public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Li, Yi" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>
Subject: [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server
Date: Tue,  4 Apr 2023 17:54:30 +0800	[thread overview]
Message-ID: <9afb573183eff52468b511160d3fa6bc6b525a7a.1680601312.git.yi1.li@intel.com> (raw)
In-Reply-To: <cover.1680601312.git.yi1.li@intel.com>

Signed-off-by: Yi Li <yi1.li@intel.com>
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   6 +-
 .../Library/OpensslLib/OpensslLibFull.inf     |   6 +-
 CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++
 .../Library/OpensslLib/SslStatServNull.c      | 219 ++++++++++++
 4 files changed, 556 insertions(+), 4 deletions(-)
 create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c
 create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 8641cd2521..048d804292 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -700,12 +700,12 @@
   $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
   $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
   $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
-  $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+  # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
   $(OPENSSL_PATH)/ssl/statem/statem_lib.c
   $(OPENSSL_PATH)/ssl/statem/statem_dtls.c
   $(OPENSSL_PATH)/ssl/statem/statem_clnt.c
   $(OPENSSL_PATH)/ssl/statem/statem.c
-  $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+  # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
   $(OPENSSL_PATH)/ssl/statem/extensions_cust.c
   $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
   $(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -757,6 +757,8 @@
   ossl_store.c
   rand_pool.c
 #  SslNull.c
+  SslStatServNull.c
+  SslExtServNull.c
   EcSm2Null.c
   DhNull.c
   EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
index 8cea86e6f0..7ad3c3fb85 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
@@ -705,12 +705,12 @@
   $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
   $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
   $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
-  $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+  # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
   $(OPENSSL_PATH)/ssl/statem/statem_lib.c
   $(OPENSSL_PATH)/ssl/statem/statem_dtls.c
   $(OPENSSL_PATH)/ssl/statem/statem_clnt.c
   $(OPENSSL_PATH)/ssl/statem/statem.c
-  $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+  # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
   $(OPENSSL_PATH)/ssl/statem/extensions_cust.c
   $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
   $(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -824,6 +824,8 @@
   ossl_store.c
   rand_pool.c
 #  SslNull.c
+  SslStatServNull.c
+  SslExtServNull.c
 #  EcSm2Null.c
   DhNull.c
   EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
new file mode 100644
index 0000000000..c256f17667
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/ocsp.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/cryptlib.h"
+
+#define COOKIE_STATE_FORMAT_VERSION     1
+
+/*
+ * Parse the client's renegotiation binding and abort if it's not right
+ */
+int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
+                               X509 *x, size_t chainidx)
+{
+    return -1;
+}
+
+/*-
+ * The servername extension is treated as follows:
+ *
+ * - Only the hostname type is supported with a maximum length of 255.
+ * - The servername is rejected if too long or if it contains zeros,
+ *   in which case an fatal alert is generated.
+ * - The servername field is maintained together with the session cache.
+ * - When a session is resumed, the servername call back invoked in order
+ *   to allow the application to position itself to the right context.
+ * - The servername is acknowledged if it is new for a session or when
+ *   it is identical to a previously used for the same session.
+ *   Applications can control the behaviour.  They can at any time
+ *   set a 'desirable' servername for a new SSL object. This can be the
+ *   case for example with HTTPS when a Host: header field is received and
+ *   a renegotiation is requested. In this case, a possible servername
+ *   presented in the new client hello is only acknowledged if it matches
+ *   the value of the Host: field.
+ * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ *   if they provide for changing an explicit servername context for the
+ *   session, i.e. when the session has been established with a servername
+ *   extension.
+ * - On session reconnect, the servername extension may be absent.
+ */
+int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
+                               X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+#ifndef OPENSSL_NO_SRP
+int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx)
+{
+    return 0;
+}
+#endif
+
+int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
+                                 X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
+                                 ossl_unused unsigned int context,
+                                 ossl_unused X509 *x,
+                                 ossl_unused size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                            size_t chainidx)
+{
+    return 0;
+}
+
+#ifndef OPENSSL_NO_OCSP
+int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return 0;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx)
+{
+    return 0;
+}
+#endif
+
+/*
+ * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
+ * extension, not including type and length. Returns: 1 on success, 0 on error.
+ */
+int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                        size_t chainidx)
+{
+    return 0;
+}
+
+#ifndef OPENSSL_NO_SRTP
+int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                            size_t chainidx)
+{
+    return 0;
+}
+#endif
+
+int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx)
+{
+    return 0;
+}
+
+/*
+ * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
+                                 X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+/*
+ * Process a key_share extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                             size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                          size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
+                                    X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx)
+{
+    return 0;
+}
+
+
+int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
+                              X509 *x, size_t chainidx)
+{
+    return 0;
+}
+
+static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
+                                                 SSL_SESSION **sess)
+{
+    return SSL_TICKET_NO_DECRYPT;
+}
+
+int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx)
+{
+    return 0;
+}
+
+int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+                                       ossl_unused unsigned int context,
+                                       ossl_unused X509 *x,
+                                       ossl_unused size_t chainidx)
+{
+    return 0;
+}
+
+/*
+ * Add the server's renegotiation binding
+ */
+EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
+                                          unsigned int context, X509 *x,
+                                          size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
+                                          unsigned int context, X509 *x,
+                                          size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+/* Add/include the server's max fragment len extension into ServerHello */
+EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
+                                             unsigned int context, X509 *x,
+                                             size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+                                               unsigned int context, X509 *x,
+                                               size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+                                             unsigned int context, X509 *x,
+                                             size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_OCSP
+EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+                                             unsigned int context, X509 *x,
+                                             size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+                                             unsigned int context, X509 *x,
+                                             size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_SRTP
+EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
+                                       unsigned int context, X509 *x,
+                                       size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
+                                                 unsigned int context, X509 *x,
+                                                 size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
+                                        unsigned int context, X509 *x,
+                                        size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
+                                     X509 *x, size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+                                         unsigned int context, X509 *x,
+                                         size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx)
+{
+    return EXT_RETURN_FAIL;
+}
diff --git a/CryptoPkg/Library/OpensslLib/SslStatServNull.c b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
new file mode 100644
index 0000000000..bb05ca772f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/constant_time.h"
+#include "internal/cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/dh.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/md5.h>
+#include <openssl/trace.h>
+#include <openssl/core_names.h>
+#include <openssl/asn1t.h>
+
+#define TICKET_NONCE_SIZE       8
+
+typedef struct {
+  ASN1_TYPE *kxBlob;
+  ASN1_TYPE *opaqueBlob;
+} GOST_KX_MESSAGE;
+
+int ossl_statem_server_read_transition(SSL *s, int mt)
+{
+    return 0;
+}
+
+/*
+ * Should we send a CertificateRequest message?
+ *
+ * Valid return values are:
+ *   1: Yes
+ *   0: No
+ */
+int send_certificate_request(SSL *s)
+{
+    return 0;
+}
+
+/*
+ * ossl_statem_server_write_transition() works out what handshake state to move
+ * to next when the server is writing messages to be sent to the client.
+ */
+WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
+{
+    return WRITE_TRAN_ERROR;
+}
+
+WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
+{
+    return WORK_ERROR;
+}
+/*
+ * Perform any work that needs to be done after sending a message from the
+ * server to the client.
+ */
+WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
+{
+    return WORK_ERROR;
+}
+
+/*
+ * Get the message construction function and message type for sending from the
+ * server
+ *
+ * Valid return values are:
+ *   1: Success
+ *   0: Error
+ */
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
+                                         confunc_f *confunc, int *mt)
+{
+    return 0;
+}
+
+/*
+ * Returns the maximum allowed length for the current message that we are
+ * reading. Excludes the message header.
+ */
+size_t ossl_statem_server_max_message_size(SSL *s)
+{
+    return 0;
+}
+
+/*
+ * Process a message that the server has received from the client.
+ */
+MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Perform any further processing required following the receipt of a message
+ * from the client
+ */
+WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
+{
+    return WORK_ERROR;
+}
+
+int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
+                                  size_t cookie_len)
+{
+    return 0;
+}
+
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Call the alpn_select callback if needed. Upon success, returns 1.
+ * Upon failure, returns 0.
+ */
+int tls_handle_alpn(SSL *s)
+{
+    return 0;
+}
+
+WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
+{
+    return WORK_ERROR;
+}
+
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
+
+WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
+{
+    return WORK_ERROR;
+}
+
+MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
+
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+/*
+ * In TLSv1.3 this is called from the extensions code, otherwise it is used to
+ * create a separate message. Returns 1 on success or 0 on failure.
+ */
+int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
+{
+    return 0;
+}
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+/*
+ * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
+ * It sets the next_proto member in s if found
+ */
+MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
+#endif
+
+MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
+{
+    return MSG_PROCESS_ERROR;
+}
-- 
2.31.1.windows.1


  reply	other threads:[~2023-04-04  9:54 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-04  9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
2023-04-04  9:54 ` Li, Yi [this message]
2023-04-04  9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov Li, Yi
2023-04-04  9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update Li, Yi
2023-04-04  9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step Li, Yi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9afb573183eff52468b511160d3fa6bc6b525a7a.1680601312.git.yi1.li@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox