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); > - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1); > - break; > - default: > - // > - // Unsupported TLS/SSL Protocol Version. > - // > - break; > - } > + // Treat as minimum accepted versions by setting the minimal bound. > + // Client can use higher TLS version if server supports it > + // > + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion); >=20 > return (VOID *) TlsCtx; > } > @@ -220,6 +192,11 @@ TlsNew ( > } >=20 > // > + // This retains compatibility with previous version of OpenSSL. > + // > + SSL_set_security_level (TlsConn->Ssl, 0); > + > + // > // Initialize the created SSL Object > // > SSL_set_info_callback (TlsConn->Ssl, NULL); > -- > 2.11.1.windows.1
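Review bot: In the InternalTlsLib.h hunk (@@ -15,6 +15,9 @@), the two new lines `#undef _WIN32` / `#undef _WIN64` carry no comment saying why they are needed, which is exactly the kind of line a later cleanup removes; add a comment stating which OpenSSL header behaviour they are steering around.

Review bot: In the TlsSetVersion hunk of TlsConfig.c, every `SSL_set_min_proto_version` / `SSL_set_max_proto_version` call discards its return value; the call returns 0 when OpenSSL rejects the version (for instance a protocol compiled out of the library), so the function would continue as if it had pinned the version while the SSL object keeps its previous bounds. Check the return and fail the call. Also, the new comment says "Bound TLS method to the particular specified version"; "Bind" is the intended verb.

Review bot: In the TlsSetSessionId hunk, `SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);` returns 0 when the id exceeds OpenSSL's maximum session id length, yet the function still returns EFI_SUCCESS. Replacing the direct struct write is the right move, but the error the new API reports should be propagated (for example, return EFI_INVALID_PARAMETER when the call returns 0).

Review bot: In the TlsGetKeyMaterial hunk, the copy length changes from the session's recorded `master_key_length` to the fixed `SSL3_MASTER_SECRET_SIZE`, and the byte count returned by `SSL_SESSION_get_master_key` is dropped. Confirm that the KeyMaterial buffer this function documents is at least SSL3_MASTER_SECRET_SIZE bytes, and consider returning an error when the returned count is 0, so a session without a master key does not hand the caller an untouched buffer as if it held the secret.

Review bot: In the TlsInitialize hunk of TlsInit.c, the result of `OPENSSL_init_ssl` is ignored. The removed `SSL_library_init` could not fail, but OPENSSL_init_ssl returns 0 on failure, so initialization can now fail silently and execution falls through to the PRNG setup; propagate the result to the caller.

Review bot: In the TlsCtxNew hunk, the removed switch quietly ignored an unknown ProtoVersion, and the replacement `SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);` keeps that behaviour: an unsupported value makes the call return 0 and leaves the context at the library's default floor, and a ProtoVersion of 0 means "no minimum" to OpenSSL. Check the return value and reject versions the wrapper does not support instead of creating a context whose floor differs from what the caller asked for.

Review bot: In the TlsNew hunk, `SSL_set_security_level (TlsConn->Ssl, 0);` drops the connection to security level 0, where OpenSSL 1.1.0 permits every cipher suite and key size it was built with, including what the default level 1 refuses (anything below 80 bits of security: export-grade suites, MD5-based MACs, RSA/DSA/DH keys shorter than 1024 bits). The comment only says it "retains compatibility with previous version of OpenSSL"; the commit message should state which caller or peer needs this and whether the cipher-list configuration elsewhere in TlsConfig.c already excludes those suites, since otherwise the one check 1.1.0 added is switched off for every consumer of the wrapper.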