From: "Li, Yi"
To: Gerd Hoffmann, devel@edk2.groups.io
CC: Pawel Polawski, László Érsek, "Jiang, Guomin", "Yao, Jiewen", Oliver Steffen, "Lu, Xiaoyu1"
Subject: Re: [edk2-devel] [PATCH v2 1/1] CryptoPkg/TlsLib: fix tls cipher configuration
Date: Sat, 7 Oct 2023 14:32:22 +0000
In-Reply-To: <20231004092003.3809321-1-kraxel@redhat.com>
Sorry for the delayed response due to the PRC holiday.

This is a pretty good solution. I also ran some basic HTTPSBOOT and EAP-TLS test cases, and all passed.

Reviewed-by: Yi Li

-----Original Message-----
From: Gerd Hoffmann
Sent: Wednesday, October 4, 2023 5:20 PM
To: devel@edk2.groups.io
Cc: Li, Yi1; Pawel Polawski; László Érsek; Jiang, Guomin; Yao, Jiewen; Oliver Steffen; Lu, Xiaoyu1; Gerd Hoffmann
Subject: [PATCH v2 1/1] CryptoPkg/TlsLib: fix tls cipher configuration

Trying to configure the TLS ciphers can lead to TLS handshake failures because TlsCipherMappingTable is not in line with the ciphers actually supported by OpensslLib.

Fix that by removing TlsCipherMappingTable altogether. Use SSL_get_ciphers() instead to get the stack of ciphers supported by openssl. Name and ID of the ciphers can be queried using the SSL_CIPHER_get_name() and SSL_CIPHER_get_protocol_id() functions, which allows us to map IDs to names without a hard-coded table.

Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2541

Signed-off-by: Gerd Hoffmann
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 164 ++++++--------------------
 1 file changed, 36 insertions(+), 128 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index f9333165a913..29d24abdca0f 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -9,65 +9,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #include "InternalTlsLib.h" =20 -typedef struct { - // - // IANA/IETF defined Cipher Suite ID - // - UINT16 IanaCipher; - // - // OpenSSL-used Cipher Suite String - // - CONST CHAR8 *OpensslCipher; - // - // Length of OpensslCipher - // - UINTN OpensslCipherLength; -} TLS_CIPHER_MAPPING; - -// -// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCiph= er so -// that OpensslCipherLength is filled in automatically. IanaCipher m= ust be an -// integer constant expression, and OpensslCipher must be a stri= ng literal. -// -#define MAP(IanaCipher, OpensslCipher) \ - { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 } - -// -// The mapping table between IANA/IETF Cipher Suite definitions and -// Op= enSSL-used Cipher Suite name. -// -// Keep the table uniquely sorted by the IanaCipher field, in increasing o= rder. -// -STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { - MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_= MD5 - MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_= SHA - MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_1= 28_MD5 - MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_1= 28_SHA - MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_= EDE_CBC_SHA, mandatory TLS 1.1 - MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3= DES_EDE_CBC_SHA - MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA, mandatory TLS 1.2 - MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA - MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA - MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA - MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA - MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA - MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA - MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA - MAP (0x003B, 
"NULL-SHA256"), /// TLS_RSA_WITH_NULL_= SHA256 - MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA256 - MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA256 - MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA256 - MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA256 - MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA256 - MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA256 - MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA256 - MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA256 - MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_A= ES_256_GCM_SHA384 - MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_GCM_SHA256 - MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_GCM_SHA384 - MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH= _AES_256_GCM_SHA384 -}; - typedef struct { // // TLS Algorithm 
@@ -96,54 +37,6 @@ STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = =3D { { TlsSignatureAlgoEcdsa, "ECDSA" }, }; =20 -/** - Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher s= uite. - - @param[in] CipherId The supplied IANA TLS cipher suite ID. - - @return The corresponding OpenSSL cipher suite mapping if found, - NULL otherwise. - -**/ -STATIC -CONST TLS_CIPHER_MAPPING * -TlsGetCipherMapping ( - IN UINT16 CipherId - ) -{ - INTN Left; - INTN Right; - INTN Middle; - - // - // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translatio= n - // - Left =3D 0; - Right =3D ARRAY_SIZE (TlsCipherMappingTable) - 1; - - while (Right >=3D Left) { - Middle =3D (Left + Right) / 2; - - if (CipherId =3D=3D TlsCipherMappingTable[Middle].IanaCipher) { - // - // Translate IANA cipher suite ID to OpenSSL name. - // - return &TlsCipherMappingTable[Middle]; - } - - if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) { - Right =3D Middle - 1; - } else { - Left =3D Middle + 1; - } - } - - // - // No Cipher Mapping found, return NULL. - // - return NULL; -} - /** Set a new TLS/SSL method for a particular TLS object. =20 
@@ -281,16 +174,21 @@ TlsSetCipherList ( IN UINTN CipherNum ) { - TLS_CONNECTION *TlsConn; - EFI_STATUS Status; - CONST TLS_CIPHER_MAPPING **MappedCipher; - UINTN MappedCipherBytes; - UINTN MappedCipherCount; - UINTN CipherStringSize; - UINTN Index; - CONST TLS_CIPHER_MAPPING *Mapping; - CHAR8 *CipherString; - CHAR8 *CipherStringPosition; + TLS_CONNECTION *TlsConn; + EFI_STATUS Status; + CONST SSL_CIPHER **MappedCipher; + UINTN MappedCipherBytes; + UINTN MappedCipherCount; + UINTN CipherStringSize; + UINTN Index; + INT32 StackIdx; + CHAR8 *CipherString; + CHAR8 *CipherStringPosition; + + STACK_OF (SSL_CIPHER) *OpensslCipherStack; + CONST SSL_CIPHER *OpensslCipher; + CONST CHAR8 *OpensslCipherName; + UINTN OpensslCipherNameLength; =20 TlsConn =3D (TLS_CONNECTION *)Tls; if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL) || (CipherId =3D= =3D NULL)) { @@ -315,18 +213,26 @@ TlsSetCipherList ( return EFI_OUT_OF_RESOURCES; } =20 + OpensslCipherStack =3D SSL_get_ciphers (TlsConn->Ssl); + // // Map the cipher IDs, and count the number of bytes for the full // CipherString. // MappedCipherCount =3D 0; CipherStringSize =3D 0; - for (Index =3D 0; Index < CipherNum; Index++) { + for (Index =3D 0; OpensslCipherStack !=3D NULL && Index < CipherNum;=20 + Index++) { // // Look up the IANA-to-OpenSSL mapping. // - Mapping =3D TlsGetCipherMapping (CipherId[Index]); - if (Mapping =3D=3D NULL) { + for (StackIdx =3D 0; StackIdx < sk_SSL_CIPHER_num (OpensslCipherStack)= ; StackIdx++) { + OpensslCipher =3D sk_SSL_CIPHER_value (OpensslCipherStack, StackIdx)= ; + if (CipherId[Index] =3D=3D SSL_CIPHER_get_protocol_id (OpensslCipher= )) { + break; + } + } + + if (StackIdx =3D=3D sk_SSL_CIPHER_num (OpensslCipherStack)) { DEBUG (( DEBUG_VERBOSE, "%a:%a: skipping CipherId=3D0x%04x\n", 
@@ -343,7 +249,7 @@ TlsSetC= ipherList ( } =20 // - // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If t= his + // Accumulate cipher name string length into CipherStringSize. If=20 + this // is not the first successful mapping, account for a colon (":") pref= ix // too. // @@ -357,7 +263,7 @@ TlsSetCipherList ( =20 Status =3D SafeUintnAdd ( CipherStringSize, - Mapping->OpensslCipherLength, + AsciiStrLen (SSL_CIPHER_get_name (OpensslCipher)), &CipherStringSize ); if (EFI_ERROR (Status)) { @@ -368,7 +274,7 @@ TlsSetCipherList ( // // Record the mapping. // - MappedCipher[MappedCipherCount++] =3D Mapping; + MappedCipher[MappedCipherCount++] =3D OpensslCipher; } =20 // @@ -403,10 +309,12 @@ TlsSetCipherList ( // CipherStringPosition =3D CipherString; for (Index =3D 0; Index < MappedCipherCount; Index++) { - Mapping =3D MappedCipher[Index]; + OpensslCipher =3D MappedCipher[Index]; + OpensslCipherName =3D SSL_CIPHER_get_name (OpensslCipher); + OpensslCipherNameLength =3D AsciiStrLen (OpensslCipherName); // // Append the colon (":") prefix except for the first mapping, then ap= pend - // Mapping->OpensslCipher. + // OpensslCipherName. // if (Index > 0) { *(CipherStringPosition++) =3D ':'; @@ -414,10 +322,10 @@ TlsSetCipherList ( =20 CopyMem ( CipherStringPosition, - Mapping->OpensslCipher, - Mapping->OpensslCipherLength + OpensslCipherName, + OpensslCipherNameLength ); - CipherStringPosition +=3D Mapping->OpensslCipherLength; + CipherStringPosition +=3D OpensslCipherNameLength; } =20 // -- 2.41.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#109386): https://edk2.groups.io/g/devel/message/109386 Mute This Topic: https://groups.io/mt/101751673/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
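Review bot: in the hunk at @@ -9,65 +9,6 @@, deleting TlsCipherMappingTable also deletes the only record of which IANA IDs this library accepted, including the "mandatory TLS 1.1" / "mandatory TLS 1.2" annotations on 0x000A and 0x002F; after this change the accepted set is whatever the OpensslLib build puts into the SSL object's cipher stack, which shifts with every OpenSSL update and with any cipher list already configured on that object. Please say so in the commit message and in the TlsSetCipherList() header comment, so callers know that an ID accepted today may be skipped (with only a DEBUG_VERBOSE message) after an OpenSSL upgrade.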
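Review bot: in the hunk at @@ -315,18 +213,26 @@, a NULL result from SSL_get_ciphers() is handled only by the `OpensslCipherStack != NULL` term in the outer for-condition, so every requested ID is dropped without even the DEBUG_VERBOSE "skipping CipherId" message, and the caller cannot tell "no cipher stack" apart from "none of the requested IDs matched". Suggest testing the stack once, before the allocation whose failure returns EFI_OUT_OF_RESOURCES just above (so an early return does not leak MappedCipher), e.g. `if (OpensslCipherStack == NULL) { DEBUG ((DEBUG_ERROR, "%a:%a: SSL_get_ciphers() returned NULL\n", ...)); return <the error this function already uses for an empty mapping>; }`; that also keeps the per-iteration NULL test out of the loop header. Related: SSL_get_ciphers() returns the list currently configured on TlsConn->Ssl, not everything compiled into OpensslLib, so a second TlsSetCipherList() call on the same object can only narrow the first; a one-line comment next to the SSL_get_ciphers() call would save the next reader from rediscovering that.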
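Review bot: in the hunk at @@ -403,10 +309,12 @@, the names copied into CipherString are whatever SSL_CIPHER_get_name() returns for any entry of the SSL_get_ciphers() stack, and on OpenSSL 1.1.1 and later that stack also contains the TLS 1.3 ciphersuites (IANA 0x1301..0x1305, names such as TLS_AES_128_GCM_SHA256). SSL_set_cipher_list() does not parse those names (TLS 1.3 suites are configured through SSL_set_ciphersuites()), so a requested 0x13xx ID is matched and counted by the new loop but contributes nothing if CipherString is later handed to SSL_set_cipher_list(). Either skip such IDs in the matching loop, e.g. `if ((CipherId[Index] & 0xFF00) == 0x1300) { continue; }` with a DEBUG message, or collect them into a separate ciphersuites string; at minimum, document the limitation in the function header.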
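Worked example, added here and not edk2 or OpenSSL code, of the mapping the patch describes: ask the library for its cipher stack, match each requested IANA ID by protocol id, and join the OpenSSL names into a colon-separated string, skipping IDs the library does not know. It uses Python's ssl module as the OpenSSL binding: SSLContext.get_ciphers() wraps SSL_get_ciphers() and reports SSL_CIPHER_get_id() (0x0300 followed by the 16-bit IANA value) as "id" and SSL_CIPHER_get_name() as "name". SAMPLE_STACK is a constructed stand-in for that output; fresh_context(), build_cipher_string(), apply_cipher_ids() and tls12_names() are names chosen for this example. It goes slightly beyond the patch in two ways: TLS 1.3 ciphersuites are kept apart because set_ciphers() (SSL_CTX_set_cipher_list) does not accept their names, and apply_cipher_ids() shows that a second call can only narrow the first because get_ciphers() reports the context's current list.

```python
import ssl

# Constructed sample shaped like ssl.SSLContext.get_ciphers() output, so the
# mapping can be exercised without depending on the local OpenSSL build.
SAMPLE_STACK = [
    {"id": 0x03001301, "name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3"},
    {"id": 0x0300C02B, "name": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"id": 0x0300C030, "name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"id": 0x0300002F, "name": "AES128-SHA", "protocol": "SSLv3"},
]


def fresh_context():
    """A client context widened to every cipher this OpenSSL build offers, so
    get_ciphers() reflects the library rather than Python's default list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def build_cipher_string(requested_ids, stack):
    """Mirror of the patch's loop: for each IANA ID, find the stack entry whose
    protocol id matches, collect its OpenSSL name, and skip IDs the library does
    not know.  TLS 1.3 suites are kept apart because SSL_set_cipher_list() does
    not parse their names.

    Returns (tls12_cipher_string, tls13_names, skipped_ids)."""
    by_iana = {}
    for entry in stack:
        # SSL_CIPHER_get_id() is 0x0300xxxx; the low 16 bits are the IANA value
        # that SSL_CIPHER_get_protocol_id() returns.
        by_iana.setdefault(entry["id"] & 0xFFFF, entry)

    tls12, tls13, skipped = [], [], []
    for cid in requested_ids:
        entry = by_iana.get(cid)
        if entry is None:
            skipped.append(cid)  # the patch's "skipping CipherId" case
        elif entry["protocol"] == "TLSv1.3":
            tls13.append(entry["name"])
        else:
            tls12.append(entry["name"])
    return ":".join(tls12), tls13, skipped


def apply_cipher_ids(ctx, requested_ids):
    """Resolve IDs against ctx's *current* stack and apply the TLS 1.2 names.
    Because get_ciphers() reports what is currently configured, a later call
    can only narrow what an earlier call selected."""
    tls12, tls13, skipped = build_cipher_string(requested_ids, ctx.get_ciphers())
    if tls12:
        ctx.set_ciphers(tls12)
    return tls12, tls13, skipped


def tls12_names(ctx):
    """Names currently configured for TLS 1.2 and earlier."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    ctx = fresh_context()
    # 0xFFFF is unassigned in the IANA registry and is always skipped.
    print(apply_cipher_ids(ctx, [0xC030, 0x1301, 0xFFFF, 0xC02B]))
    print(tls12_names(ctx))
    # 0x002F cannot come back: the first call narrowed the stack to two suites.
    print(apply_cipher_ids(ctx, [0x002F]))
```

The narrowing behaviour is the reason a firmware-side wrapper should resolve IDs against a freshly configured SSL object (or cache the full stack once) rather than re-query after each SSL_set_cipher_list() call.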