From: "Li, Yi" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>
Subject: [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server
Date: Tue, 4 Apr 2023 17:54:30 +0800 [thread overview]
Message-ID: <9afb573183eff52468b511160d3fa6bc6b525a7a.1680601312.git.yi1.li@intel.com> (raw)
In-Reply-To: <cover.1680601312.git.yi1.li@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 6 +-
.../Library/OpensslLib/OpensslLibFull.inf | 6 +-
CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++
.../Library/OpensslLib/SslStatServNull.c | 219 ++++++++++++
4 files changed, 556 insertions(+), 4 deletions(-)
create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c
create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 8641cd2521..048d804292 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -700,12 +700,12 @@
$(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
$(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
$(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
- $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
$(OPENSSL_PATH)/ssl/statem/statem_lib.c
$(OPENSSL_PATH)/ssl/statem/statem_dtls.c
$(OPENSSL_PATH)/ssl/statem/statem_clnt.c
$(OPENSSL_PATH)/ssl/statem/statem.c
- $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
$(OPENSSL_PATH)/ssl/statem/extensions_cust.c
$(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
$(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -757,6 +757,8 @@
ossl_store.c
rand_pool.c
# SslNull.c
+ SslStatServNull.c
+ SslExtServNull.c
EcSm2Null.c
DhNull.c
EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
index 8cea86e6f0..7ad3c3fb85 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
@@ -705,12 +705,12 @@
$(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
$(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
$(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
- $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
$(OPENSSL_PATH)/ssl/statem/statem_lib.c
$(OPENSSL_PATH)/ssl/statem/statem_dtls.c
$(OPENSSL_PATH)/ssl/statem/statem_clnt.c
$(OPENSSL_PATH)/ssl/statem/statem.c
- $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
$(OPENSSL_PATH)/ssl/statem/extensions_cust.c
$(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
$(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -824,6 +824,8 @@
ossl_store.c
rand_pool.c
# SslNull.c
+ SslStatServNull.c
+ SslExtServNull.c
# EcSm2Null.c
DhNull.c
EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
new file mode 100644
index 0000000000..c256f17667
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/ocsp.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/cryptlib.h"
+
+#define COOKIE_STATE_FORMAT_VERSION 1
+
+/*
+ * Parse the client's renegotiation binding and abort if it's not right
+ */
+int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return -1;
+}
+
+/*-
+ * The servername extension is treated as follows:
+ *
+ * - Only the hostname type is supported with a maximum length of 255.
+ * - The servername is rejected if too long or if it contains zeros,
+ * in which case an fatal alert is generated.
+ * - The servername field is maintained together with the session cache.
+ * - When a session is resumed, the servername call back invoked in order
+ * to allow the application to position itself to the right context.
+ * - The servername is acknowledged if it is new for a session or when
+ * it is identical to a previously used for the same session.
+ * Applications can control the behaviour. They can at any time
+ * set a 'desirable' servername for a new SSL object. This can be the
+ * case for example with HTTPS when a Host: header field is received and
+ * a renegotiation is requested. In this case, a possible servername
+ * presented in the new client hello is only acknowledged if it matches
+ * the value of the Host: field.
+ * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ * if they provide for changing an explicit servername context for the
+ * session, i.e. when the session has been established with a servername
+ * extension.
+ * - On session reconnect, the servername extension may be absent.
+ */
+int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_SRP
+int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
+ ossl_unused unsigned int context,
+ ossl_unused X509 *x,
+ ossl_unused size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_OCSP
+int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+/*
+ * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
+ * extension, not including type and length. Returns: 1 on success, 0 on error.
+ */
+int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_SRTP
+int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Process a key_share extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+
+int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
+ SSL_SESSION **sess)
+{
+ return SSL_TICKET_NO_DECRYPT;
+}
+
+int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+ ossl_unused unsigned int context,
+ ossl_unused X509 *x,
+ ossl_unused size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Add the server's renegotiation binding
+ */
+EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+/* Add/include the server's max fragment len extension into ServerHello */
+EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_OCSP
+EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_SRTP
+EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
diff --git a/CryptoPkg/Library/OpensslLib/SslStatServNull.c b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
new file mode 100644
index 0000000000..bb05ca772f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/constant_time.h"
+#include "internal/cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/dh.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/md5.h>
+#include <openssl/trace.h>
+#include <openssl/core_names.h>
+#include <openssl/asn1t.h>
+
+#define TICKET_NONCE_SIZE 8
+
+typedef struct {
+ ASN1_TYPE *kxBlob;
+ ASN1_TYPE *opaqueBlob;
+} GOST_KX_MESSAGE;
+
+int ossl_statem_server_read_transition(SSL *s, int mt)
+{
+ return 0;
+}
+
+/*
+ * Should we send a CertificateRequest message?
+ *
+ * Valid return values are:
+ * 1: Yes
+ * 0: No
+ */
+int send_certificate_request(SSL *s)
+{
+ return 0;
+}
+
+/*
+ * ossl_statem_server_write_transition() works out what handshake state to move
+ * to next when the server is writing messages to be sent to the client.
+ */
+WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
+{
+ return WRITE_TRAN_ERROR;
+}
+
+WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+/*
+ * Perform any work that needs to be done after sending a message from the
+ * server to the client.
+ */
+WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+/*
+ * Get the message construction function and message type for sending from the
+ * server
+ *
+ * Valid return values are:
+ * 1: Success
+ * 0: Error
+ */
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
+ confunc_f *confunc, int *mt)
+{
+ return 0;
+}
+
+/*
+ * Returns the maximum allowed length for the current message that we are
+ * reading. Excludes the message header.
+ */
+size_t ossl_statem_server_max_message_size(SSL *s)
+{
+ return 0;
+}
+
+/*
+ * Process a message that the server has received from the client.
+ */
+MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Perform any further processing required following the receipt of a message
+ * from the client
+ */
+WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
+ size_t cookie_len)
+{
+ return 0;
+}
+
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Call the alpn_select callback if needed. Upon success, returns 1.
+ * Upon failure, returns 0.
+ */
+int tls_handle_alpn(SSL *s)
+{
+ return 0;
+}
+
+WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+/*
+ * In TLSv1.3 this is called from the extensions code, otherwise it is used to
+ * create a separate message. Returns 1 on success or 0 on failure.
+ */
+int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+/*
+ * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
+ * It sets the next_proto member in s if found
+ */
+MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+#endif
+
+MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
--
2.31.1.windows.1
next prev parent reply other threads:[~2023-04-04 9:54 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
2023-04-04 9:54 ` Li, Yi [this message]
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step Li, Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9afb573183eff52468b511160d3fa6bc6b525a7a.1680601312.git.yi1.li@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox