* [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4
@ 2023-04-04 9:54 Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server Li, Yi
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Li, Yi @ 2023-04-04 9:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li, Jiewen Yao, Wenxing Hou, Gerd Hoffmann
Updated POC result and next step.
Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/366
The goal of POC has been reached, next step:
1. Optimize code quality
2. Upstream OpenSsl code change
3. Fully validation
Risk:
1. Upstream the openssl code is a long process. if all goes well,
it can be completed before next openssl stable release (July 2023).
If missed, the next stable release will be in September 2023.
2. If bugs are found during validation, some size optimization work
will have to be discarded.
This will result in that size increase greater than current result.
## POC result
Binaries mode (use crypto drivers)
| Driver | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
|CryptoPei | 386 | 400 | 3.6% |
|CryptoPeiPreMem | 31 | 31 | 0% |
|CryptoDxeFull | 1014 | 935 | -7.7% |
|CryptoDxe | 804 | 813 | 1.2% |
|CryptoSmm | 558 | 587 | 5.2% |
| LZMA Compressed | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
|CryptoDxe | 311 | 321 | 3.3% |
|CryptoSmm | 211 | 233 | 10.4% |
|FV (Dxe+Smm) | 357 | 381 | 6.8% |
Library mode (use crypto library)
| Driver | 1.1.1 | 3.0 | delta |
|--------------------|------------|------------|------------|
| FV | 2377 | 2636 | 262 |
| FV (LZMA) | 459 | 539 | 80 |
|SecurityStubDxe.efi | 562 | 605 | 43 |
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Wenxing Hou <wenxing.hou@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Yi Li (4):
CryptoPkg: disabled ssl server
CryptoPkg: sync latest change in uefiprov to minprov
Readme: 0330 update
Readme: update POC result and next step
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 6 +-
.../Library/OpensslLib/OpensslLibFull.inf | 6 +-
.../Library/OpensslLib/OpensslStub/minprov.c | 30 +-
CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++
.../Library/OpensslLib/SslStatServNull.c | 219 ++++++++++++
CryptoPkg/Readme-OpenSSL3.0.md | 32 +-
6 files changed, 587 insertions(+), 35 deletions(-)
create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c
create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c
--
2.31.1.windows.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
@ 2023-04-04 9:54 ` Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov Li, Yi
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Li, Yi @ 2023-04-04 9:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 6 +-
.../Library/OpensslLib/OpensslLibFull.inf | 6 +-
CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++
.../Library/OpensslLib/SslStatServNull.c | 219 ++++++++++++
4 files changed, 556 insertions(+), 4 deletions(-)
create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c
create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 8641cd2521..048d804292 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -700,12 +700,12 @@
$(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
$(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
$(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
- $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
$(OPENSSL_PATH)/ssl/statem/statem_lib.c
$(OPENSSL_PATH)/ssl/statem/statem_dtls.c
$(OPENSSL_PATH)/ssl/statem/statem_clnt.c
$(OPENSSL_PATH)/ssl/statem/statem.c
- $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
$(OPENSSL_PATH)/ssl/statem/extensions_cust.c
$(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
$(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -757,6 +757,8 @@
ossl_store.c
rand_pool.c
# SslNull.c
+ SslStatServNull.c
+ SslExtServNull.c
EcSm2Null.c
DhNull.c
EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
index 8cea86e6f0..7ad3c3fb85 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
@@ -705,12 +705,12 @@
$(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h
$(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h
$(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h
- $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
$(OPENSSL_PATH)/ssl/statem/statem_lib.c
$(OPENSSL_PATH)/ssl/statem/statem_dtls.c
$(OPENSSL_PATH)/ssl/statem/statem_clnt.c
$(OPENSSL_PATH)/ssl/statem/statem.c
- $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
+ # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
$(OPENSSL_PATH)/ssl/statem/extensions_cust.c
$(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
$(OPENSSL_PATH)/ssl/statem/extensions.c
@@ -824,6 +824,8 @@
ossl_store.c
rand_pool.c
# SslNull.c
+ SslStatServNull.c
+ SslExtServNull.c
# EcSm2Null.c
DhNull.c
EncoderNull.c
diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
new file mode 100644
index 0000000000..c256f17667
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/ocsp.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/cryptlib.h"
+
+#define COOKIE_STATE_FORMAT_VERSION 1
+
+/*
+ * Parse the client's renegotiation binding and abort if it's not right
+ */
+int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return -1;
+}
+
+/*-
+ * The servername extension is treated as follows:
+ *
+ * - Only the hostname type is supported with a maximum length of 255.
+ * - The servername is rejected if too long or if it contains zeros,
+ * in which case an fatal alert is generated.
+ * - The servername field is maintained together with the session cache.
+ * - When a session is resumed, the servername call back invoked in order
+ * to allow the application to position itself to the right context.
+ * - The servername is acknowledged if it is new for a session or when
+ * it is identical to a previously used for the same session.
+ * Applications can control the behaviour. They can at any time
+ * set a 'desirable' servername for a new SSL object. This can be the
+ * case for example with HTTPS when a Host: header field is received and
+ * a renegotiation is requested. In this case, a possible servername
+ * presented in the new client hello is only acknowledged if it matches
+ * the value of the Host: field.
+ * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ * if they provide for changing an explicit servername context for the
+ * session, i.e. when the session has been established with a servername
+ * extension.
+ * - On session reconnect, the servername extension may be absent.
+ */
+int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_SRP
+int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
+ ossl_unused unsigned int context,
+ ossl_unused X509 *x,
+ ossl_unused size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_OCSP
+int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+/*
+ * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
+ * extension, not including type and length. Returns: 1 on success, 0 on error.
+ */
+int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_SRTP
+int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+#endif
+
+int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Process a key_share extension received in the ClientHello. |pkt| contains
+ * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
+ */
+int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+
+int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return 0;
+}
+
+static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
+ SSL_SESSION **sess)
+{
+ return SSL_TICKET_NO_DECRYPT;
+}
+
+int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return 0;
+}
+
+int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+ ossl_unused unsigned int context,
+ ossl_unused X509 *x,
+ ossl_unused size_t chainidx)
+{
+ return 0;
+}
+
+/*
+ * Add the server's renegotiation binding
+ */
+EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+/* Add/include the server's max fragment len extension into ServerHello */
+EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_OCSP
+EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+#ifndef OPENSSL_NO_SRTP
+EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+#endif
+
+EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
+
+EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ return EXT_RETURN_FAIL;
+}
diff --git a/CryptoPkg/Library/OpensslLib/SslStatServNull.c b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
new file mode 100644
index 0000000000..bb05ca772f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/SslStatServNull.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/constant_time.h"
+#include "internal/cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/dh.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/md5.h>
+#include <openssl/trace.h>
+#include <openssl/core_names.h>
+#include <openssl/asn1t.h>
+
+#define TICKET_NONCE_SIZE 8
+
+typedef struct {
+ ASN1_TYPE *kxBlob;
+ ASN1_TYPE *opaqueBlob;
+} GOST_KX_MESSAGE;
+
+int ossl_statem_server_read_transition(SSL *s, int mt)
+{
+ return 0;
+}
+
+/*
+ * Should we send a CertificateRequest message?
+ *
+ * Valid return values are:
+ * 1: Yes
+ * 0: No
+ */
+int send_certificate_request(SSL *s)
+{
+ return 0;
+}
+
+/*
+ * ossl_statem_server_write_transition() works out what handshake state to move
+ * to next when the server is writing messages to be sent to the client.
+ */
+WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
+{
+ return WRITE_TRAN_ERROR;
+}
+
+WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+/*
+ * Perform any work that needs to be done after sending a message from the
+ * server to the client.
+ */
+WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+/*
+ * Get the message construction function and message type for sending from the
+ * server
+ *
+ * Valid return values are:
+ * 1: Success
+ * 0: Error
+ */
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
+ confunc_f *confunc, int *mt)
+{
+ return 0;
+}
+
+/*
+ * Returns the maximum allowed length for the current message that we are
+ * reading. Excludes the message header.
+ */
+size_t ossl_statem_server_max_message_size(SSL *s)
+{
+ return 0;
+}
+
+/*
+ * Process a message that the server has received from the client.
+ */
+MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Perform any further processing required following the receipt of a message
+ * from the client
+ */
+WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
+ size_t cookie_len)
+{
+ return 0;
+}
+
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+/*
+ * Call the alpn_select callback if needed. Upon success, returns 1.
+ * Upon failure, returns 0.
+ */
+int tls_handle_alpn(SSL *s)
+{
+ return 0;
+}
+
+WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
+{
+ return WORK_ERROR;
+}
+
+MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+/*
+ * In TLSv1.3 this is called from the extensions code, otherwise it is used to
+ * create a separate message. Returns 1 on success or 0 on failure.
+ */
+int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
+{
+ return 0;
+}
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+/*
+ * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
+ * It sets the next_proto member in s if found
+ */
+MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
+#endif
+
+MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
+{
+ return MSG_PROCESS_ERROR;
+}
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server Li, Yi
@ 2023-04-04 9:54 ` Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step Li, Yi
3 siblings, 0 replies; 5+ messages in thread
From: Li, Yi @ 2023-04-04 9:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li
Signed-off-by: Yi Li <yi1.li@intel.com>
---
.../Library/OpensslLib/OpensslStub/minprov.c | 30 +++++--------------
1 file changed, 7 insertions(+), 23 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslStub/minprov.c b/CryptoPkg/Library/OpensslLib/OpensslStub/minprov.c
index 1ba4b4f669..26fad90408 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslStub/minprov.c
+++ b/CryptoPkg/Library/OpensslLib/OpensslStub/minprov.c
@@ -1,7 +1,5 @@
/** @file
- Minimal UEFI Openssl provider implementation, only support PEI crypto feature
- without PKCS7.
-
+ Minimal UEFI Openssl provider implementation, only support PEI crypto feature.
Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -122,7 +120,6 @@ static const OSSL_ALGORITHM deflt_digests[] = {
// { PROV_NAMES_MD5_SHA1, "provider=default", ossl_md5_sha1_functions },
#endif /* OPENSSL_NO_MD5 */
-
{ PROV_NAMES_NULL, "provider=default", ossl_nullmd_functions },
{ NULL, NULL, NULL }
};
@@ -165,16 +162,7 @@ static const OSSL_ALGORITHM deflt_rands[] = {
{ NULL, NULL, NULL }
};
-static const OSSL_ALGORITHM deflt_signature[] = {
- { PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions },
- { NULL, NULL, NULL }
-};
-
static const OSSL_ALGORITHM deflt_keymgmt[] = {
- { PROV_NAMES_RSA, "provider=default", ossl_rsa_keymgmt_functions,
- PROV_DESCS_RSA },
- { PROV_NAMES_RSA_PSS, "provider=default", ossl_rsapss_keymgmt_functions,
- PROV_DESCS_RSA_PSS },
{ PROV_NAMES_HKDF, "provider=default", ossl_kdf_keymgmt_functions,
PROV_DESCS_HKDF_SIGN },
{ NULL, NULL, NULL }
@@ -189,16 +177,16 @@ static const OSSL_ALGORITHM *deflt_query(void *provctx, int operation_id,
return deflt_digests;
case OSSL_OP_CIPHER:
return exported_ciphers;
- case OSSL_OP_RAND:
- return deflt_rands;
case OSSL_OP_MAC:
return deflt_macs;
case OSSL_OP_KDF:
return deflt_kdfs;
- case OSSL_OP_KEYEXCH:
- return deflt_keyexch;
+ case OSSL_OP_RAND:
+ return deflt_rands;
case OSSL_OP_KEYMGMT:
return deflt_keymgmt;
+ case OSSL_OP_KEYEXCH:
+ return deflt_keyexch;
}
return NULL;
}
@@ -229,10 +217,8 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
void **provctx)
{
OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL;
- BIO_METHOD *corebiometh;
- if (!ossl_prov_bio_from_dispatch(in)
- || !ossl_prov_seeding_from_dispatch(in))
+ if (!ossl_prov_seeding_from_dispatch(in))
return 0;
for (; in->function_id != 0; in++) {
switch (in->function_id) {
@@ -262,8 +248,7 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
* This only works for built-in providers. Most providers should
* create their own library context.
*/
- if ((*provctx = ossl_prov_ctx_new()) == NULL
- || (corebiometh = ossl_bio_prov_init_bio_method()) == NULL) {
+ if ((*provctx = ossl_prov_ctx_new()) == NULL) {
ossl_prov_ctx_free(*provctx);
*provctx = NULL;
return 0;
@@ -271,7 +256,6 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
ossl_prov_ctx_set0_libctx(*provctx,
(OSSL_LIB_CTX *)c_get_libctx(handle));
ossl_prov_ctx_set0_handle(*provctx, handle);
- ossl_prov_ctx_set0_core_bio_method(*provctx, corebiometh);
*out = deflt_dispatch_table;
ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers);
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov Li, Yi
@ 2023-04-04 9:54 ` Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step Li, Yi
3 siblings, 0 replies; 5+ messages in thread
From: Li, Yi @ 2023-04-04 9:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Readme-OpenSSL3.0.md | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md
index fc5d24d074..1c77628b75 100644
--- a/CryptoPkg/Readme-OpenSSL3.0.md
+++ b/CryptoPkg/Readme-OpenSSL3.0.md
@@ -20,17 +20,17 @@ Will update latest result here (Build based on Intel platform).
Binaries mode (use crypto drivers)
| Driver | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
-|CryptoPei | 386 | 398 | 3.1% |
+|CryptoPei | 386 | 400 | 3.6% |
|CryptoPeiPreMem | 31 | 31 | 0% |
-|CryptoDxeFull | 1014 | 997 | -1.6% |
-|CryptoDxe | 804 | 871 | 8.3% |
-|CryptoSmm | 558 | 581 | 4.1% |
+|CryptoDxeFull | 1014 | 935 | -7.7% |
+|CryptoDxe | 804 | 813 | 1.2% |
+|CryptoSmm | 558 | 587 | 5.2% |
| LZMA Compressed | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
-|CryptoDxe | 311 | 346 | 11.2% |
+|CryptoDxe | 311 | 321 | 3.3% |
|CryptoSmm | 211 | 233 | 10.4% |
-|FV (Dxe+Smm) | 357 | 406 | 13.7% |
+|FV (Dxe+Smm) | 357 | 381 | 6.8% |
Library mode (use crypto library)
| Driver | 1.1.1 | 3.0 | delta |
@@ -61,6 +61,7 @@ SM2,
SM3 - 12KB,
MD5 - 8KB,
PEM - 19KB,
+TlsServer - 51KB (Only for DXE),
...
#### Risk:
1. SM3
@@ -154,5 +155,8 @@ https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff430
https://github.com/liyi77/openssl/commit/8488c75701cdd5e626785e6d9d002f6fb30ae0ff
(commit: x509: remove unused extentions 19KB)
https://github.com/liyi77/openssl/commit/c27b3428708eb240b626946ce10d4219806d8adf
+(commit: ssl: block out dtls code when OPENSSL_NO_DTLS defined 7KB)
+https://github.com/liyi77/openssl/commit/a92f19cb85232a153f20303d7c9035b2b614fdb3
+
## Timeline
Target for 2023 Q1
\ No newline at end of file
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
` (2 preceding siblings ...)
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update Li, Yi
@ 2023-04-04 9:54 ` Li, Yi
3 siblings, 0 replies; 5+ messages in thread
From: Li, Yi @ 2023-04-04 9:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Readme-OpenSSL3.0.md | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md
index 1c77628b75..5b660959e7 100644
--- a/CryptoPkg/Readme-OpenSSL3.0.md
+++ b/CryptoPkg/Readme-OpenSSL3.0.md
@@ -16,7 +16,18 @@ This branch is for investigating how to reduce the size increase.
The branch owner: Li Yi <yi1.li@intel.com>
## Latest update
-Will update latest result here (Build based on Intel platform).
+The goal of POC has been reached, next step:
+1. Optimize code quality
+2. Upstream OpenSsl code change
+3. Fully validation
+
+Risk:
+1. Upstream the openssl code is a long process. if all goes well, it can be completed before the next openssl stable release (July 2023).
+ If missed, the next stable release will be in September 2023.
+2. If bugs are found during validation, some size optimization work will have to be discarded.
+ This will result in that size increase greater than the current result.
+
+## POC result
Binaries mode (use crypto drivers)
| Driver | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
@@ -35,7 +46,8 @@ Binaries mode (use crypto drivers)
Library mode (use crypto library)
| Driver | 1.1.1 | 3.0 | delta |
|--------------------|------------|------------|------------|
-| FV | 2377 | 2639 | 262 |
+| FV | 2377 | 2636 | 262 |
+| FV (LZMA) | 459 | 539 | 80 |
|SecurityStubDxe.efi | 562 | 605 | 43 |
## Limitation
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-04-04 9:54 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-04 9:54 [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Apr 4 Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 1/4] CryptoPkg: disabled ssl server Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: sync latest change in uefiprov to minprov Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 3/4] Readme: 0330 update Li, Yi
2023-04-04 9:54 ` [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: update POC result and next step Li, Yi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox