From: "Palmer, Thomas"
To: "Wu, Jiaxin", "Long, Qin", "edk2-devel@lists.01.org"
CC: "ard.biesheuvel@linaro.org", "Ye, Ting", "ronald.cron@arm.com", "glin@suse.com", "lersek@redhat.com"
Date: Thu, 23 Mar 2017 16:23:57 +0000
Subject: Re: [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
References: <20170321155612.1192-1-qin.long@intel.com> <20170321155612.1192-10-qin.long@intel.com> <895558F6EA4E3B41AC93A00D163B7274162A57BA@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B7274162A57BA@SHSMSX103.ccr.corp.intel.com>
List-Id: EDK II Development

Good catch, thanks!

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
Sent: Wednesday, March 22, 2017 8:21 PM
To: Long, Qin; Palmer, Thomas; edk2-devel@lists.01.org
Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; glin@suse.com; lersek@redhat.com
Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.

Hi Thomas,

I agree with the update for TlsSetVersion/TlsCtxNew. But for TlsSetVersion, we should use SSL_set_min_proto_version instead of SSL_CTX_set_min_proto_version to avoid the SSL CONTEXT change directly.

Thanks,
Jiaxin

> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, March 22, 2017 9:32 AM
> To: Palmer, Thomas; edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com; lersek@redhat.com
> Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
>
> Thomas,
>
> Thanks for the comments. I will check this with Jiaxin, and make the possible updates in V2.
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Wednesday, March 22, 2017 1:43 AM
> > To: Long, Qin; edk2-devel@lists.01.org
> > Cc: ard.biesheuvel@linaro.org; Ye, Ting; ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com; lersek@redhat.com
> > Subject: RE: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
> >
> > Qin,
> >
> > Please update TlsSetVersion to use SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version in the switch statement. We do not want to auto-negotiate but only to restrict to a particular version.
> >
> > Also, let's update TlsCtxNew to use only SSL_CTX_set_min_proto_version. TlsCtxNew will auto-negotiate, but the version provided will put in a lower floor to what is allowed.
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
> >
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Qin Long
> > Sent: Tuesday, March 21, 2017 10:56 AM
> > To: edk2-devel@lists.01.org
> > Cc: ard.biesheuvel@linaro.org; ting.ye@intel.com; ronald.cron@arm.com; jiaxin.wu@intel.com; glin@suse.com; lersek@redhat.com
> > Subject: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
> >
> > This patch updates the wrapper implementation in TlsLib to align with the latest OpenSSL-1.1.0xx API changes.
> >
> > Cc: Jiaxin Wu
> > Cc: Ting Ye
> > Cc: Laszlo Ersek
> > Cc: Ard Biesheuvel
> > Cc: Gary Lin
> > Cc: Ronald Cron
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Qin Long > > --- > > CryptoPkg/Library/TlsLib/InternalTlsLib.h | 6 +++++- > > CryptoPkg/Library/TlsLib/TlsConfig.c | 21 +++++++++++++-------- > > CryptoPkg/Library/TlsLib/TlsInit.c | 19 ++++++++++--------- > > 3 files changed, 28 insertions(+), 18 deletions(-) > > > > diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > index e75146648d..f3a662afea 100644 > > --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h > > @@ -1,7 +1,7 @@ > > /** @file > > Internal include file for TlsLib. > > > > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> > +Copyright (c) 2016 - 2017, Intel Corporation. All rights=20 > > +reserved.
> > This program and the accompanying materials are licensed and made=20 > > available under the terms and conditions of the BSD License which=20 > > accompanies this distribution. The full text of the license may be=20 > > found at @@ -15,6 +15,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF > ANY > > KIND, EITHER EXPRESS OR IMPLIED. > > #ifndef __INTERNAL_TLS_LIB_H__ > > #define __INTERNAL_TLS_LIB_H__ > > > > +#undef _WIN32 > > +#undef _WIN64 > > +#undef _MSC_VER > > + > > #include > > #include > > #include > > diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c > > b/CryptoPkg/Library/TlsLib/TlsConfig.c > > index f103da4321..3586be3945 100644 > > --- a/CryptoPkg/Library/TlsLib/TlsConfig.c > > +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c > > @@ -128,24 +128,30 @@ TlsSetVersion ( > > > > ProtoVersion =3D (MajorVer << 8) | MinorVer; > > > > + // > > + // Using the general-purpose version-flexible SSL/TLS methods here. > > + // The actual protocol version used in OpenSSL-1.1.xx will be=20 > > + negoriated // to the highest version mutually supported by the=20 > > + client and > > server. > > + // Old TLSv1_x_method() was marked as deprecated. > > + // > > switch (ProtoVersion) { > > case TLS1_VERSION: > > // > > // TLS 1.0 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > case TLS1_1_VERSION: > > // > > // TLS 1.1 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > case TLS1_2_VERSION: > > // > > // TLS 1.2 > > // > > - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); > > + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); > > break; > > default: > > // 
> > @@ -384,8 +390,7 @@ TlsSetSessionId ( > > return EFI_UNSUPPORTED; > > } > > > > - Session->session_id_length =3D SessionIdLen; > > - CopyMem (Session->session_id, SessionId,=20 > > Session->session_id_length); > > + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,=20 > > + SessionIdLen); > > > > return EFI_SUCCESS; > > } > > @@ -847,7 +852,7 @@ TlsGetClientRandom ( > > return; > > } > > > > - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random,=20 > > SSL3_RANDOM_SIZE); > > + SSL_get_client_random (TlsConn->Ssl, ClientRandom, > > SSL3_RANDOM_SIZE); > > } > > > > /** > > @@ -876,7 +881,7 @@ TlsGetServerRandom ( > > return; > > } > > > > - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random,=20 > > SSL3_RANDOM_SIZE); > > + SSL_get_server_random (TlsConn->Ssl, ServerRandom, > > SSL3_RANDOM_SIZE); > > } > > > > /** > > @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( > > return EFI_UNSUPPORTED; > > } > > > > - CopyMem (KeyMaterial, Session->master_key, Session- > > >master_key_length); > > + SSL_SESSION_get_master_key (Session, KeyMaterial,=20 > > + SSL3_MASTER_SECRET_SIZE); > > > > return EFI_SUCCESS; > > } > > diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c > > b/CryptoPkg/Library/TlsLib/TlsInit.c > > index 6b1fd93ea9..d7b8899ac2 100644 > > --- a/CryptoPkg/Library/TlsLib/TlsInit.c > > +++ b/CryptoPkg/Library/TlsLib/TlsInit.c > > @@ -1,7 +1,7 @@ > > /** @file > > SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. > > > > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> > +Copyright (c) 2016 - 2017, Intel Corporation. All rights=20 > > +reserved.
> > (C) Copyright 2016 Hewlett Packard Enterprise Development LP
=20 > > This program and the accompanying materials are licensed and made=20 > > available under the terms and conditions of the BSD License @@=20 > > -33,14 +33,10 @@ TlsInitialize ( > > // Performs initialization of crypto and ssl library, and loads requ= ired > > // algorithms. > > // > > - SSL_library_init (); > > - > > - // > > - // Loads error strings from both crypto and ssl library. > > - // > > - SSL_load_error_strings (); > > - > > - /// OpenSSL_add_all_algorithms(); > > + OPENSSL_init_ssl ( > > + OPENSSL_INIT_LOAD_SSL_STRINGS | > > OPENSSL_INIT_LOAD_CRYPTO_STRINGS, > > + NULL > > + ); > > > > // > > // Initialize the pseudorandom number generator. > > @@ -220,6 +216,11 @@ TlsNew ( > > } > > > > // > > + // This retains compatibility with previous version of OpenSSL. > > + // > > + SSL_set_security_level (TlsConn->Ssl, 0); > > + > > + // > > // Initialize the created SSL Object > > // > > SSL_set_info_callback (TlsConn->Ssl, NULL); > > -- > > 2.11.1.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel
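Review bot: the `#undef _WIN32` / `#undef _WIN64` / `#undef _MSC_VER` block added to InternalTlsLib.h immediately before its `#include` lines carries no comment explaining why the compiler-identifying macros are being removed before the OpenSSL headers are pulled in. A reader of the header cannot tell which OpenSSL header behaviour this is meant to suppress or when it becomes safe to drop; add a short comment stating the reason so the workaround is not silently carried forward.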
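Review bot: after the TlsSetVersion hunk in TlsConfig.c, all three cases of `switch (ProtoVersion)` call `SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());`, so the version the caller requested no longer influences the connection at all; `ProtoVersion` is computed and then used only to decide whether to fall into `default`. As the new comment itself says, TLS_method () negotiates the highest mutually supported version, which is the opposite of what a function named TlsSetVersion promises. Keep `ProtoVersion` and pin it with `SSL_set_min_proto_version (TlsConn->Ssl, ProtoVersion)` and `SSL_set_max_proto_version (TlsConn->Ssl, ProtoVersion)` (the per-connection setters, as Jiaxin notes, rather than the SSL_CTX ones). The comment also misspells "negotiated" as "negoriated".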
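Review bot: in the TlsSetSessionId hunk, `SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen)` returns 0 when the id cannot be stored (OpenSSL rejects lengths above its maximum session-id length), but the result is discarded and the function still returns EFI_SUCCESS. The removed CopyMem had no way to signal this; now that the library reports it, check the return value and return an error status instead of continuing with an unset session id.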
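Review bot: in the TlsGetKeyMaterial hunk, the removed CopyMem copied `Session->master_key_length` bytes, whereas `SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE)` always requests SSL3_MASTER_SECRET_SIZE bytes and ignores the returned count. The caller's `KeyMaterial` buffer must therefore be at least that large, and nothing records how many bytes were actually written; document the buffer-size requirement on TlsGetKeyMaterial (or pass the caller's buffer size through) and use the returned length rather than assuming the full size was copied.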
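Review bot: in the TlsInitialize hunk, `OPENSSL_init_ssl (OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)` returns an int (0 on failure) where the removed `SSL_library_init ()` was treated as void; since this is the one place the wrapper learns that library initialization failed, check the result and report the failure rather than continuing to the PRNG initialization below it. The removed `/// OpenSSL_add_all_algorithms();` line also disappears without a note; if algorithm loading is now implicit in OPENSSL_init_ssl, say so in the comment above the call.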
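Review bot: in the TlsNew hunk, `SSL_set_security_level (TlsConn->Ssl, 0);` turns off OpenSSL's security-level checks entirely: at level 0 every cipher suite and key size the library knows is permitted, which the comment `This retains compatibility with previous version of OpenSSL` does not convey. OpenSSL 1.1.0 defaults to level 1 (a minimum of 80 bits of security), so either keep the default and restrict ciphers explicitly, or expand the comment to state that the wrapper is deliberately opting out of these checks and why, so the line is not mistaken for a harmless compatibility shim.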
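The version-range semantics discussed in the thread above (pinning a connection to exactly one version in TlsSetVersion versus setting only a floor in TlsCtxNew), as an added example that is neither the edk2 patch nor OpenSSL's own code: it models how a minimum/maximum protocol-version pair, as configured with SSL_set_min_proto_version / SSL_set_max_proto_version in OpenSSL 1.1.0, bounds what a handshake can negotiate, and contrasts that with the patch as posted, where every case selects TLS_method () and leaves both bounds unset. The TLS1_*_VERSION values are OpenSSL's real constants and the "0 means no bound" rule is OpenSSL's; the VERSION_RANGE type, the negotiation routine and the peer's offered version are assumptions made for the model.

```c
/*
 * Added example (not part of the edk2 patch or of OpenSSL): models how a
 * min/max protocol-version range constrains a TLS handshake. The version
 * constants carry OpenSSL's real values; VERSION_RANGE, NegotiateVersion
 * and the peer's "highest offered version" are assumptions of the model.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Same numeric values as OpenSSL's TLS1_VERSION family. */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303

/* Bounds of the modelled OpenSSL 1.1.0 build (assumption: TLS 1.0 .. 1.2). */
#define LIBRARY_MIN_VERSION TLS1_VERSION
#define LIBRARY_MAX_VERSION TLS1_2_VERSION

/* 0 means "no bound", as it does for OpenSSL's *_proto_version setters. */
typedef struct {
  int Min;
  int Max;
} VERSION_RANGE;

/* Mirrors the version check in TlsSetVersion: accept only known versions. */
static bool
TlsVersionSupported (uint8_t MajorVer, uint8_t MinorVer, int *ProtoVersion)
{
  int Version = (MajorVer << 8) | MinorVer;   /* same encoding as the patch */
  switch (Version) {
  case TLS1_VERSION:
  case TLS1_1_VERSION:
  case TLS1_2_VERSION:
    *ProtoVersion = Version;
    return true;
  default:
    return false;
  }
}

/* TlsSetVersion as proposed in the thread: pin to exactly one version. */
static bool
TlsPinVersion (uint8_t MajorVer, uint8_t MinorVer, VERSION_RANGE *Range)
{
  int Version;
  if (!TlsVersionSupported (MajorVer, MinorVer, &Version)) return false;
  Range->Min = Version;   /* would be SSL_set_min_proto_version (Ssl, Version) */
  Range->Max = Version;   /* would be SSL_set_max_proto_version (Ssl, Version) */
  return true;
}

/* TlsCtxNew as proposed in the thread: floor only, negotiate upward. */
static bool
TlsFloorVersion (uint8_t MajorVer, uint8_t MinorVer, VERSION_RANGE *Range)
{
  int Version;
  if (!TlsVersionSupported (MajorVer, MinorVer, &Version)) return false;
  Range->Min = Version;   /* would be SSL_CTX_set_min_proto_version (Ctx, Version) */
  Range->Max = 0;         /* no ceiling: highest version the library supports */
  return true;
}

/*
 * Simplified negotiation model: the peer offers its highest version; the
 * outcome is that version clamped to our ceiling, or failure (0) if the
 * clamped value falls below our floor.
 */
static int
NegotiateVersion (const VERSION_RANGE *Ours, int PeerMax)
{
  int Floor   = Ours->Min ? Ours->Min : LIBRARY_MIN_VERSION;
  int Ceiling = Ours->Max ? Ours->Max : LIBRARY_MAX_VERSION;
  int Chosen  = PeerMax < Ceiling ? PeerMax : Ceiling;
  return Chosen >= Floor ? Chosen : 0;
}

/* Outcome with a pinned version; -1 if the requested version is unknown. */
static int
PinnedOutcome (uint8_t MajorVer, uint8_t MinorVer, int PeerMax)
{
  VERSION_RANGE Range;
  if (!TlsPinVersion (MajorVer, MinorVer, &Range)) return -1;
  return NegotiateVersion (&Range, PeerMax);
}

/* Outcome with a floor only; -1 if the requested version is unknown. */
static int
FloorOutcome (uint8_t MajorVer, uint8_t MinorVer, int PeerMax)
{
  VERSION_RANGE Range;
  if (!TlsFloorVersion (MajorVer, MinorVer, &Range)) return -1;
  return NegotiateVersion (&Range, PeerMax);
}

/* Outcome of the patch as posted: TLS_method () with both bounds unset. */
static int
UnboundedOutcome (int PeerMax)
{
  VERSION_RANGE Range = { 0, 0 };
  return NegotiateVersion (&Range, PeerMax);
}

int
main (void)
{
  /* Request TLS 1.1 (major 3, minor 2) against peers offering 1.2 and 1.0. */
  printf ("pinned 1.1, peer 1.2 -> 0x%04x\n", PinnedOutcome (3, 2, TLS1_2_VERSION));
  printf ("pinned 1.1, peer 1.0 -> 0x%04x\n", PinnedOutcome (3, 2, TLS1_VERSION));
  printf ("floor  1.1, peer 1.2 -> 0x%04x\n", FloorOutcome (3, 2, TLS1_2_VERSION));
  printf ("floor  1.1, peer 1.0 -> 0x%04x\n", FloorOutcome (3, 2, TLS1_VERSION));
  printf ("unbounded,  peer 1.0 -> 0x%04x\n", UnboundedOutcome (TLS1_VERSION));
  return 0;
}
```

The last line of output is the point of Thomas's comment: with both bounds unset, a caller that asked for TLS 1.1 still ends up talking TLS 1.0 to a peer that offers nothing better, so the requested restriction has no effect.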