From: "Li, Yi" To: devel@edk2.groups.io Cc: Yi Li Subject: [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server Date: Tue, 4 Apr 2023 17:54:30 +0800 Message-Id: <9afb573183eff52468b511160d3fa6bc6b525a7a.1680601312.git.yi1.li@intel.com> X-Mailer: git-send-email 2.31.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Signed-off-by: Yi Li --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 6 +- .../Library/OpensslLib/OpensslLibFull.inf | 6 +- CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++ .../Library/OpensslLib/SslStatServNull.c | 219 ++++++++++++ 4 files changed, 556 insertions(+), 4 deletions(-) create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index 8641cd2521..048d804292 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -700,12 +700,12 @@ $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h - $(OPENSSL_PATH)/ssl/statem/statem_srvr.c + # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c $(OPENSSL_PATH)/ssl/statem/statem_lib.c $(OPENSSL_PATH)/ssl/statem/statem_dtls.c $(OPENSSL_PATH)/ssl/statem/statem_clnt.c $(OPENSSL_PATH)/ssl/statem/statem.c - $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c + # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c $(OPENSSL_PATH)/ssl/statem/extensions_cust.c $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c $(OPENSSL_PATH)/ssl/statem/extensions.c @@ -757,6 +757,8 @@ ossl_store.c rand_pool.c # SslNull.c + SslStatServNull.c + SslExtServNull.c EcSm2Null.c DhNull.c EncoderNull.c 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf index 8cea86e6f0..7ad3c3fb85 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf @@ -705,12 +705,12 @@ $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h - $(OPENSSL_PATH)/ssl/statem/statem_srvr.c + # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c $(OPENSSL_PATH)/ssl/statem/statem_lib.c $(OPENSSL_PATH)/ssl/statem/statem_dtls.c $(OPENSSL_PATH)/ssl/statem/statem_clnt.c $(OPENSSL_PATH)/ssl/statem/statem.c - $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c + # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c $(OPENSSL_PATH)/ssl/statem/extensions_cust.c $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c $(OPENSSL_PATH)/ssl/statem/extensions.c @@ -824,6 +824,8 @@ ossl_store.c rand_pool.c # SslNull.c + SslStatServNull.c + SslExtServNull.c # EcSm2Null.c DhNull.c EncoderNull.c diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c new file mode 100644 index 0000000000..c256f17667 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c 
@@ -0,0 +1,329 @@ +/* + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "../ssl_local.h" +#include "statem_local.h" +#include "internal/cryptlib.h" + +#define COOKIE_STATE_FORMAT_VERSION 1 + +/* + * Parse the client's renegotiation binding and abort if it's not right + */ +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return -1; +} + +/*- + * The servername extension is treated as follows: + * + * - Only the hostname type is supported with a maximum length of 255. + * - The servername is rejected if too long or if it contains zeros, + * in which case an fatal alert is generated. + * - The servername field is maintained together with the session cache. + * - When a session is resumed, the servername call back invoked in order + * to allow the application to position itself to the right context. + * - The servername is acknowledged if it is new for a session or when + * it is identical to a previously used for the same session. + * Applications can control the behaviour. They can at any time + * set a 'desirable' servername for a new SSL object. This can be the + * case for example with HTTPS when a Host: header field is received and + * a renegotiation is requested. In this case, a possible servername + * presented in the new client hello is only acknowledged if it matches + * the value of the Host: field. + * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + * if they provide for changing an explicit servername context for the + * session, i.e. when the session has been established with a servername + * extension. 
+ * - On session reconnect, the servername extension may be absent. + */ +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_SRP +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, + ossl_unused unsigned int context, + ossl_unused X509 *x, + ossl_unused size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_OCSP +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +/* + * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN + * extension, not including type and length. Returns: 1 on success, 0 on error. + */ +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_SRTP +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +/* + * Process a psk_kex_modes extension received in the ClientHello. 
|pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +/* + * Process a key_share extension received in the ClientHello. |pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + + +int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick, + SSL_SESSION **sess) +{ + return SSL_TICKET_NO_DECRYPT; +} + +int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, + ossl_unused unsigned int context, + ossl_unused X509 *x, + ossl_unused size_t chainidx) +{ + return 0; +} + +/* + * Add the server's renegotiation binding + */ +EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +/* Add/include the server's max fragment len extension into ServerHello */ +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; 
+} + +EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, + unsigned int context, 
X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} diff --git a/CryptoPkg/Library/OpensslLib/SslStatServNull.c b/CryptoPkg/Library/OpensslLib/SslStatServNull.c new file mode 100644 index 0000000000..bb05ca772f --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/SslStatServNull.c 
@@ -0,0 +1,219 @@ +/* + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "../ssl_local.h" +#include "statem_local.h" +#include "internal/constant_time.h" +#include "internal/cryptlib.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define TICKET_NONCE_SIZE 8 + +typedef struct { + ASN1_TYPE *kxBlob; + ASN1_TYPE *opaqueBlob; +} GOST_KX_MESSAGE; + +int ossl_statem_server_read_transition(SSL *s, int mt) +{ + return 0; +} + +/* + * Should we send a CertificateRequest message? + * + * Valid return values are: + * 1: Yes + * 0: No + */ +int send_certificate_request(SSL *s) +{ + return 0; +} + +/* + * ossl_statem_server_write_transition() works out what handshake state to move + * to next when the server is writing messages to be sent to the client. + */ +WRITE_TRAN ossl_statem_server_write_transition(SSL *s) +{ + return WRITE_TRAN_ERROR; +} + +WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} +/* + * Perform any work that needs to be done after sending a message from the + * server to the client. 
+ */ +WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +/* + * Get the message construction function and message type for sending from the + * server + * + * Valid return values are: + * 1: Success + * 0: Error + */ +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt) +{ + return 0; +} + +/* + * Returns the maximum allowed length for the current message that we are + * reading. Excludes the message header. + */ +size_t ossl_statem_server_max_message_size(SSL *s) +{ + return 0; +} + +/* + * Process a message that the server has received from the client. + */ +MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +/* + * Perform any further processing required following the receipt of a message + * from the client + */ +WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, + size_t cookie_len) +{ + return 0; +} + +int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) +{ + return 0; +} + +MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +/* + * Call the alpn_select callback if needed. Upon success, returns 1. + * Upon failure, returns 0. 
+ */ +int tls_handle_alpn(SSL *s) +{ + return 0; +} + +WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +int tls_construct_server_hello(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_server_done(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_certificate_request(SSL *s, WPACKET *pkt) +{ + return 0; +} + +MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +int tls_construct_server_certificate(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) +{ + return 0; +} + +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * create a separate message. Returns 1 on success or 0 on failure. + */ +int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_cert_status(SSL *s, WPACKET *pkt) +{ + return 0; +} + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* + * tls_process_next_proto reads a Next Protocol Negotiation handshake message. + * It sets the next_proto member in s if found + */ +MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} +#endif + +MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} -- 2.31.1.windows.1
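Review bot: the `$(OPENSSL_PATH)/ssl/statem/statem_srvr.c` and `$(OPENSSL_PATH)/ssl/statem/extensions_srvr.c` entries commented out in the OpensslLib.inf hunk at `@@ -700,12 +700,12 @@` (and identically in OpensslLibFull.inf at `@@ -705,12 +705,12 @@`) sit inside the `$(OPENSSL_PATH)/...` source list; if that list is produced by the package's generator script, the hand edit is silently reverted on the next regeneration and the real `statem_srvr.c` is linked again beside the new stubs, giving duplicate symbols. If the list is generated, put the exclusion in the generator instead. Either way the commit message needs a body: it currently has none, the subject only says "disabled ssl server", and a reader should be told why the server side is dropped (code size, attack surface, or both) and that server-side handshakes are no longer supported by these two library instances.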
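Review bot: `tls_parse_ctos_renegotiate` is the only stub in the SslExtServNull.c hunk that returns `-1`; every other `tls_parse_ctos_*` stub returns `0`, and the extension-parsing code treats these results as 0/1, so the `-1` reads as an accident and should be `return 0;` for consistency. Also, `tls_get_stateful_ticket` is declared `static` and never referenced anywhere in this file, which produces an unused-function warning under `-Wall` and breaks the build where warnings are treated as errors; drop it, since it only existed as a helper for the now-removed body of `tls_parse_ctos_psk`. `COOKIE_STATE_FORMAT_VERSION` is likewise unused in this file and can go.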
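Review bot: the stubs in the SslStatServNull.c hunk return `WRITE_TRAN_ERROR`, `WORK_ERROR` and `MSG_PROCESS_ERROR` without raising a fatal alert first; the state machine's error path expects the failing function to have called `SSLfatal()` already, so a consumer that accidentally drives a server-side handshake with this library will see a generic internal error instead of a clear "server mode not built" reason. Suggest having each stub (or one shared helper they all call) raise `SSLfatal(s, SSL_AD_INTERNAL_ERROR, <reason>)` with a reason that names the missing server support, so the failure is diagnosable from the OpenSSL error queue. The `GOST_KX_MESSAGE` typedef and the `TICKET_NONCE_SIZE` macro are dead carry-overs from `statem_srvr.c` and can be removed, and the long `#include` list can be trimmed to what the stubs actually need.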