From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0717.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe4a::717]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A3DDD80444 for ; Thu, 23 Mar 2017 09:23:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=HPEnterprise.onmicrosoft.com; s=selector1-hpe-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=McFNCnfdbJcTbKoQD495FiDSU+FIHosuhtFwkbArErU=; b=L5uXIj7uDT5BkD39yeqfpbKs4zDkxm6tq4Nz4KoqqCEP35hQneCVdh0QUCrILACJKo6FTMhxpK1B/uMiIMHrWz+ehao2kj00iFh9+/9uoFCYcqr+HTZ4OPVewo8oHy/G9/BF8pSFQimFPj/rEhIWkVuW8K0gkG7ogkCyxe2FrM0= Received: from CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM (10.162.189.30) by CS1PR84MB0152.NAMPRD84.PROD.OUTLOOK.COM (10.162.190.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.977.11; Thu, 23 Mar 2017 16:23:44 +0000 Received: from CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM ([10.162.189.30]) by CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM ([10.162.189.30]) with mapi id 15.01.0977.021; Thu, 23 Mar 2017 16:23:44 +0000 From: "Palmer, Thomas" To: Qin Long , "edk2-devel@lists.01.org" CC: "ting.ye@intel.com" , "jiaxin.wu@intel.com" , "lersek@redhat.com" , "ard.biesheuvel@linaro.org" , "glin@suse.com" , "ronald.cron@arm.com" , "Moso.Lee@citrix.com" Thread-Topic: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes. Thread-Index: AQHSo9hD1r/fbW7gc0ujxHnMIEqZqKGim92g Date: Thu, 23 Mar 2017 16:23:44 +0000 Message-ID: References: <20170323131932.6168-1-qin.long@intel.com> <20170323131932.6168-12-qin.long@intel.com> In-Reply-To: <20170323131932.6168-12-qin.long@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=hpe.com; x-originating-ip: [15.203.227.4] x-microsoft-exchange-diagnostics: 1; CS1PR84MB0152; 7:CptIbGbrVr8ZLFgUzHDGfV28pyqKHgTx93hWzXMjQ/4cIxfu1zl9sQgXjzDVOst7NgcEOWTqmrmvsiJMC1xs6aNXUYFsgffoA2nXpCoHx4Tkn8w1p6IzF+DhXDupCEK8aaqZwMoIF0wqT3Pi30eLhyyHvcueVNc89BFf0Yua2F8WWz7iEGyzEbkkWzg5zKBaNoprfq/I/YwJObTJSHOh2GQpL2WQQM5ib0wbq3EhwSZX+kTqIAkQ4LEJ+alfiTDHQxlAoD/S7pCOt0X4iao8qUXoofxXUOgLNS9nHZ4RjeAsAtg6bL6ISgJrsNnutg3TAfZcy3HnXBR5lM29yva/DA== x-ms-office365-filtering-correlation-id: a6b4a6d4-99b0-421f-5d54-08d47208f9da x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081); SRVR:CS1PR84MB0152; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(227479698468861)(158342451672863)(180628864354917)(162533806227266)(70601490899591)(228905959029699); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123558025)(20161123562025)(20161123560025)(20161123564025)(6072148); SRVR:CS1PR84MB0152; BCL:0; PCL:0; RULEID:; SRVR:CS1PR84MB0152; x-forefront-prvs: 0255DF69B9 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(39840400002)(39410400002)(39450400003)(39850400002)(13464003)(377454003)(229853002)(86362001)(7736002)(2501003)(77096006)(2900100001)(81166006)(3660700001)(6246003)(8676002)(5660300001)(3280700002)(2950100002)(38730400002)(305945005)(33656002)(8936002)(6506006)(53546009)(7696004)(74316002)(2906002)(9686003)(122556002)(6436002)(54356999)(189998001)(50986999)(102836003)(76176999)(3846002)(6116002)(8666007)(15650500001)(4326008)(53936002)(55016002)(25786009)(66066001)(54906002); DIR:OUT; SFP:1102; SCL:1; SRVR:CS1PR84MB0152; H:CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM; FPR:; SPF:None; MLV:sfv; LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM MIME-Version: 1.0 X-OriginatorOrg: hpe.com X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2017 16:23:44.2674 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR84MB0152 Subject: Re: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Mar 2017 16:23:45 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable This looks fine. I will do additional testing once I pull this into my tre= e. Thanks Qin/Jiaxin! Regards, Thomas Palmer "I have only made this letter longer because I have not had the time to mak= e it shorter" - Blaise Pascal -----Original Message----- From: Qin Long [mailto:qin.long@intel.com]=20 Sent: Thursday, March 23, 2017 8:20 AM To: edk2-devel@lists.01.org Cc: ting.ye@intel.com; jiaxin.wu@intel.com; lersek@redhat.com; ard.biesheuv= el@linaro.org; glin@suse.com; ronald.cron@arm.com; Moso.Lee@citrix.com; Pal= mer, Thomas Subject: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align wit= h OpenSSL changes. This patch update the wrapper implementation in TlsLib to align with the la= test OpenSSL-1.1.0xx API changes. Cc: Ting Ye Cc: Palmer Thomas Cc: Jiaxin Wu Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Gary Lin Cc: Ronald Cron Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long --- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++- CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++----- CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++------------------= ---- 3 files changed, 31 insertions(+), 46 deletions(-) diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/= TlsLib/InternalTlsLib.h index e75146648d..97727361e8 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -1,7 +1,7 @@ /** @file Internal include file for TlsLib. =20 -Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -15,6 +15,= 9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR I= MPLIED. #ifndef __INTERNAL_TLS_LIB_H__ #define __INTERNAL_TLS_LIB_H__ =20 +#undef _WIN32 +#undef _WIN64 + #include #include #include diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index f103da4321..43e275d400 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -128,24 +128,30 @@ TlsSetVersion ( =20 ProtoVersion =3D (MajorVer << 8) | MinorVer; =20 + // + // Bound TLS method to the particular specified version. + // switch (ProtoVersion) { case TLS1_VERSION: // // TLS 1.0 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION); break; case TLS1_1_VERSION: // // TLS 1.1 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION); break; case TLS1_2_VERSION: // // TLS 1.2 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION); break; default: // @@ -384,8 +390,7 @@ TlsSetSessionId ( return EFI_UNSUPPORTED; } =20 - Session->session_id_length =3D SessionIdLen; - CopyMem (Session->session_id, SessionId, Session->session_id_length); + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,=20 + SessionIdLen); =20 return EFI_SUCCESS; } @@ -847,7 +852,7 @@ TlsGetClientRandom ( return; } =20 - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE= ); + SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE); } =20 /** @@ -876,7 +881,7 @@ TlsGetServerRandom ( return; } =20 - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE= ); + SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE); } =20 /** @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( return EFI_UNSUPPORTED; } =20 - CopyMem (KeyMaterial, Session->master_key, Session->master_key_length); + SSL_SESSION_get_master_key (Session, KeyMaterial,=20 + SSL3_MASTER_SECRET_SIZE); =20 return EFI_SUCCESS; } diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/= TlsInit.c index 6b1fd93ea9..f32148ac9a 100644 --- a/CryptoPkg/Library/TlsLib/TlsInit.c +++ b/CryptoPkg/Library/TlsLib/TlsInit.c @@ -1,7 +1,7 @@ /** @file SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. =20 -Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This pro= gram and the accompanying materials are licensed and made available under = the terms and conditions of the BSD License @@ -33,14 +33,10 @@ TlsInitiali= ze ( // Performs initialization of crypto and ssl library, and loads required // algorithms. // - SSL_library_init (); - - // - // Loads error strings from both crypto and ssl library. - // - SSL_load_error_strings (); - - /// OpenSSL_add_all_algorithms(); + OPENSSL_init_ssl ( + OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, + NULL + ); =20 // // Initialize the pseudorandom number generator. @@ -103,34 +99,10 @@ TlsCtxNew ( SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3); =20 // - // Treat as minimum accepted versions. Client can use higher - // TLS version if server supports it - // - switch (ProtoVersion) { - case TLS1_VERSION: - // - // TLS 1.0 - // - break; - case TLS1_1_VERSION: - // - // TLS 1.1 - // - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); - break; - case TLS1_2_VERSION: - // - // TLS 1.2 - // - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1); - break; - default: - // - // Unsupported TLS/SSL Protocol Version. - // - break; - } + // Treat as minimum accepted versions by setting the minimal bound. + // Client can use higher TLS version if server supports it // =20 + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion); =20 return (VOID *) TlsCtx; } @@ -220,6 +192,11 @@ TlsNew ( } =20 // + // This retains compatibility with previous version of OpenSSL. + // + SSL_set_security_level (TlsConn->Ssl, 0); + + // // Initialize the created SSL Object // SSL_set_info_callback (TlsConn->Ssl, NULL); -- 2.11.1.windows.1