From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <thomas.palmer@hpe.com>
Received: from NAM01-SN1-obe.outbound.protection.outlook.com
 (mail-sn1nam01on071a.outbound.protection.outlook.com
 [IPv6:2a01:111:f400:fe40::71a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id B4601803FD
 for <edk2-devel@lists.01.org>; Tue, 21 Mar 2017 10:42:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=HPEnterprise.onmicrosoft.com; s=selector1-hpe-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=/nurucFX57EHcwuB6hxMQ3kvo1yaHH7WfsB9IQFVYxA=;
 b=akHVR76LHGCSIlPfLbqDiRsNC/bx8QoIrihsL7yol+Y7S1vbIvoQRwVjklu8naryC9siPg1KPG17ChE7LeTV2CVX/wPPuUAy1C4WsMuK3ilPuPsb/to68iM0f1Ugge0PvyHJ/7Q+Bw7JHJroKKuxQp4vkmvGRwEYupNkrob9n5Y=
Received: from CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM (10.162.189.30) by
 CS1PR84MB0150.NAMPRD84.PROD.OUTLOOK.COM (10.162.189.29) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.11; Tue, 21 Mar 2017 17:42:32 +0000
Received: from CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM ([10.162.189.30]) by
 CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM ([10.162.189.30]) with mapi id
 15.01.0977.020; Tue, 21 Mar 2017 17:42:32 +0000
From: "Palmer, Thomas" <thomas.palmer@hpe.com>
To: Qin Long <qin.long@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "ard.biesheuvel@linaro.org" <ard.biesheuvel@linaro.org>,
 "ting.ye@intel.com" <ting.ye@intel.com>, "ronald.cron@arm.com"
 <ronald.cron@arm.com>, "jiaxin.wu@intel.com" <jiaxin.wu@intel.com>,
 "glin@suse.com" <glin@suse.com>, "lersek@redhat.com" <lersek@redhat.com>
Thread-Topic: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper
 Library to align with OpenSSL changes.
Thread-Index: AQHSolwKqljpSkDF9UmJZVa5SYOWxaGfjl0w
Date: Tue, 21 Mar 2017 17:42:31 +0000
Message-ID: <CS1PR84MB0151B8DE37ECA70DFFDF9D2FED3D0@CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM>
References: <20170321155612.1192-1-qin.long@intel.com>
 <20170321155612.1192-10-qin.long@intel.com>
In-Reply-To: <20170321155612.1192-10-qin.long@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=hpe.com;
x-originating-ip: [15.203.227.4]
x-microsoft-exchange-diagnostics: 1; CS1PR84MB0150;
 7:LLzICeFrbiAC22KKq0OSPdSBCz/Izvhn8QmgtXNr+mDJ3sVApailf59juMWlQu42DOm9xpdozhybtVyOqdUGKsuEVwVsYsiZQiNAOQJqY56dC4U7AZmFiJNYGXpF2+EsX7Wj+vDnYLY7Xi6ElOppYJQVq4EKxZ9XXaAP0rJe/+IHl8EqclgJ43R++03O+0FQ5j8KxlaFnp1OLuWZDDS2yGtVHpv8WxqzKm0ANJCCc3R1vdl/wKXpZ7e0N4NxhxEl5xRbCy5prI/1tE6DcxORflRsxJn7z25RolXGRdIeLe9AOl+ujiKGVsSlLnelJxPQ8XZYNKaRjI496p//3JYC2A==
x-ms-office365-filtering-correlation-id: 50238fe7-9979-41b0-87a0-08d47081a6f2
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0;
 RULEID:(22001)(2017030254075)(48565401081); SRVR:CS1PR84MB0150; 
x-microsoft-antispam-prvs: <CS1PR84MB01502C6B99E0D7E0E7D49429ED3D0@CS1PR84MB0150.NAMPRD84.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(162533806227266)(228905959029699); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
 RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123558025)(20161123560025)(20161123562025)(20161123564025)(6072148);
 SRVR:CS1PR84MB0150; BCL:0; PCL:0; RULEID:; SRVR:CS1PR84MB0150; 
x-forefront-prvs: 02530BD3AA
x-forefront-antispam-report: SFV:NSPM;
 SFS:(10019020)(979002)(6009001)(39840400002)(39860400002)(39450400003)(39410400002)(39850400002)(13464003)(377454003)(6436002)(54356999)(81166006)(76176999)(50986999)(86362001)(4326008)(229853002)(53936002)(6246003)(6506006)(33656002)(77096006)(53546009)(3280700002)(7696004)(189998001)(66066001)(38730400002)(8676002)(3660700001)(5660300001)(15650500001)(305945005)(2900100001)(7736002)(2906002)(55016002)(6306002)(74316002)(3846002)(9686003)(2950100002)(6116002)(102836003)(54906002)(2501003)(8936002)(122556002)(25786009)(969003)(989001)(999001)(1009001)(1019001);
 DIR:OUT; SFP:1102; SCL:1; SRVR:CS1PR84MB0150;
 H:CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM; FPR:; SPF:None; MLV:ovrnspm;
 PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: hpe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2017 17:42:31.8185 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR84MB0150
Subject: Re: [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 17:42:34 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Qin,

Please update TlsSetVersion to use SSL_CTX_set_min_proto_version and SSL_CT=
X_set_max_proto_version  in the switch statement.  We do not want auto-nego=
titate but only to restrict to a particular version.

Also, lets update TlsCtxNew to use only SSL_CTX_set_min_proto_version.  Tls=
CtxNew will auto-negotiate, but the version provided will put in a lower fl=
oor to what is allowed.

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to mak=
e it shorter" - Blaise Pascal


-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Qin =
Long
Sent: Tuesday, March 21, 2017 10:56 AM
To: edk2-devel@lists.01.org
Cc: ard.biesheuvel@linaro.org; ting.ye@intel.com; ronald.cron@arm.com; jiax=
in.wu@intel.com; glin@suse.com; lersek@redhat.com
Subject: [edk2] [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library=
 to align with OpenSSL changes.

This patch update the wrapper implementation in TlsLib to align with the la=
test OpenSSL-1.1.0xx API changes.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |  6 +++++-
 CryptoPkg/Library/TlsLib/TlsConfig.c      | 21 +++++++++++++--------
 CryptoPkg/Library/TlsLib/TlsInit.c        | 19 ++++++++++---------
 3 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/=
TlsLib/InternalTlsLib.h
index e75146648d..f3a662afea 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -1,7 +1,7 @@
 /** @file
   Internal include file for TlsLib.
=20
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials  are licensed and made availab=
le under the terms and conditions of the BSD License  which accompanies thi=
s distribution.  The full text of the license may be found at @@ -15,6 +15,=
10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR =
IMPLIED.
 #ifndef __INTERNAL_TLS_LIB_H__
 #define __INTERNAL_TLS_LIB_H__
=20
+#undef _WIN32
+#undef _WIN64
+#undef _MSC_VER
+
 #include <Library/BaseCryptLib.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi=
b/TlsConfig.c
index f103da4321..3586be3945 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -128,24 +128,30 @@ TlsSetVersion (
=20
   ProtoVersion =3D (MajorVer << 8) | MinorVer;
=20
+  //
+  // Using the general-purpose version-flexible SSL/TLS methods here.
+  // The actual protocol version used in OpenSSL-1.1.xx will be=20
+ negoriated  // to the highest version mutually supported by the client an=
d server.
+  // Old TLSv1_x_method() was marked as deprecated.
+  //
   switch (ProtoVersion) {
   case TLS1_VERSION:
     //
     // TLS 1.0
     //
-    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
+    SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());
     break;
   case TLS1_1_VERSION:
     //
     // TLS 1.1
     //
-    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
+    SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());
     break;
   case TLS1_2_VERSION:
     //
     // TLS 1.2
     //
-    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
+    SSL_set_ssl_method (TlsConn->Ssl, TLS_method ());
     break;
   default:
     //
@@ -384,8 +390,7 @@ TlsSetSessionId (
     return EFI_UNSUPPORTED;
   }
=20
-  Session->session_id_length =3D SessionIdLen;
-  CopyMem (Session->session_id, SessionId, Session->session_id_length);
+  SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,=20
+ SessionIdLen);
=20
   return EFI_SUCCESS;
 }
@@ -847,7 +852,7 @@ TlsGetClientRandom (
     return;
   }
=20
-  CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE=
);
+  SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
 }
=20
 /**
@@ -876,7 +881,7 @@ TlsGetServerRandom (
     return;
   }
=20
-  CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE=
);
+  SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
 }
=20
 /**
@@ -916,7 +921,7 @@ TlsGetKeyMaterial (
     return EFI_UNSUPPORTED;
   }
=20
-  CopyMem (KeyMaterial, Session->master_key, Session->master_key_length);
+  SSL_SESSION_get_master_key (Session, KeyMaterial,=20
+ SSL3_MASTER_SECRET_SIZE);
=20
   return EFI_SUCCESS;
 }
diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/=
TlsInit.c
index 6b1fd93ea9..d7b8899ac2 100644
--- a/CryptoPkg/Library/TlsLib/TlsInit.c
+++ b/CryptoPkg/Library/TlsLib/TlsInit.c
@@ -1,7 +1,7 @@
 /** @file
   SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
=20
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>  This pro=
gram and the accompanying materials  are licensed and made available under =
the terms and conditions of the BSD License @@ -33,14 +33,10 @@ TlsInitiali=
ze (
   // Performs initialization of crypto and ssl library, and loads required
   // algorithms.
   //
-  SSL_library_init ();
-
-  //
-  // Loads error strings from both crypto and ssl library.
-  //
-  SSL_load_error_strings ();
-
-  /// OpenSSL_add_all_algorithms();
+  OPENSSL_init_ssl (
+    OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
+    NULL
+    );
=20
   //
   // Initialize the pseudorandom number generator.
@@ -220,6 +216,11 @@ TlsNew (
   }
=20
   //
+  // This retains compatibility with previous version of OpenSSL.
+  //
+  SSL_set_security_level (TlsConn->Ssl, 0);
+
+  //
   // Initialize the created SSL Object
   //
   SSL_set_info_callback (TlsConn->Ssl, NULL);
--
2.11.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel