From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.115; helo=mga14.intel.com; envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 83B11225FA042 for ; Mon, 9 Apr 2018 21:09:09 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Apr 2018 21:09:09 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,430,1517904000"; d="scan'208";a="42077843" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by orsmga003.jf.intel.com with ESMTP; 09 Apr 2018 21:09:08 -0700 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 9 Apr 2018 21:09:08 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.151]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.43]) with mapi id 14.03.0319.002; Tue, 10 Apr 2018 12:09:06 +0800 From: "Wu, Jiaxin" To: Laszlo Ersek , edk2-devel-01 CC: Ard Biesheuvel , Gary Ching-Pang Lin , "Justen, Jordan L" , "Gao, Liming" , "Kinney, Michael D" , "Long, Qin" , "Fu, Siyuan" , "Ye, Ting" Thread-Topic: [PATCH 00/13] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for setting HTTPS cipher suites Thread-Index: AQHTy1tWp/B4MKqsgECyptJc3e1pFqP5ayFg Date: Tue, 10 Apr 2018 04:09:06 +0000 Message-ID: <895558F6EA4E3B41AC93A00D163B7274163B458F@SHSMSX103.ccr.corp.intel.com> References: <20180403145149.8925-1-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNDFlMjYwZDktY2ZhMi00MTQ2LTg1NDAtYWVkN2M5YTIxOTJmIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE2LjUuOS4zIiwiVHJ1c3RlZExhYmVsSGFzaCI6IjB2NU9Va2RQanJjZW10TnFGRUpLeXU0TkVQNUZZVWNZaXIrM1RsU3Byb0E9In0= x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.0.116 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Apr 2018 04:09:09 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Laszlo=20 Appreciate your contribution. I have reviewed the series patches you attach= ed here. First, I assume you have verified the patches on OVMF and the func= tionality works well, then, below are my comments: =20 1. The patches for OvmfPkg/NetworkPkg (0001-0004) are good to me. 2. For CryptoPkg, the major viewpoint is also related to the TlsCipherMappi= ngTable. For this table, only include the supported ciphersuites looks more= reasonable. After talked with Qin, I know the unsupported cipher suites wo= n't be rejected/filtrated by the OpenSSL cipher list setting, if so, the ci= pher suite list that passed from the client to the server in the ClientHell= o message might also include such unsupported cipher suites. In such a case= , the failure will happen once the server select the unsupported cipher sui= te. From the handshake process view, it's unreasonable since the client sen= t the desired cipher suites, then the server selected one of them but still= met the error. Anyway, filtrating the unsupported cipher suites as early a= s possible is a wise choice. So, TlsCipherMappingTable should only include = the supported cipher suites by reference the security requirement of Crypto= Pkg.=20 3. For patch 0006, it's good to me to optimize the searching algorithm sinc= e the table is larger than before. 4. Can we combined some patches together to make the things simple? e.g. Pa= tches 0005/0007/0010/0011/0012/0013. Those patches are the same purpose to = fix the issues in 0013. 5. For patch 0008, I think it's unnecessary to provide such script. I prefe= r to maintain the TlsCipherMappingTable more statical since it's the intern= al mapping table. How about we keep it as internal assistant tool? 6. For patch 0009 to extend the TlsCipherMappingTable, I think Qin can help= us to provide the supported cipher suites by reference the security requir= ement of CryptoPkg. Thanks, Jiaxin > -----Original Message----- > From: Laszlo Ersek [mailto:lersek@redhat.com] > Sent: Tuesday, April 3, 2018 10:52 PM > To: edk2-devel-01 > Cc: Ard Biesheuvel ; Gary Ching-Pang Lin > ; Wu, Jiaxin ; Justen, Jordan L > ; Gao, Liming ; Kinney, > Michael D ; Long, Qin ; > Fu, Siyuan ; Ye, Ting > Subject: [PATCH 00/13] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for > setting HTTPS cipher suites >=20 > Repo: https://github.com/lersek/edk2.git > Branch: tls_ciphers >=20 > Earlier I posted two patch sets for better platform control of the CA > certificates used in HTTPS booting (and for putting that control to use > in OVMF): >=20 > [edk2] [PATCH 0/5] NetworkPkg: HTTP and TLS updates >=20 > [edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list > for HTTPS boot >=20 > These series have been committed; thank you everyone that helped with > review and testing. >=20 > My next goal is better platform control of the TLS cipher suites that > are used in HTTPS booting (and similarly, putting that control to use in > OVMF). That's what this series is about. >=20 > You'll see references to TianoCore BZ#915 in the commit messages. The BZ > is not public just yet, because I originally thought that I found > security issues. It turns out that's not the case, so the BZ should be > opened up soon. Either way, the commit messages contain enough > information about the code changes. >=20 > I'm aware some of my reviewers are currently traveling for business -- > please take your time and feel free to review the patches whenever it > best suits you. >=20 > Cc: Ard Biesheuvel > Cc: Gary Ching-Pang Lin > Cc: Jiaxin Wu > Cc: Jordan Justen > Cc: Liming Gao > Cc: Michael D Kinney > Cc: Qin Long > Cc: Siyuan Fu > Cc: Ting Ye >=20 > Thanks! > Laszlo >=20 > Laszlo Ersek (13): > OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS > boot > MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC > NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList > NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList > CryptoPkg/TlsLib: replace TlsGetCipherString() with > TlsGetCipherMapping() > CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() > function > CryptoPkg/TlsLib: pre-compute OpensslCipherLength in > TlsCipherMappingTable > CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script > CryptoPkg/TlsLib: extend "TlsCipherMappingTable" > CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file > CryptoPkg/TlsLib: sanitize lib classes in internal header and INF > CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList() > CryptoPkg/TlsLib: rewrite TlsSetCipherList() >=20 > CryptoPkg/Include/Library/TlsLib.h | 9 +- > CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 + > CryptoPkg/Library/TlsLib/TlsConfig.c | 448 ++++++++++++= +++++--- > CryptoPkg/Library/TlsLib/TlsLib.inf | 11 +- > CryptoPkg/Library/TlsLib/TlsMappingTable.sh | 140 ++++++ > MdePkg/Include/Protocol/Tls.h | 10 + > NetworkPkg/TlsDxe/TlsProtocol.c | 17 +- > OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 +++++ > OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +- > 9 files changed, 664 insertions(+), 76 deletions(-) > create mode 100644 CryptoPkg/Library/TlsLib/TlsMappingTable.sh >=20 > -- > 2.14.1.3.gb7cf6e02401b