From: "Palmer, Thomas"
To: Qin Long, "edk2-devel@lists.01.org"
CC: "ard.biesheuvel@linaro.org", "ting.ye@intel.com", "ronald.cron@arm.com", "jiaxin.wu@intel.com", "glin@suse.com", "lersek@redhat.com"
Date: Tue, 21 Mar 2017 17:42:31 +0000
In-Reply-To: <20170321155612.1192-10-qin.long@intel.com>
Subject: Re: [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.

Qin,

Please update TlsSetVersion to use SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version in the switch statement. We do not want auto-negotiate but only to restrict to a particular version.

Also, let's update TlsCtxNew to use only SSL_CTX_set_min_proto_version. TlsCtxNew will auto-negotiate, but the version provided will put in a lower floor to what is allowed.

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Qin Long
Sent: Tuesday, March 21, 2017 10:56 AM
To: edk2-devel@lists.01.org
Cc: ard.biesheuvel@linaro.org; ting.ye@intel.com; ronald.cron@arm.com; jiaxin.wu@intel.com; glin@suse.com; lersek@redhat.com
Subject: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.

This patch updates the wrapper implementation in TlsLib to align with the latest OpenSSL-1.1.0xx API changes.

Cc: Jiaxin Wu
Cc: Ting Ye
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Gary Lin
Cc: Ronald Cron
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
--- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 6 +++++- CryptoPkg/Library/TlsLib/TlsConfig.c | 21 +++++++++++++-------- CryptoPkg/Library/TlsLib/TlsInit.c | 19 ++++++++++--------- 3 files changed, 28 insertions(+), 18 deletions(-) diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/= TlsLib/InternalTlsLib.h index e75146648d..f3a662afea 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -1,7 +1,7 @@ /** @file Internal include file for TlsLib. =20 -Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -15,6 +15,= 10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR = IMPLIED. #ifndef __INTERNAL_TLS_LIB_H__ #define __INTERNAL_TLS_LIB_H__ =20 +#undef _WIN32 +#undef _WIN64 +#undef _MSC_VER + #include #include #include diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index f103da4321..3586be3945 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -128,24 +128,30 @@ TlsSetVersion ( =20 ProtoVersion =3D (MajorVer << 8) | MinorVer; =20 + // + // Using the general-purpose version-flexible SSL/TLS methods here. + // The actual protocol version used in OpenSSL-1.1.xx will be=20 + negoriated // to the highest version mutually supported by the client an= d server. + // Old TLSv1_x_method() was marked as deprecated. + // switch (ProtoVersion) { case TLS1_VERSION: // // TLS 1.0 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); break; case TLS1_1_VERSION: // // TLS 1.1 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); break; case TLS1_2_VERSION: // // TLS 1.2 // - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); + SSL_set_ssl_method (TlsConn->Ssl, TLS_method ()); break; default: // @@ -384,8 +390,7 @@ TlsSetSessionId ( return EFI_UNSUPPORTED; } =20 - Session->session_id_length =3D SessionIdLen; - CopyMem (Session->session_id, SessionId, Session->session_id_length); + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,=20 + SessionIdLen); =20 return EFI_SUCCESS; } 
@@ -847,7 +852,7 @@ TlsGetClientRandom ( return; } =20 - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE= ); + SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE); } =20 /** @@ -876,7 +881,7 @@ TlsGetServerRandom ( return; } =20 - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE= ); + SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE); } =20 /** @@ -916,7 +921,7 @@ TlsGetKeyMaterial ( return EFI_UNSUPPORTED; } =20 - CopyMem (KeyMaterial, Session->master_key, Session->master_key_length); + SSL_SESSION_get_master_key (Session, KeyMaterial,=20 + SSL3_MASTER_SECRET_SIZE); =20 return EFI_SUCCESS; } diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/= TlsInit.c index 6b1fd93ea9..d7b8899ac2 100644 --- a/CryptoPkg/Library/TlsLib/TlsInit.c +++ b/CryptoPkg/Library/TlsLib/TlsInit.c @@ -1,7 +1,7 @@ /** @file SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. =20 -Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This pro= gram and the accompanying materials are licensed and made available under = the terms and conditions of the BSD License @@ -33,14 +33,10 @@ TlsInitiali= ze ( // Performs initialization of crypto and ssl library, and loads required // algorithms. // - SSL_library_init (); - - // - // Loads error strings from both crypto and ssl library. - // - SSL_load_error_strings (); - - /// OpenSSL_add_all_algorithms(); + OPENSSL_init_ssl ( + OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, + NULL + ); =20 // // Initialize the pseudorandom number generator. @@ -220,6 +216,11 @@ TlsNew ( } =20 // + // This retains compatibility with previous version of OpenSSL. + // + SSL_set_security_level (TlsConn->Ssl, 0); + + // // Initialize the created SSL Object // SSL_set_info_callback (TlsConn->Ssl, NULL); -- 2.11.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
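
Review bot: in InternalTlsLib.h, the new `#undef _WIN32`, `#undef _WIN64` and `#undef _MSC_VER` lines ahead of the includes carry no comment saying why they are needed. Please add a short comment naming which header misbehaves with these macros defined, so a later cleanup does not drop them or move them below the includes.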
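
Review bot: in TlsSetVersion (TlsConfig.c), all three case arms now make the identical call `SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());`, so the MajorVer/MinorVer the caller passed no longer restricts anything and the connection negotiates whatever both sides support. To keep the function's contract, set both bounds from ProtoVersion, for example `SSL_set_min_proto_version (TlsConn->Ssl, ProtoVersion);` and `SSL_set_max_proto_version (TlsConn->Ssl, ProtoVersion);`, which also lets the three arms collapse into one. The new comment also has a typo, "negoriated".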
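
Review bot: in TlsSetSessionId (TlsConfig.c), the return value of `SSL_SESSION_set1_id` is dropped and the function goes on to `return EFI_SUCCESS;` unconditionally. The call returns 0 when SessionIdLen exceeds SSL_MAX_SSL_SESSION_ID_LENGTH, so check the result and return an error status in that case rather than reporting success with the session ID unchanged.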
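
Review bot: in TlsGetKeyMaterial (TlsConfig.c), the copy length changes from `Session->master_key_length` to the constant SSL3_MASTER_SECRET_SIZE, and the byte count returned by `SSL_SESSION_get_master_key` is ignored. Please state in the function header that KeyMaterial must hold at least SSL3_MASTER_SECRET_SIZE bytes, and check the returned count so that a short or empty master key is reported instead of EFI_SUCCESS.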
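
Review bot: in TlsInitialize (TlsInit.c), `OPENSSL_init_ssl` returns 0 on failure and that result is discarded. Check it and propagate the failure to the caller before the code continues to the pseudorandom number generator setup, since the old `SSL_library_init ()` path it replaces gave no such signal and this one does.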
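
Review bot: in TlsNew (TlsInit.c), `SSL_set_security_level (TlsConn->Ssl, 0);` turns off every security-level check for each new connection, which is weaker than the OpenSSL 1.1.0 default of level 1. The comment only says it retains compatibility with the previous version; please name what breaks at the default level (which key size, cipher or certificate), and consider leaving the default in place or making the level a build-time or caller-set option instead of hard-coding 0.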