From: "Long, Qin"
To: "Palmer, Thomas", "edk2-devel@lists.01.org"
CC: "ard.biesheuvel@linaro.org", "Ye, Ting", "ronald.cron@arm.com", "Wu, Jiaxin", "glin@suse.com", "lersek@redhat.com"
Date: Wed, 22 Mar 2017 01:32:05 +0000
Subject: Re: [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
References: <20170321155612.1192-1-qin.long@intel.com> <20170321155612.1192-10-qin.long@intel.com>

Thomas,

Thanks for the comments. I will check this with Jiaxin, and make the possible updates in V2.

Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Wednesday, March 22, 2017 1:43 AM
> To: Long, Qin; edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com; lersek@redhat.com
> Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
>
> Qin,
>
> Please update TlsSetVersion to use SSL_CTX_set_min_proto_version and
> SSL_CTX_set_max_proto_version in the switch statement. We do not want
> auto-negotiate but only to restrict to a particular version.
>
> Also, let's update TlsCtxNew to use only SSL_CTX_set_min_proto_version.
> TlsCtxNew will auto-negotiate, but the version provided will put in a lower
> floor to what is allowed.
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to
> make it shorter" - Blaise Pascal
>
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Qin Long
> Sent: Tuesday, March 21, 2017 10:56 AM
> To: edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; ting.ye@intel.com; ronald.cron@arm.com; jiaxin.wu@intel.com; glin@suse.com; lersek@redhat.com
> Subject: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
>
> This patch updates the wrapper implementation in TlsLib to align with the
> latest OpenSSL-1.1.0xx API changes.
>
> Cc: Jiaxin Wu
> Cc: Ting Ye
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Gary Lin
> Cc: Ronald Cron
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long
> ---
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h |  6 +++++-
>  CryptoPkg/Library/TlsLib/TlsConfig.c      | 21 +++++++++++++--------
>  CryptoPkg/Library/TlsLib/TlsInit.c        | 19 ++++++++++---------
>  3 files changed, 28 insertions(+), 18 deletions(-)
>
> diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > index e75146648d..f3a662afea 100644 > --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > @@ -1,7 +1,7 @@ > /** @file > Internal include file for TlsLib. >=20 > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > @@ -15,6 +15,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > #ifndef __INTERNAL_TLS_LIB_H__ > #define __INTERNAL_TLS_LIB_H__ >=20 > +#undef _WIN32 > +#undef _WIN64 > +#undef _MSC_VER > + > #include > #include > #include > diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c > b/CryptoPkg/Library/TlsLib/TlsConfig.c > index f103da4321..3586be3945 100644 > --- a/CryptoPkg/Library/TlsLib/TlsConfig.c > +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c > @@ -128,24 +128,30 @@ TlsSetVersion ( >=20 > ProtoVersion =3D (MajorVer << 8) | MinorVer; >=20 > + // > + // Using the general-purpose version-flexible SSL/TLS methods here. > + // The actual protocol version used in OpenSSL-1.1.xx will be > + negoriated // to the highest version mutually supported by the client = and > server. > + // Old TLSv1_x_method() was marked as deprecated. > + // > switch (ProtoVersion) { > case TLS1_VERSION: > // > // TLS 1.0 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > break; > case TLS1_1_VERSION: > // > // TLS 1.1 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > break; > case TLS1_2_VERSION: > // > // TLS 1.2 > // > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > break; > default: > // > @@ -384,8 +390,7 @@ TlsSetSessionId ( > return EFI_UNSUPPORTED; > } >=20 > - Session->session_id_length =3D SessionIdLen; > - CopyMem (Session->session_id, SessionId, Session->session_id_length); > + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, > + SessionIdLen); >=20 > return EFI_SUCCESS; > } 
> @@ -847,7 +852,7 @@ TlsGetClientRandom ( > return; > } >=20 > - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, > SSL3_RANDOM_SIZE); > + SSL_get_client_random (TlsConn->Ssl, ClientRandom, > SSL3_RANDOM_SIZE); > } >=20 > /** > @@ -876,7 +881,7 @@ TlsGetServerRandom ( > return; > } >=20 > - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, > SSL3_RANDOM_SIZE); > + SSL_get_server_random (TlsConn->Ssl, ServerRandom, > SSL3_RANDOM_SIZE); > } >=20 > /** > @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( > return EFI_UNSUPPORTED; > } >=20 > - CopyMem (KeyMaterial, Session->master_key, Session- > >master_key_length); > + SSL_SESSION_get_master_key (Session, KeyMaterial, > + SSL3_MASTER_SECRET_SIZE); >=20 > return EFI_SUCCESS; > } > diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c > b/CryptoPkg/Library/TlsLib/TlsInit.c > index 6b1fd93ea9..d7b8899ac2 100644 > --- a/CryptoPkg/Library/TlsLib/TlsInit.c > +++ b/CryptoPkg/Library/TlsLib/TlsInit.c > @@ -1,7 +1,7 @@ > /** @file > SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. >=20 > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
This > program and the accompanying materials are licensed and made available > under the terms and conditions of the BSD License @@ -33,14 +33,10 @@ > TlsInitialize ( > // Performs initialization of crypto and ssl library, and loads requir= ed > // algorithms. > // > - SSL_library_init (); > - > - // > - // Loads error strings from both crypto and ssl library. > - // > - SSL_load_error_strings (); > - > - /// OpenSSL_add_all_algorithms(); > + OPENSSL_init_ssl ( > + OPENSSL_INIT_LOAD_SSL_STRINGS | > OPENSSL_INIT_LOAD_CRYPTO_STRINGS, > + NULL > + ); >=20 > // > // Initialize the pseudorandom number generator. > @@ -220,6 +216,11 @@ TlsNew ( > } >=20 > // > + // This retains compatibility with previous version of OpenSSL. > + // > + SSL_set_security_level (TlsConn->Ssl, 0); > + > + // > // Initialize the created SSL Object > // > SSL_set_info_callback (TlsConn->Ssl, NULL); > -- > 2.11.1.windows.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
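Review bot: the three new #undef lines in the InternalTlsLib.h hunk (_WIN32, _WIN64, _MSC_VER) carry no comment saying why predefined compiler macros are being undefined ahead of the OpenSSL includes; add a one-line comment with the reason (presumably to keep the OpenSSL headers from selecting Windows-specific declarations when the UEFI build uses MSVC) so a later maintainer knows what would break if the undefs were removed.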
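Review bot: after the TlsSetVersion hunk in TlsConfig.c, every case of the switch calls SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()), so the three branches are identical and the requested ProtoVersion no longer constrains what is negotiated, even though the function name promises a pinned version; the new comment also has the typo "negoriated". Replace the per-case method selection with SSL_set_min_proto_version (TlsConn->Ssl, ProtoVersion) and SSL_set_max_proto_version (TlsConn->Ssl, ProtoVersion), the SSL-object counterparts of the SSL_CTX_ calls Thomas asked for, and check their return values, since both return 0 on failure.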
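Review bot: in the TlsSetSessionId hunk, the return value of SSL_SESSION_set1_id is discarded and the function falls through to return EFI_SUCCESS; SSL_SESSION_set1_id returns 0 when the id cannot be set (for example when SessionIdLen exceeds the maximum session id length OpenSSL accepts), so the old explicit length assignment and copy have been replaced by a call whose failure is now silent. Check the result and return an error status instead of EFI_SUCCESS when it is 0.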
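Review bot: the TlsGetKeyMaterial hunk changes the copy from Session->master_key_length bytes to a fixed SSL3_MASTER_SECRET_SIZE request and drops the size_t that SSL_SESSION_get_master_key returns; that return value is the number of bytes actually written, so capture it, treat 0 as a failure rather than returning EFI_SUCCESS, and make sure the function's documentation states that KeyMaterial must hold at least SSL3_MASTER_SECRET_SIZE bytes now that the copy length no longer comes from the session itself.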
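Review bot: in the TlsInitialize hunk, OPENSSL_init_ssl returns an int that is 0 on failure, and the new call ignores it just as the removed SSL_library_init call did; since every later wrapper call depends on this initialisation, check the result and report the failure from TlsInitialize (if its signature returns a status) instead of continuing to the PRNG setup. The comment above the call still only mentions loading algorithms, while the removed comment about loading the error strings was the one that described what the new flags actually request; fold that into the surviving comment.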
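Review bot: in the TlsNew hunk, SSL_set_security_level (TlsConn->Ssl, 0) drops the connection to OpenSSL 1.1.0's lowest security level, which disables the minimum key-size and cipher-strength checks that the default level 1 enforces, and the comment only says this "retains compatibility" without saying what is being relaxed. State in the comment which checks level 0 turns off and why the wrapper needs them off, and consider keeping the default level (or exposing the level as a parameter) unless a concrete cipher suite or certificate the firmware must accept is known to be rejected at level 1.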