From: Laszlo Ersek <lersek@redhat.com>
To: "Long, Qin" <qin.long@intel.com>
Cc: "Wu, Jiaxin" <jiaxin.wu@intel.com>,
edk2-devel-01 <edk2-devel@lists.01.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Gary Ching-Pang Lin <glin@suse.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"Gao, Liming" <liming.gao@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Ye, Ting" <ting.ye@intel.com>
Subject: Re: [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
Date: Tue, 10 Apr 2018 12:10:51 +0200 [thread overview]
Message-ID: <f206bb8f-c2a4-80b5-a25a-df054f3131a4@redhat.com> (raw)
In-Reply-To: <475313c2-8a3a-4be4-483c-b15b4d1cbfa6@redhat.com>
On 04/10/18 12:02, Laszlo Ersek wrote:
> On 04/10/18 09:40, Long, Qin wrote:
>> #0005, #0006, #0007, #0012, #0013:
>> These implementation looks good to me.
>> But some of updates were based on the assumption of #0008-0009. I have no strong opinion
>> if some original light implementation are good enough currently.
I'd like to comment on this in more detail (namely that "some original
light implementation are good enough currently"):
- I now agree that "TlsCipherMappingTable" should match the ciphers
built into OpensslLib exactly. However, that makes it only more
important that we *not* return EFI_UNSUPPORTED immediately when we find
a cipher suite in the platform's preference list that we don't support.
Instead, we should filter the platform's list down to what we do support.
- The stack allocation with 500 bytes for CipherString is questionable
practice, in my opinion, given that we add a variable list of cipher
suite names. It's just not deterministic. It can produce confusing
results that don't match the caller's (the platform's) intent, and it
will only become worse when you extend "TlsCipherMappingTable" to the
full cipher list that we build into OpensslLib *right now*. (And that's
not considering any future cipher enablements.)
- "@STRENGTH" must be dropped. I have no doubt about that. :)
So, I'd like to keep patch #13 as-is, perhaps squahed together with
patch #12 if you all prefer that.
Thanks!
Laszlo
next prev parent reply other threads:[~2018-04-10 10:10 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-03 14:51 [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Laszlo Ersek
2018-04-03 14:51 ` [PATCH 01/13] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-03 14:51 ` [PATCH 02/13] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-03 15:08 ` Gao, Liming
2018-04-04 10:32 ` Laszlo Ersek
2018-04-10 1:51 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList Laszlo Ersek
2018-04-10 1:51 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 04/13] NetworkPkg/TlsDxe: clean up byte order conversion " Laszlo Ersek
2018-04-10 1:53 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 05/13] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-03 14:51 ` [PATCH 06/13] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-03 14:51 ` [PATCH 07/13] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-03 14:51 ` [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script Laszlo Ersek
2018-04-03 14:51 ` [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable" Laszlo Ersek
2018-04-03 14:51 ` [PATCH 10/13] CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file Laszlo Ersek
2018-04-03 14:51 ` [PATCH 11/13] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-03 14:51 ` [PATCH 12/13] CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList() Laszlo Ersek
2018-04-03 14:51 ` [PATCH 13/13] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-10 4:09 ` [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Wu, Jiaxin
2018-04-10 7:40 ` Long, Qin
2018-04-10 10:02 ` Laszlo Ersek
2018-04-10 10:10 ` Laszlo Ersek [this message]
2018-04-10 16:56 ` Long, Qin
2018-04-10 9:47 ` Laszlo Ersek
2018-04-10 17:06 ` Long, Qin
2018-04-10 20:06 ` Laszlo Ersek
2018-04-11 1:59 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f206bb8f-c2a4-80b5-a25a-df054f3131a4@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox