From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web08.6831.1651821126359610120 for ; Fri, 06 May 2022 00:12:07 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=cZ/W3HMj; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: yi1.li@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1651821126; x=1683357126; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=AnrkaFv+SouR46nEIXkicWJSNQ8EoNhJBQ1aXxrMDsk=; b=cZ/W3HMjOrr31jEsh4J01chBxlMVoRkcZ89ta4gEbfjNLriS9EbMXrwI QXqHBVBMTCsqV3JvbUX/Rq9jwLkNkqSi2oOJTPZoMee7IKe79e5a6BfwB dl4EMNpx602N54zTPfMmJM+V17UsH6xnrz/H8l8k+1LsG2iv7M50CME/u +celp+whh9xau/XKfUxlxzoyZzWyl9AnSChPy7BZm9XkEHhKiipJj2COf hu7Icso1dm49mP59DPpAt15oFhAVmn0nyGIhDGpN/1WV96Ky2vlwoXoQK AuRk7rxMnrJ03ZHMnml9TKFkp6sy6O4+HTNKU9eYZVBcJbQ2zoUl417tr w==; X-IronPort-AV: E=McAfee;i="6400,9594,10338"; a="293583557" X-IronPort-AV: E=Sophos;i="5.91,203,1647327600"; d="scan'208,217";a="293583557" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 May 2022 00:12:05 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,203,1647327600"; d="scan'208,217";a="654584808" Received: from fmsmsx605.amr.corp.intel.com ([10.18.126.85]) by FMSMGA003.fm.intel.com with ESMTP; 06 May 2022 00:12:05 -0700 Received: from fmsmsx609.amr.corp.intel.com (10.18.126.89) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27; Fri, 6 May 2022 00:12:04 -0700 Received: from fmsmsx606.amr.corp.intel.com (10.18.126.86) by fmsmsx609.amr.corp.intel.com (10.18.126.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27; Fri, 6 May 2022 00:12:04 -0700 Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx606.amr.corp.intel.com (10.18.126.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27 via Frontend Transport; Fri, 6 May 2022 00:12:04 -0700 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (104.47.74.48) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.27; Fri, 6 May 2022 00:12:04 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VaDvUVB4MrvfjxSaayqXrmgu2zGrXGZkZIsVVloVoHQO7ytWVJ5Y2k2TS5/TSUFhZNI1CbhhMmYA1imrjJ2kdqEAgsuXdjJ0lTBAjhk0TGlOuzk8RObN0x0tCYgLhpTsyhHcAsvXM+3tfN9wfTghxQE9AWo+U6sIjzQXlnjksA4JMm5JfOvIkzgercWbvuNCM72M3raqJeqbTH4wH1olXF1ZCn6Z53I0eyURrmFqzeF8AIY6YFb7c5iy/W9L8Cq2AXPlWWTZP/qf0yNI+Y+Gvl0Qb6VHTUidFY6UhMRR2oeTSAxPjZoqTu0EIrr1PiN8cQqlFOn7pg44XVgcmClryA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pOkSq0YjIYqyIeGzuC4H28866DZKJfozh68r/Ra2RRI=; b=SF8hvGAn3eNxj1qgKNlDApFwF52hjMMgjNRM/AEO1qfVdQPuiyApGCgpi1/58WESMZp7JN4D+i+vWUKjF2n0wxCTulNWmmiS2JfGekTTcumzQLvNh43BUaP5f67W56Wn3rDdYPIv3S41VUA5IAY+RT2wnsqJAL8rtBwr26MTUQb6s+HFRcuUtoC9a362CwdVwisqYuCBRbCZ3TyzXliC80EzJUtsDP6t5BQ8AbJiTmUr7zpzGNMMkS9XiD1LYryh3uV7oyb80NWDy406gBV3qF6Glm3aOQwCHJ2SSQD+LyOqHlvRkZT0Y2zskDNy1s85lpCptswUfseztH04fC/2yQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from BL0PR11MB3396.namprd11.prod.outlook.com (2603:10b6:208:6d::11) by MWHPR11MB1552.namprd11.prod.outlook.com (2603:10b6:301:e::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.23; Fri, 6 May 2022 07:12:00 +0000 Received: from BL0PR11MB3396.namprd11.prod.outlook.com ([fe80::c9a9:ec23:2f4d:b272]) by BL0PR11MB3396.namprd11.prod.outlook.com ([fe80::c9a9:ec23:2f4d:b272%5]) with mapi id 15.20.5186.028; Fri, 6 May 2022 07:12:00 +0000 From: "yi1 li" To: "Yao, Jiewen" , "devel@edk2.groups.io" CC: "Kinney, Michael D" , "Gao, Liming" Subject: Re: [edk2-devel] [PATCH 1/1] MdePkg: Add WPA3 related TLS configure macro Thread-Topic: [edk2-devel] [PATCH 1/1] MdePkg: Add WPA3 related TLS configure macro Thread-Index: AQHYX5mn/E/0Wz7rx0u36WInivFdpK0Of9yAgALZwhA= Date: Fri, 6 May 2022 07:12:00 +0000 Message-ID: References: <075f00b16013a2c401de91304f0ce4ff5bf4dfc5.1651656533.git.yi1.li@intel.com> In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.6.401.20 dlp-reaction: no-action authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 6679ca96-b3dd-47be-bc00-08da2f2fb6e6 x-ms-traffictypediagnostic: MWHPR11MB1552:EE_ x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: +GWg83UWgT0AP0RG60ZcoUB/VCY0YxX4KRwK3tkysTTDlamGDqVMfvCqyJwiV+mIb2wyyx7A7qn/IJUmMaKm4WMA2KVRHj9G/q1/xKiIHX4hRli8rVXsFMzOKbuEiOxtdA/D4ELAL0QccdosHuu0qvuah+nnL/px/MKi1UMlwTDptSH/NEZ+Lk4PTprnu1kXKAqH9LlpCFlsv1aGSQaMWgCVmbKlM4m0ZMAG0d1Evc4DOJOZ8mZSg9Uhy24IxNmJEAKnUxlsfAmm+GoVqM1C8HsMLE/WEIf+74ryx9tTCSxcpUZsM8hWXOtiGtD9j9ur+2wVC0D81mrIJO5X+r1XBhZKItPVDKRAjaIOmf9roUJz2ZZ3RkGdMG5eo/hZphJssvwG4ZhUfIow2J/InmoaAWNHgdWSrlkM56IXb/u4/Irpp9ROTlgQvKc4klVyqfH2Ya1BO4GYNVvilaGZ0RgCs+yVZSVcg7QbCl/B6Z8RTqvNedHnJkr62ZmbJmTWwhNn/rfj6X1iXfuC4tFGH1fW1J55GQv3t+cRq5AosSPBDMusKeqiouFROQsgGGozDaYASGQ+WibeULFQuE+G8OE2fwLOIb+gswJbqesPnrYvwGe3EhfspKgYUc5V3PJDMYjWii0G1kki7bRUaQD53kfarC5Y0Cw0CTrbvaDhPVSVLSLTaFf9V2jpfu+vADmc92rpEoDwytG/Z94fLm0NxCWE/He3gf8FLfAjYOywZhIEDeIlBk967P43VSZPcUIydf5tC+3l3LvL732y9OJNZeurYToJ8jhO3RgD7J7TYrtACK6drr7PeFEkL+8Ge8Ii/suYUT8AUS6hJ8jDWKpiv/4VFw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BL0PR11MB3396.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(508600001)(8936002)(53546011)(2906002)(86362001)(33656002)(5660300002)(52536014)(966005)(7696005)(9326002)(6506007)(9686003)(166002)(30864003)(83380400001)(71200400001)(55016003)(38100700002)(4326008)(76116006)(66946007)(8676002)(110136005)(64756008)(66476007)(66446008)(66556008)(186003)(38070700005)(82960400001)(19627235002)(54906003)(316002)(122000001)(26005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?mj12fmoijFUp63uygG6QzoCQ4nJ9dkqIhE8KDscjsSdkzx2hYa9c4Sh022ep?= =?us-ascii?Q?052P9nd/kQeMhaS7ezvEp29xEDGP9HyY9uYcohRufPNoVxhXa3IfobLl7TfU?= =?us-ascii?Q?xxApaErqc8p3D6h9n0kZxUNIF9NGK6mKgLAgtSnb31qZJVDme9XCBa+Y22R/?= =?us-ascii?Q?OpL8Ra//UAhvPa8gTCLls9EqBwG6MkrK5VkGKtS64kndbBgrtCnDh8/I9cD5?= =?us-ascii?Q?WhNaEkfPo/EH/qEUWNxQkUjmSZV8G0VRzuKOtUa7PSt7YigcyLBRVfu1SUIc?= =?us-ascii?Q?2urlklTDoMyvmZens5CdIs3/P9Qybslx7gRH63SEwFUjUXZNngrX0+oGmmdY?= =?us-ascii?Q?pUX0gKODyC9UOK6bvHB4i9kbxW6NjJdd+anGaMUpWEhCe+PEbB265RUOM4JX?= =?us-ascii?Q?LdSCOE3L0xr8RKx1M9pfYtGV3sGZawZUfzKEevChxIivyhrabD0IljzIcc+b?= =?us-ascii?Q?aRJx4h1iMdCy5z0/2WcOTd+r9XW1nIegTrN6WBXg0cby7RisZgfvLHYKQDFR?= =?us-ascii?Q?DwMMGGgGPDJjRcXvdTxsFPaNBy9r6aFgNYrehKxgQ6bi1Ikk1zjUhZ7my32/?= =?us-ascii?Q?yuYhK66xCIQDjlJm7m+RK6Ob36V4F8anl9Ipz1MsuFxj6kGQ7plnFiC8EGmg?= =?us-ascii?Q?UHuNDWIhnuCZpIadP2hEdmuag/SxSeE7/mEJw3NOo4FBI1i7DEbXE5+4H+Au?= =?us-ascii?Q?AM1s8b+3dj0P6N8oq0cjvqmsoNrP+DKyAXeRXUj31bNsEED2POD3nr9FVp58?= =?us-ascii?Q?ahCne36Qqdh/o6UkqmUhUPkB/7BmmbpI2ymIt4atBACpqVUAnb2hw3ToUHvy?= =?us-ascii?Q?RjOg1b24wLiIeGBFKP6AeF5s8fJfQEhKkJ4rTH0uBfmPpUBv13V71Ni8ePXp?= =?us-ascii?Q?fzNN536HKYWJSe/lPUmdDwerWR5cWq+U5qKzHziadilAAHj55qRkddM/sykB?= =?us-ascii?Q?rb6j8ACf/C4EnWfOi1ylIYwEitQ3u/gVgoyb1/YjHLRKiK5Sz5EsPIL9Qq0I?= =?us-ascii?Q?yAUHvKqnYOIXgw9EjFpG8hQA6JslLdaCztaJ8Lyzd9xd55vlYtvpp3kqQFR1?= =?us-ascii?Q?5XXeDfbXUDZnMk4aPvIKDJrmBj35BY6buwOdHxF3Fz95z7DAJfdfbl98FPrA?= =?us-ascii?Q?JKBGqn7XDIt2KN5Gs9EWJKPJn6Tnp+Zg1PdTnJl8tR02DPbOdnhWblW9Lcd0?= =?us-ascii?Q?sTL3Z+paC4admIliRUxQvtMdv+M6WF+jIeSNlXF4f3WUZxHcgncq7OXMhcII?= =?us-ascii?Q?6CpouKAMnZtr+p9LvA4w2dI7k8aE2TbSJo4E+IwhPVmdG2sWyCjoYv6msMry?= =?us-ascii?Q?aX033vVkwNO+FvQc+4cmKaAO1LGDvIy1HUXHe2pPoBLefAhF5Zx7jPJ0aTSi?= =?us-ascii?Q?MzqKUXxWe6/h11FYoY/k8lohtC66rBxis4KKQd+hnflRqGOauCJcQqm47fSX?= =?us-ascii?Q?Yw//6cviXO/BMHWZslLCdAynengsSpr+Wz/Mt539vl/pleqOJ3DC5qPszWG8?= =?us-ascii?Q?Be/o16UJsAZ3pQJgEGNOydsfxVDMTUxn9OOYc+KUc2WYGd0Q6+6T4Jl93eJg?= =?us-ascii?Q?iSW5aHPUFmoY7fjDUA2dcyNBnz8BpowXY1i+5tf/z4Q4Jzopmd1s+lfsBQ/C?= =?us-ascii?Q?dzqe+XJ+muWW6BjUzCTPG6Zg9Wzr9wRCg8s9eMBfEEbhW+N+kMCy0n+XpwZE?= =?us-ascii?Q?MnpA+0cqUMiKSFyoMjXTS6pwkv+W87134D9MG3aex94dwJWYSsWxhNWeLRAg?= =?us-ascii?Q?YK9BfzVTAA=3D=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3396.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 6679ca96-b3dd-47be-bc00-08da2f2fb6e6 X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2022 07:12:00.4420 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: qANP34+QiUlU8DxEEMJv60S7Wpux4CwB8+UG7sIaQo3ijKl+kv5CSDVv+s/p8geNQLUQByi+wtNzT98Ss++D4g== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1552 Return-Path: yi1.li@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_BL0PR11MB339665858F2B83521ADD0DBEC5C59BL0PR11MB3396namp_" --_000_BL0PR11MB339665858F2B83521ADD0DBEC5C59BL0PR11MB3396namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Jiewen, 1) {0x13, *} is defined in TLS1.3 Due to TlsLib in edk2 is not fully support TLS1.3, I think I need to remove= 1.3 cipher suite to avoid confusion. 2) 3) Although it is not absolutely required, I highly recommend to add spe= cific value to TLS_HASH_ALGO, to align with definition in RFC. I think we can add the version value to the enum name to identify it is TLS= 1.2 specific. > + Tls12HashAlgoSha512 =3D 6, > +} TLS1_2_HASH_ALGO; 4) RFC4492 is obsoleted by RFC8422 - https://datatracker.ietf.org/doc/html/= rfc8422#section-5.1.1 Agree with it, should remove deprecated algo. 5) 6) "signature_algorithms" is changed in TLS 1.3 - https://datatracker.ie= tf.org/doc/html/rfc8446#section-4.2.3. Similar to 1), if we align with tls1.2, we need to continue to use Hash&Sig= nature Pair instead of Scheme, even if some algorithms are deprecated in tls1.3. I prefer to keep using th= is Pair. Since this is a backwards compatible extension field, we of course could us= e the Signature Scheme to deprecate MD5 SHA1 and others, but this would be a bit confusing due to the sudden appearance of a tls1.3= structure. 7) Last but not least, I hope to see how those new definition is used. This commit show how we use Hash&Signature Pair to set SignatureAlgoList: https://github.com/tianocore/edk2/pull/2856/commits/cedb3c322e6d9a7efc13912= 1bfa95c2f49383675#diff-a09163cae884557cab2f09c088c9bc53180bdcd8d7679abb6b21= 7eeb130e071c Consumer can call TlsSetSignatureAlgoList() with a Hash&Signature Pair arra= y, Then form a parameter list according to the name map TlsSignatureAlgoToName= [] and TlsHashAlgoToName[], Finally call the Openssl function like: SSL_set1_sigalgs_list(ssl,"DSA+SHA5= 12:RSA+SHA512:ECDSA+SHA512 "); The TLS code is in final testing, it would be very helpful if you could giv= e some advice. Thank you, Yi -----Original Message----- From: Yao, Jiewen Sent: Wednesday, May 4, 2022 6:13 PM To: devel@edk2.groups.io; Li, Yi1 Cc: Kinney, Michael D ; Gao, Liming Subject: RE: [edk2-devel] [PATCH 1/1] MdePkg: Add WPA3 related TLS configur= e macro Thanks Yi. Some feedback: 1) {0x13, *} is defined in TLS1.3 - https://datatracker.ietf.org/doc/html/r= fc8446#appendix-B.4 The comment "> /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 a= nd rfc-5246." should be updated to include 8446 as well. 2) Although it is not absolutely required, I highly recommend to add specif= ic value to TLS_HASH_ALGO, to align with definition in RFC. > + TlsHashAlgoNone =3D 0, > + TlsHashAlgoMd5 =3D 1, > + TlsHashAlgoSha1 =3D 2, > + TlsHashAlgoSha224 =3D 3, > + TlsHashAlgoSha256 =3D 4, > + TlsHashAlgoSha384 =3D 5, > + TlsHashAlgoSha512 =3D 6, > +} TLS_HASH_ALGO; 3) Ditto, for TLS_SIGNATURE_ALGO. > + TlsSignatureAlgoAnonymous =3D 0, > + TlsSignatureAlgoRsa =3D 1, > + TlsSignatureAlgoDsa =3D 2, > + TlsSignatureAlgoEcdsa =3D 3, > +} TLS_SIGNATURE_ALGO; The value is assigned in the spec. It cannot be changed. 4) RFC4492 is obsoleted by RFC8422 - https://datatracker.ietf.org/doc/html/= rfc8422#section-5.1.1 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RFC 4492 defined 25 different curves in the NamedCurve registry (now renamed the "TLS Supported Groups" registry, although the enumeration below is still named NamedCurve) for use in TLS. Only three have seen much use. This specification is deprecating the rest (with numbers 1-22). =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D I don't see a reason to define so many deprecated algorithms. Would you please align with section 5.1.1 in RFC8422? You may consider to a= dd x25519 and x448 as well. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D enum { deprecated(1..22), secp256r1 (23), secp384r1 (24), secp521r1 (25), x25519(29), x448(30), reserved (0xFE00..0xFEFF), deprecated(0xFF01..0xFF02), (0xFFFF) } NamedCurve; =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 5) Since you added TLS 1.3 cipher suit, I assume you also want to add defin= ition for TLS 1.3. Please aware that "signature_algorithms" is changed in TLS 1.3 - https://da= tatracker.ietf.org/doc/html/rfc8446#section-4.2.3. I am not sure if you need define that as well. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D enum { /* RSASSA-PKCS1-v1_5 algorithms */ rsa_pkcs1_sha256(0x0401), rsa_pkcs1_sha384(0x0501), rsa_pkcs1_sha512(0x0601), /* ECDSA algorithms */ ecdsa_secp256r1_sha256(0x0403), ecdsa_secp384r1_sha384(0x0503), ecdsa_secp521r1_sha512(0x0603), /* RSASSA-PSS algorithms with public key OID rsaEncryption */ rsa_pss_rsae_sha256(0x0804), rsa_pss_rsae_sha384(0x0805), rsa_pss_rsae_sha512(0x0806), /* EdDSA algorithms */ ed25519(0x0807), ed448(0x0808), /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */ rsa_pss_pss_sha256(0x0809), rsa_pss_pss_sha384(0x080a), rsa_pss_pss_sha512(0x080b), ... } SignatureScheme; =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 6) Ditto. Please aware that "NamedCurve" is changed in TLS 1.3 - https://da= tatracker.ietf.org/doc/html/rfc8446#section-4.2.7 I am not sure if you need define that as well. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D enum { /* Elliptic Curve Groups (ECDHE) */ secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), x25519(0x001D), x448(0x001E), ... } NamedGroup; =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 7) Last but not least, I hope to see how those new definition is used. Without consumer, it is hard for me to understand why they are needed, or i= f we miss something else. Thank you Yao, Jiewen > -----Original Message----- > From: devel@edk2.groups.io > On Behalf Of yi1 li > Sent: Wednesday, May 4, 2022 5:31 PM > To: devel@edk2.groups.io > Cc: Li, Yi1 >; Kinney, Michael = D > >; Gao, Lim= ing > > Subject: [edk2-devel] [PATCH 1/1] MdePkg: Add WPA3 related TLS > configure macro > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D3892 > > Which are needed for SUITE-B and SUITE-B-192. > > Cc: Michael D Kinney > > Cc: Liming Gao = > > Signed-off-by: yi1 li > > --- > MdePkg/Include/IndustryStandard/Tls1.h | 133 > ++++++++++++++++++------- > 1 file changed, 97 insertions(+), 36 deletions(-) > > diff --git a/MdePkg/Include/IndustryStandard/Tls1.h > b/MdePkg/Include/IndustryStandard/Tls1.h > index cf67428b1129..6519afe15e78 100644 > --- a/MdePkg/Include/IndustryStandard/Tls1.h > +++ b/MdePkg/Include/IndustryStandard/Tls1.h > @@ -15,42 +15,49 @@ > /// > /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246. > /// > -#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} > -#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} > -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} > -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} > -#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} > -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} > -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} > -#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} > -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} > -#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} > -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} > -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} > -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} > -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} > -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} > -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} > -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} > -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} > -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} > -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} > -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} > -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} > -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} > -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} > -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} > -#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} > -#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} > -#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} > -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} > -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} > -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} -#define > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} > -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} > -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} > -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} -#define > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} > +#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} > +#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} > +#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} > +#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} > +#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} > +#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} > +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} > +#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} > +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} > +#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} > +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} > +#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} > +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} > +#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} > +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} > +#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} > +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} > +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} > +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} > +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} > +#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} > +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} > +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} > +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} > +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} > +#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} > +#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} > +#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} > +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} > +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} > +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} > +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} > +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} > +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} > +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} > +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} > +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F} > +#define TLS_AES_128_GCM_SHA256 {0x13, 0x01} > +#define TLS_AES_256_GCM_SHA384 {0x13, 0x02} > +#define TLS_CHACHA20_POLY1305_SHA256 {0x13, 0x03} > +#define TLS_ECDHE_ECDSA_AES128_GCM_SHA256 {0xC0, 0x2B} > +#define TLS_ECDHE_ECDSA_AES256_GCM_SHA384 {0xC0, 0x2C} > +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30} > > /// > /// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246. > @@ -95,6 +102,60 @@ typedef struct { > // > #define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432 > > +/// > +/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246. > +/// > +typedef enum { > + TlsHashAlgoNone =3D 0, > + TlsHashAlgoMd5, > + TlsHashAlgoSha1, > + TlsHashAlgoSha224, > + TlsHashAlgoSha256, > + TlsHashAlgoSha384, > + TlsHashAlgoSha512, > +} TLS_HASH_ALGO; > + > +/// > +/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246. > +/// > +typedef enum { > + TlsSignatureAlgoAnonymous =3D 0, > + TlsSignatureAlgoRsa, > + TlsSignatureAlgoDsa, > + TlsSignatureAlgoEcdsa, > +} TLS_SIGNATURE_ALGO; > + > +/// > +/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 > +of rfc-4492 /// typedef enum { > + TlsEcNamedCurve_sect163k1 =3D 1, > + TlsEcNamedCurve_sect163r1, // 2, > + TlsEcNamedCurve_sect163r2, // 3, > + TlsEcNamedCurve_sect193r1, // 4, > + TlsEcNamedCurve_sect193r2, // 5, > + TlsEcNamedCurve_sect233k1, // 6, > + TlsEcNamedCurve_sect233r1, // 7, > + TlsEcNamedCurve_sect239k1, // 8, > + TlsEcNamedCurve_sect283k1, // 9, > + TlsEcNamedCurve_sect283r1, // 10, > + TlsEcNamedCurve_sect409k1, // 11, > + TlsEcNamedCurve_sect409r1, // 12, > + TlsEcNamedCurve_sect571k1, // 13, > + TlsEcNamedCurve_sect571r1, // 14, > + TlsEcNamedCurve_secp160k1, // 15, > + TlsEcNamedCurve_secp160r1, // 16, > + TlsEcNamedCurve_secp160r2, // 17, > + TlsEcNamedCurve_secp192k1, // 18, > + TlsEcNamedCurve_secp192r1, // 19, > + TlsEcNamedCurve_secp224k1, // 20, > + TlsEcNamedCurve_secp224r1, // 21, > + TlsEcNamedCurve_secp256k1, // 22, > + TlsEcNamedCurve_secp256r1, // 23, > + TlsEcNamedCurve_secp384r1, // 24, > + TlsEcNamedCurve_secp521r1, // 25, > +} TLS_EC_NAMED_CUREVE; > + > #pragma pack() > > #endif > -- > 2.31.1.windows.1 > > > >=20 > --_000_BL0PR11MB339665858F2B83521ADD0DBEC5C59BL0PR11MB3396namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Jiewen,

 

1) {0x13, *} is defined in TLS1.3

 

Due to TlsLib in edk2 is not fully support TLS1.3= , I think I need to remove 1.3 cipher suite to avoid confusion.<= /p>

 

2) 3) Although it is not absolutely required, I highly recommend to a= dd specific value to TLS_HASH_ALGO, to align with definition in RFC.=

 

I think we can add the version value to the enum = name to identify it is TLS1.2 specific.

> +  Tls12HashAlgoSha512 =3D 6,

> +} TLS1_2_HASH_ALGO;

 

4) RFC4492 is obsoleted by RFC8422 - https://datatracker.ietf= .org/doc/html/rfc8422#section-5.1.1

 

Agree with it, should remove deprecated algo.

 

5) 6) "signature_algorithms" is changed in TLS 1.3 - https://datatracker.ietf= .org/doc/html/rfc8446#section-4.2.3.

 

Similar to 1), if we align with tls1.2, we need t= o continue to use Hash&Signature Pair instead of Scheme,

even if some algorithms are deprecated in tls1.3.= I prefer to keep using this Pair.

 

Since this is a backwards compatible extension fi= eld, we of course could use the Signature Scheme to deprecate MD5 SHA1 and others,

but this would be a bit confusing due to the sudd= en appearance of  a tls1.3 structure.

 

7) Last but not least, I hope to see how those new definition is used= .

 

This commit show how we use Hash&Signature= Pair to set SignatureAlgoList:

https://github.com/tiano= core/edk2/pull/2856/commits/cedb3c322e6d9a7efc139121bfa95c2f49383675#diff-a= 09163cae884557cab2f09c088c9bc53180bdcd8d7679abb6b217eeb130e071c

 

Consumer can call TlsSetSignatureAlgoList() with = a Hash&Signature Pair array,

Then form a parameter list according to the name map TlsSignatureAlgo=
ToName[] and TlsHashAlgoToName[],
Finally call the Openssl function like: SSL_set1_sigalgs_list(ssl,&qu=
ot;DSA+SHA512:RSA+SHA512:ECDSA+SHA512 ");
 

The TLS code is in final testing, it would be ver= y helpful if you could give some advice.

 

Thank you,

Yi

 

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, May 4, 2022 6:13 PM
To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <g= aoliming@byosoft.com.cn>
Subject: RE: [edk2-devel] [PATCH 1/1] MdePkg: Add WPA3 related TLS configur= e macro

 

Thanks Yi.

 

Some feedback:

 

1) {0x13, *} is defined in TLS1.3 - https://datatracker.i= etf.org/doc/html/rfc8446#appendix-B.4

The comment ">  /// TLS Cipher Suite= , refers to A.5 of rfc-2246, rfc-4346 and rfc-5246." should be updated= to include 8446 as well.

 

2) Although it is not absolutely required, I high= ly recommend to add specific value to TLS_HASH_ALGO, to align with definiti= on in RFC.

> +  TlsHashAlgoNone =3D 0,

> +  TlsHashAlgoMd5 =3D 1,

> +  TlsHashAlgoSha1 =3D 2,

> +  TlsHashAlgoSha224 =3D 3,<= /p>

> +  TlsHashAlgoSha256 =3D 4,<= /p>

> +  TlsHashAlgoSha384 =3D 5,<= /p>

> +  TlsHashAlgoSha512 =3D 6,<= /p>

> +} TLS_HASH_ALGO;

 

3) Ditto, for TLS_SIGNATURE_ALGO.

 

> +  TlsSignatureAlgoAnonymous =3D 0,

> +  TlsSignatureAlgoRsa =3D 1,

> +  TlsSignatureAlgoDsa =3D 2,

> +  TlsSignatureAlgoEcdsa =3D 3,

> +} TLS_SIGNATURE_ALGO;

 

The value is assigned in the spec. It cannot be c= hanged.

 

4) RFC4492 is obsoleted by RFC8422 - https://datatracker.i= etf.org/doc/html/rfc8422#section-5.1.1

 

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D

   RFC 4492 defined 25 different curves= in the NamedCurve registry (now

   renamed the "TLS Supported Grou= ps" registry, although the enumeration

   below is still named NamedCurve) for= use in TLS.  Only three have

   seen much use.  This specificat= ion is deprecating the rest (with

   numbers 1-22).

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D

 

I don’t see a reason to define so many depr= ecated algorithms.

Would you please align with section 5.1.1 in RFC8= 422? You may consider to add x25519 and x448 as well.

 

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

        &= nbsp;  enum {

        &= nbsp;      deprecated(1..22),

        &= nbsp;      secp256r1 (23), secp384r1 (24), secp521= r1 (25),

        &= nbsp;      x25519(29), x448(30),

        &= nbsp;      reserved (0xFE00..0xFEFF),

        &= nbsp;      deprecated(0xFF01..0xFF02),<= /p>

        &= nbsp;      (0xFFFF)

        &= nbsp;  } NamedCurve;

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

 

5) Since you added TLS 1.3 cipher suit, I assume = you also want to add definition for TLS 1.3.

 

Please aware that "signature_algorithms"= ; is changed in TLS 1.3 - https://datatracker.ietf= .org/doc/html/rfc8446#section-4.2.3.

I am not sure if you need define that as well.

 

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

      enum {<= /p>

         =  /* RSASSA-PKCS1-v1_5 algorithms */

        &= nbsp; rsa_pkcs1_sha256(0x0401),

        &= nbsp; rsa_pkcs1_sha384(0x0501),

        &= nbsp; rsa_pkcs1_sha512(0x0601),

 

        &= nbsp; /* ECDSA algorithms */

        &= nbsp; ecdsa_secp256r1_sha256(0x0403),

        &= nbsp; ecdsa_secp384r1_sha384(0x0503),

        &= nbsp; ecdsa_secp521r1_sha512(0x0603),

 

        &= nbsp; /* RSASSA-PSS algorithms with public key OID rsaEncryption */

        &= nbsp; rsa_pss_rsae_sha256(0x0804),

        &= nbsp; rsa_pss_rsae_sha384(0x0805),

        &= nbsp; rsa_pss_rsae_sha512(0x0806),

 

        &= nbsp; /* EdDSA algorithms */

        &= nbsp; ed25519(0x0807),

        &= nbsp; ed448(0x0808),

 

        &= nbsp; /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */=

        &= nbsp; rsa_pss_pss_sha256(0x0809),

         =  rsa_pss_pss_sha384(0x080a),

        &= nbsp; rsa_pss_pss_sha512(0x080b),

...

      } SignatureScheme;=

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

 

6) Ditto. Please aware that "NamedCurve"= ; is changed in TLS 1.3 - https://datatracker.ietf= .org/doc/html/rfc8446#section-4.2.7

I am not sure if you need define that as well.

 

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

      enum {<= /p>

 

        &= nbsp; /* Elliptic Curve Groups (ECDHE) */

        &= nbsp; secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),

        &= nbsp; x25519(0x001D), x448(0x001E),

...

      } NamedGroup;=

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

 

7) Last but not least, I hope to see how those ne= w definition is used.

Without consumer, it is hard for me to understand= why they are needed, or if we miss something else.

 

 

Thank you

Yao, Jiewen

 

 

> -----Original Message-----

> From: devel@edk2.groups.i= o <devel@edk2.groups.io> On Behalf Of yi1 li

> Sent: Wednesday, May 4, 2022 5:31 PM

> To: = devel@edk2.groups.io<= /span>

> Cc: Li, Yi1 <yi1.li@intel.= com>; Kinney, Michael D

> <michael.d.kinne= y@intel.com>; Gao, Liming <gaolimin= g@byosoft.com.cn>

> Subject: [edk2-devel] [PATCH 1/1] MdePkg: Ad= d WPA3 related TLS

> configure macro

>

> REF:https://bugzilla.tianocore.org/show_bug.= cgi?id=3D3892

>

> Which are needed for SUITE-B and SUITE-B-192= .

>

> Cc: Michael D Kinney <michael.d.kinney@intel.com>

> Cc: Liming Gao <ga= oliming@byosoft.com.cn>

> Signed-off-by: yi1 li <yi1= .li@intel.com>

> ---

>  MdePkg/Include/IndustryStandard/Tls1.h= | 133

> ++++++++++++++++++-------

>  1 file changed, 97 insertions(+), 36 d= eletions(-)

>

> diff --git a/MdePkg/Include/IndustryStandard= /Tls1.h

> b/MdePkg/Include/IndustryStandard/Tls1.h

> index cf67428b1129..6519afe15e78 100644=

> --- a/MdePkg/Include/IndustryStandard/Tls1.h=

> +++ b/MdePkg/Include/IndustryStandard/Tls1.h=

> @@ -15,42 +15,49 @@

>  ///

>  /// TLS Cipher Suite, refers to A.5 of= rfc-2246, rfc-4346 and rfc-5246.

>  ///

> -#define TLS_RSA_WITH_NULL_MD5  &n= bsp;            = ; {0x00, 0x01}

> -#define TLS_RSA_WITH_NULL_SHA  &n= bsp;            = ; {0x00, 0x02}

> -#define TLS_RSA_WITH_RC4_128_MD5  = ;           {0x00, 0x04}<= o:p>

> -#define TLS_RSA_WITH_RC4_128_SHA  = ;           {0x00, 0x05}<= o:p>

> -#define TLS_RSA_WITH_IDEA_CBC_SHA &nbs= p;          {0x00, 0x07}<= /o:p>

> -#define TLS_RSA_WITH_DES_CBC_SHA  = ;           {0x00, 0x09}<= o:p>

> -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA =        {0x00, 0x0A}

> -#define TLS_DH_DSS_WITH_DES_CBC_SHA &n= bsp;        {0x00, 0x0C}

> -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&nb= sp;    {0x00, 0x0D}

> -#define TLS_DH_RSA_WITH_DES_CBC_SHA &n= bsp;        {0x00, 0x0F}

> -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&nb= sp;    {0x00, 0x10}

> -#define TLS_DHE_DSS_WITH_DES_CBC_SHA &= nbsp;       {0x00, 0x12}

> -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&n= bsp;   {0x00, 0x13}

> -#define TLS_DHE_RSA_WITH_DES_CBC_SHA &= nbsp;       {0x00, 0x15}

> -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&n= bsp;   {0x00, 0x16}

> -#define TLS_RSA_WITH_AES_128_CBC_SHA &= nbsp;       {0x00, 0x2F}

> -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA&nbs= p;     {0x00, 0x30}

> -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA&nbs= p;     {0x00, 0x31}

> -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA&nb= sp;    {0x00, 0x32}

> -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA&nb= sp;    {0x00, 0x33}

> -#define TLS_RSA_WITH_AES_256_CBC_SHA &= nbsp;       {0x00, 0x35}

> -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA&nbs= p;     {0x00, 0x36}

> -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA&nbs= p;     {0x00, 0x37}

> -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA&nb= sp;    {0x00, 0x38}

> -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA&nb= sp;    {0x00, 0x39}

> -#define TLS_RSA_WITH_NULL_SHA256  = ;           {0x00, 0x3B}<= o:p>

> -#define TLS_RSA_WITH_AES_128_CBC_SHA256&nbs= p;     {0x00, 0x3C}

> -#define TLS_RSA_WITH_AES_256_CBC_SHA256&nbs= p;     {0x00, 0x3D}

> -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256&= nbsp;  {0x00, 0x3E}

> -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256&= nbsp;  {0x00, 0x3F}

> -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256=   {0x00, 0x40} -#define

> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  {0= x00, 0x67}

> -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256&= nbsp;  {0x00, 0x68}

> -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256&= nbsp;  {0x00, 0x69}

> -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256=   {0x00, 0x6A} -#define

> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  {0= x00, 0x6B}

> +#define TLS_RSA_WITH_NULL_MD5  &n= bsp;            = ;   {0x00, 0x01}

> +#define TLS_RSA_WITH_NULL_SHA  &n= bsp;            = ;   {0x00, 0x02}

> +#define TLS_RSA_WITH_RC4_128_MD5  = ;             {= 0x00, 0x04}

> +#define TLS_RSA_WITH_RC4_128_SHA  = ;             {= 0x00, 0x05}

> +#define TLS_RSA_WITH_IDEA_CBC_SHA &nbs= p;            {0x00,= 0x07}

> +#define TLS_RSA_WITH_DES_CBC_SHA  = ;             {= 0x00, 0x09}

> +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA =          {0x00, 0x0A}

> +#define TLS_DH_DSS_WITH_DES_CBC_SHA &n= bsp;          {0x00, 0x0C}

> +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&nb= sp;      {0x00, 0x0D}

> +#define TLS_DH_RSA_WITH_DES_CBC_SHA &n= bsp;          {0x00, 0x0F}

> +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&nb= sp;      {0x00, 0x10}

> +#define TLS_DHE_DSS_WITH_DES_CBC_SHA &= nbsp;         {0x00, 0x12}

> +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&n= bsp;     {0x00, 0x13}

> +#define TLS_DHE_RSA_WITH_DES_CBC_SHA &= nbsp;         {0x00, 0x15}

> +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&n= bsp;     {0x00, 0x16}

> +#define TLS_RSA_WITH_AES_128_CBC_SHA &= nbsp;         {0x00, 0x2F}

> +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA&nbs= p;       {0x00, 0x30}

> +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA&nbs= p;       {0x00, 0x31}

> +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA&nb= sp;      {0x00, 0x32}

> +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA&nb= sp;      {0x00, 0x33}

> +#define TLS_RSA_WITH_AES_256_CBC_SHA &= nbsp;         {0x00, 0x35}

> +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA&nbs= p;       {0x00, 0x36}

> +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA&nbs= p;       {0x00, 0x37}

> +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA&nb= sp;      {0x00, 0x38}

> +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA&nb= sp;      {0x00, 0x39}

> +#define TLS_RSA_WITH_NULL_SHA256  = ;             {= 0x00, 0x3B}

> +#define TLS_RSA_WITH_AES_128_CBC_SHA256&nbs= p;       {0x00, 0x3C}

> +#define TLS_RSA_WITH_AES_256_CBC_SHA256&nbs= p;       {0x00, 0x3D}

> +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256&= nbsp;    {0x00, 0x3E}

> +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256&= nbsp;    {0x00, 0x3F}

> +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256=     {0x00, 0x40}

> +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256=     {0x00, 0x67}

> +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256&= nbsp;    {0x00, 0x68}

> +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256&= nbsp;    {0x00, 0x69}

> +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256=     {0x00, 0x6A}

> +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256=     {0x00, 0x6B}

> +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384=     {0x00, 0x9F}

> +#define TLS_AES_128_GCM_SHA256  &= nbsp;           &nbs= p;  {0x13, 0x01}

> +#define TLS_AES_256_GCM_SHA384  &= nbsp;           &nbs= p;  {0x13, 0x02}

> +#define TLS_CHACHA20_POLY1305_SHA256 &= nbsp;         {0x13, 0x03}

> +#define TLS_ECDHE_ECDSA_AES128_GCM_SHA256&n= bsp;     {0xC0, 0x2B}

> +#define TLS_ECDHE_ECDSA_AES256_GCM_SHA384&n= bsp;     {0xC0, 0x2C}

> +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3= 84  {0xC0, 0x30}

>

>  ///

>  /// TLS Version, refers to A.1 of rfc-= 2246, rfc-4346 and rfc-5246.

> @@ -95,6 +102,60 @@ typedef struct {

>  //

>  #define TLS_CIPHERTEXT_RECORD_MAX_PAYL= OAD_LENGTH  18432

>

> +///

> +/// TLS Hash algorithm, refers to section 7= .4.1.4.1. of rfc-5246.

> +///

> +typedef enum {

> +  TlsHashAlgoNone =3D 0,

> +  TlsHashAlgoMd5,

> +  TlsHashAlgoSha1,

> +  TlsHashAlgoSha224,

> +  TlsHashAlgoSha256,

> +  TlsHashAlgoSha384,

> +  TlsHashAlgoSha512,

> +} TLS_HASH_ALGO;

> +

> +///

> +/// TLS Signature algorithm, refers to sect= ion 7.4.1.4.1. of rfc-5246.

> +///

> +typedef enum {

> +  TlsSignatureAlgoAnonymous =3D 0,

> +  TlsSignatureAlgoRsa,

> +  TlsSignatureAlgoDsa,

> +  TlsSignatureAlgoEcdsa,

> +} TLS_SIGNATURE_ALGO;

> +

> +///

> +/// TLS Supported Elliptic Curves Extension= s, refers to section 5.1.1

> +of rfc-4492 /// typedef enum {

> +  TlsEcNamedCurve_sect163k1 =3D 1,

> +  TlsEcNamedCurve_sect163r1, &nbs= p; // 2,

> +  TlsEcNamedCurve_sect163r2, &nbs= p; // 3,

> +  TlsEcNamedCurve_sect193r1, &nbs= p; // 4,

> +  TlsEcNamedCurve_sect193r2, &nbs= p; // 5,

> +  TlsEcNamedCurve_sect233k1, &nbs= p; // 6,

> +  TlsEcNamedCurve_sect233r1, &nbs= p; // 7,

> +  TlsEcNamedCurve_sect239k1, &nbs= p; // 8,

> +  TlsEcNamedCurve_sect283k1, &nbs= p; // 9,

> +  TlsEcNamedCurve_sect283r1, &nbs= p; // 10,

> +  TlsEcNamedCurve_sect409k1, &nbs= p; // 11,

> +  TlsEcNamedCurve_sect409r1, &nbs= p; // 12,

> +  TlsEcNamedCurve_sect571k1, &nbs= p; // 13,

> +  TlsEcNamedCurve_sect571r1, &nbs= p; // 14,

> +  TlsEcNamedCurve_secp160k1, &nbs= p; // 15,

> +  TlsEcNamedCurve_secp160r1, &nbs= p; // 16,

> +  TlsEcNamedCurve_secp160r2, &nbs= p; // 17,

> +  TlsEcNamedCurve_secp192k1, &nbs= p; // 18,

> +  TlsEcNamedCurve_secp192r1, &nbs= p; // 19,

> +  TlsEcNamedCurve_secp224k1, &nbs= p; // 20,

> +  TlsEcNamedCurve_secp224r1, &nbs= p; // 21,

> +  TlsEcNamedCurve_secp256k1, &nbs= p; // 22,

> +  TlsEcNamedCurve_secp256r1, &nbs= p; // 23,

> +  TlsEcNamedCurve_secp384r1, &nbs= p; // 24,

> +  TlsEcNamedCurve_secp521r1, &nbs= p; // 25,

> +} TLS_EC_NAMED_CUREVE;

> +

>  #pragma pack()

>

>  #endif

> --

> 2.31.1.windows.1

>

>

>

>

>

 

--_000_BL0PR11MB339665858F2B83521ADD0DBEC5C59BL0PR11MB3396namp_--