From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1522767121717857.8958209608857; Tue, 3 Apr 2018 07:52:01 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 83B7721FB7D20; Tue, 3 Apr 2018 07:51:59 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E6847226085CF for ; Tue, 3 Apr 2018 07:51:57 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 37DDA722E8; Tue, 3 Apr 2018 14:51:57 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB0E32026E0E; Tue, 3 Apr 2018 14:51:55 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:37 +0200
Message-Id: <20180403145149.8925-2-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 01/13] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
Cc: Jordan Justen, Gary Ching-Pang Lin, Ard Biesheuvel

Read the list of trusted cipher suites from fw_cfg and store it to EFI_TLS_CA_CERTIFICATE_VARIABLE. The fw_cfg file is formatted by the "update-crypto-policies" utility on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware.

The contents are forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).

Cc: Ard Biesheuvel
Cc: Gary Ching-Pang Lin
Cc: Jordan Justen
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek --- OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +- OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 +++++++++++++++= +++++ 2 files changed, 100 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf b/OvmfPk= g/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf index 5f83582a8313..40754ea5a2f3 100644 --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf @@ -46,10 +46,11 @@ [LibraryClasses] DebugLib MemoryAllocationLib QemuFwCfgLib UefiRuntimeServicesTableLib =20 [Guids] - gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate" + gEdkiiHttpTlsCipherListGuid ## PRODUCES ## Variable:L"HttpTlsCipherList" + gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate" =20 [Depex] gEfiVariableWriteArchProtocolGuid diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c b/OvmfPkg/= Library/TlsAuthConfigLib/TlsAuthConfigLib.c index b5b33bc4fc69..74c393e5462f 100644 --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c @@ -17,12 +17,13 @@ =20 **/ =20 #include #include =20 +#include #include =20 #include #include #include #include 
@@ -118,16 +119,113 @@ SetCaCerts ( gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize)); =20 FreeHttpsCaCerts: FreePool (HttpsCaCerts); } =20 +/** + Read the list of trusted cipher suites from the fw_cfg file + "etc/edk2/https/ciphers", and store it to + gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE. + + The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; = the + list is processed by the latter. +**/ +STATIC +VOID +SetCipherSuites ( + VOID + ) +{ + EFI_STATUS Status; + FIRMWARE_CONFIG_ITEM HttpsCiphersItem; + UINTN HttpsCiphersSize; + VOID *HttpsCiphers; + + Status =3D QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersIte= m, + &HttpsCiphersSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n", + gEfiCallerBaseName, __FUNCTION__)); + return; + } + // + // From this point on, any failure is fatal. An ordered cipher preference + // list is available from QEMU, thus we cannot let the firmware attempt = HTTPS + // boot with either pre-existent or non-existent preferences. An empty s= et of + // cipher suites does not fail HTTPS boot automatically; the default cip= her + // suite preferences would take effect, and we must prevent that. + // + // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. = If + // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cann= ot + // make it volatile without deleting it first. 
+ // + Status =3D gRT->SetVariable ( + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName + &gEdkiiHttpTlsCipherListGuid, // VendorGuid + 0, // Attributes + 0, // DataSize + NULL // Data + ); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n", + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid, + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE)); + goto Done; + } + + if (HttpsCiphersSize =3D=3D 0) { + DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n= ", + gEfiCallerBaseName, __FUNCTION__)); + Status =3D EFI_INVALID_PARAMETER; + goto Done; + } + + HttpsCiphers =3D AllocatePool (HttpsCiphersSize); + if (HttpsCiphers =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n", + gEfiCallerBaseName, __FUNCTION__)); + Status =3D EFI_OUT_OF_RESOURCES; + goto Done; + } + + QemuFwCfgSelectItem (HttpsCiphersItem); + QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers); + + Status =3D gRT->SetVariable ( + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName + &gEdkiiHttpTlsCipherListGuid, // VendorGuid + EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes + HttpsCiphersSize, // DataSize + HttpsCiphers // Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n", + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid, + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE)); + goto FreeHttpsCiphers; + } + + DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s)= )\n", + gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize)); + +FreeHttpsCiphers: + FreePool (HttpsCiphers); + +Done: + if (EFI_ERROR (Status)) { + ASSERT_EFI_ERROR (Status); + CpuDeadLoop (); + } +} + RETURN_STATUS EFIAPI TlsAuthConfigInit ( VOID ) { SetCaCerts (); + SetCipherSuites (); =20 return RETURN_SUCCESS; } --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org 
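Review bot: the [Guids] hunk in TlsAuthConfigLib.inf adds gEdkiiHttpTlsCipherListGuid, which is declared in NetworkPkg, but the [Packages] section is outside the hunk's context; please confirm NetworkPkg/NetworkPkg.dec is already listed there (the pre-existing gEfiTlsCaCertificateGuid only needs MdePkg), otherwise the GUID will not resolve at build time.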
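Review bot: in the SetCipherSuites() hunk, HttpsCiphersSize is stored without checking that it is a multiple of sizeof (EFI_TLS_CIPHER), so an odd-sized "etc/edk2/https/ciphers" file is only rejected later, in TlsSetSessionData() (patch 03 of this series adds that EFI_INVALID_PARAMETER check), at connection time and far from the cause. Since every other malformed input here is already fatal via CpuDeadLoop(), consider rejecting `HttpsCiphersSize % 2 != 0` right next to the `HttpsCiphersSize == 0` check, with a DEBUG_ERROR naming the file. Two smaller points: the commit message says the list is stored to EFI_TLS_CA_CERTIFICATE_VARIABLE, while the code and the function comment store to EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, so the message should be corrected; and at the Done label ASSERT_EFI_ERROR() compiles out in RELEASE builds, leaving CpuDeadLoop() with only the preceding DEBUG_ERROR line as diagnosis, which is worth a one-line comment so nobody "fixes" the apparently unreachable deadloop.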
https://lists.01.org/mailman/listinfo/edk2-devel
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:38 +0200
Message-Id: <20180403145149.8925-3-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 02/13] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
Cc: Michael D Kinney, Siyuan Fu, Jiaxin Wu, Liming Gao

The structures defined in RFC 5246 are not to have any padding between fields or at the end; use the "pack" pragma as necessary.

Cc: Jiaxin Wu
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Siyuan Fu
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
Reviewed-by: Fu Siyuan
---
 MdePkg/Include/Protocol/Tls.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.h
index 2119f33c0f5b..dafaabcd2a8b 100644
--- a/MdePkg/Include/Protocol/Tls.h
+++ b/MdePkg/Include/Protocol/Tls.h
@@ -138,33 +138,37 @@ typedef enum { /// /// EFI_TLS_CIPHER /// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A= .4.1. /// Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher /// Suite Registry of IANA. /// +#pragma pack (1) typedef struct { UINT8 Data1; UINT8 Data2; } EFI_TLS_CIPHER; +#pragma pack () =20 /// /// EFI_TLS_COMPRESSION /// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749". /// typedef UINT8 EFI_TLS_COMPRESSION; =20 /// /// EFI_TLS_EXTENSION /// Note: The definition of EFI_TLS_EXTENSION if from "RFC 5246 A.4.1. /// Hello Messages". /// +#pragma pack (1) typedef struct { UINT16 ExtensionType; UINT16 Length; UINT8 Data[1]; } EFI_TLS_EXTENSION; +#pragma pack () =20 /// /// EFI_TLS_VERIFY /// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two op= tions /// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired. /// 
@@ -191,35 +195,41 @@ typedef UINT32 EFI_TLS_VERIFY; =20 /// /// EFI_TLS_RANDOM /// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1. /// Hello Messages". /// +#pragma pack (1) typedef struct { UINT32 GmtUnixTime; UINT8 RandomBytes[28]; } EFI_TLS_RANDOM; +#pragma pack () =20 /// /// EFI_TLS_MASTER_SECRET /// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1. /// Computing the Master Secret". /// +#pragma pack (1) typedef struct { UINT8 Data[48]; } EFI_TLS_MASTER_SECRET; +#pragma pack () =20 /// /// EFI_TLS_SESSION_ID /// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. He= llo Messages". /// #define MAX_TLS_SESSION_ID_LENGTH 32 +#pragma pack (1) typedef struct { UINT16 Length; UINT8 Data[MAX_TLS_SESSION_ID_LENGTH]; } EFI_TLS_SESSION_ID; +#pragma pack () =20 /// /// EFI_TLS_SESSION_STATE /// typedef enum { /// --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
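Review bot: in the @@ -138 hunk, packing EFI_TLS_EXTENSION changes its sizeof from 6 to 5 (UINT16, UINT16, UINT8 previously carried one byte of tail padding), so any code that sizes buffers or walks extension arrays with sizeof (EFI_TLS_EXTENSION) changes behaviour with this patch; please confirm no caller depends on the padded size and say so in the commit message. EFI_TLS_CIPHER (two UINT8s) is unaffected, so its pragma only documents intent. While at it, the context comment "The definition of EFI_TLS_EXTENSION if from" could be corrected to "is from".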
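Review bot: in the @@ -191 hunk, the pragmas leave sizeof unchanged for EFI_TLS_RANDOM (4 + 28), EFI_TLS_MASTER_SECRET (48) and EFI_TLS_SESSION_ID (2 + 32), since none of them had padding; what does change is the alignment requirement of EFI_TLS_RANDOM (4 to 1) and EFI_TLS_SESSION_ID (2 to 1), which is what makes overlaying them on an arbitrary byte offset of a record buffer well-defined. A sentence to that effect in the commit message would stop a later reader from removing the apparently redundant pragmas.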
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:39 +0200
Message-Id: <20180403145149.8925-4-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
Cc: Siyuan Fu, Jiaxin Wu

TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER element at the end of "Data":

- Generally speaking, malformed input for a security API is best rejected explicitly.

- Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If DataSize is 1 on input, then the initial check for (DataSize == 0) will fail, but then TlsSetCipherList() will be called with CipherNum=0.

Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't contain a whole number of EFI_TLS_CIPHER elements.

While at it, introduce the dedicated variable CipherCount.

Cc: Jiaxin Wu
Cc: Siyuan Fu
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/TlsDxe/TlsProtocol.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtoco= l.c index ad4c922c60bd..a5f95a098345 100644 --- a/NetworkPkg/TlsDxe/TlsProtocol.c +++ b/NetworkPkg/TlsDxe/TlsProtocol.c @@ -35,12 +35,13 @@ EFI_TLS_PROTOCOL mTlsProtocol =3D { =20 @retval EFI_SUCCESS The TLS session data is set successfully. @retval EFI_INVALID_PARAMETER One or more of the following conditions = is TRUE: This is NULL. Data is NULL. DataSize is 0. + DataSize is invalid for DataType. @retval EFI_UNSUPPORTED The DataType is unsupported. @retval EFI_ACCESS_DENIED If the DataType is one of below: EfiTlsClientRandom EfiTlsServerRandom EfiTlsKeyMaterial @retval EFI_NOT_READY Current TLS session state is NOT @@ -56,12 +57,13 @@ TlsSetSessionData ( IN UINTN DataSize ) { EFI_STATUS Status; TLS_INSTANCE *Instance; UINT16 *CipherId; + UINTN CipherCount; UINTN Index; =20 EFI_TPL OldTpl; =20 Status =3D EFI_SUCCESS; CipherId =3D NULL; 
@@ -97,23 +99,29 @@ TlsSetSessionData ( goto ON_EXIT; } =20 Status =3D TlsSetConnectionEnd (Instance->TlsConn, *((EFI_TLS_CONNECTI= ON_END *) Data)); break; case EfiTlsCipherList: + if (DataSize % sizeof (EFI_TLS_CIPHER) !=3D 0) { + Status =3D EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + CipherId =3D AllocatePool (DataSize); if (CipherId =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; goto ON_EXIT; } =20 - for (Index =3D 0; Index < DataSize / sizeof (EFI_TLS_CIPHER); Index++)= { + CipherCount =3D DataSize / sizeof (EFI_TLS_CIPHER); + for (Index =3D 0; Index < CipherCount; Index++) { *(CipherId +Index) =3D HTONS (*(((UINT16 *) Data) + Index)); } =20 - Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, DataSize / s= izeof (EFI_TLS_CIPHER)); + Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, CipherCount); =20 FreePool (CipherId); break; case EfiTlsCompressionMethod: // // TLS seems only define one CompressionMethod.null, which specifies t= hat data exchanged via the --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
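Review bot: in the @@ -97 hunk the modulus check is placed before AllocatePool(), which is the right spot, but there is still no upper bound on CipherCount: it is handed straight to TlsSetCipherList(), which (see the context of patch 05) formats every name into a fixed `CHAR8 CipherString[500]`, so a long but well-formed list from the caller is not rejected here and is not reported as an error there either. Consider either a documented maximum in this switch case or an explicit error return from TlsSetCipherList() when the string does not fit. The "DataSize is invalid for DataType" line added to the @retval list in the @@ -35 hunk reads well; it would be useful to mention in the same comment that for EfiTlsCipherList this means "not a multiple of sizeof (EFI_TLS_CIPHER)".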
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:40 +0200
Message-Id: <20180403145149.8925-5-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 04/13] NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
Cc: Siyuan Fu, Jiaxin Wu

Fix the following style issues:

- "Data" is accessed through a pointer to UINT16 rather than to a pointer to EFI_TLS_CIPHER. While technically correct, UINT16 is harder to interpret against the UEFI spec.

- Array subscripting is written with weird *(Pointer + Offset) expressions, rather than with Pointer[Offset].

- The byte order is converted with HTONS(), while it should be NTOHS(). Either way, use the Data1 and Data2 fields of EFI_TLS_CIPHER instead.

Cc: Jiaxin Wu
Cc: Siyuan Fu
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
Reviewed-by: Fu Siyuan
---
 NetworkPkg/TlsDxe/TlsProtocol.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtoco= l.c index a5f95a098345..298ffdd659a2 100644 --- a/NetworkPkg/TlsDxe/TlsProtocol.c +++ b/NetworkPkg/TlsDxe/TlsProtocol.c @@ -57,12 +57,13 @@ TlsSetSessionData ( IN UINTN DataSize ) { EFI_STATUS Status; TLS_INSTANCE *Instance; UINT16 *CipherId; + CONST EFI_TLS_CIPHER *TlsCipherList; UINTN CipherCount; UINTN Index; =20 EFI_TPL OldTpl; =20 Status =3D EFI_SUCCESS; 
@@ -110,15 +111,17 @@ TlsSetSessionData ( CipherId =3D AllocatePool (DataSize); if (CipherId =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; goto ON_EXIT; } =20 + TlsCipherList =3D (CONST EFI_TLS_CIPHER *) Data; CipherCount =3D DataSize / sizeof (EFI_TLS_CIPHER); for (Index =3D 0; Index < CipherCount; Index++) { - *(CipherId +Index) =3D HTONS (*(((UINT16 *) Data) + Index)); + CipherId[Index] =3D ((TlsCipherList[Index].Data1 << 8) | + TlsCipherList[Index].Data2); } =20 Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, CipherCount); =20 FreePool (CipherId); break; --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
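Review bot: in the @@ -110 hunk, `(TlsCipherList[Index].Data1 << 8) | TlsCipherList[Index].Data2` is an int expression assigned to a UINT16 element; some of the toolchains edk2 builds with treat warnings as errors and may flag the implicit narrowing (VS C4244), so an explicit `(UINT16)` cast on the right-hand side is the safer form. The construction from Data1 and Data2 is the real improvement, because it does not depend on host byte order at all; on the little-endian targets OVMF and NetworkPkg are built for, HTONS() and NTOHS() both reduce to the same 16-bit swap, so the old code produced correct values and the HTONS/NTOHS point in the message is about readability rather than a functional bug, which is worth stating so nobody backports this as a fix.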
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:41 +0200
Message-Id: <20180403145149.8925-6-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 05/13] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping()
Cc: Ting Ye, Siyuan Fu, Jiaxin Wu, Qin Long

In the following patches it will be useful if the IANA CipherId lookup returns a pointer to the whole matching IANA-to-OpenSSL mapping structure, not just the OpenSSL cipher suite name.

Rename TLS_CIPHER_PAIR and TlsGetCipherString() to TLS_CIPHER_MAPPING and TlsGetCipherMapping() respectively, and make the function return a pointer to TLS_CIPHER_MAPPING.

Cc: Jiaxin Wu
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 37 +++++++++++---------
 1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index 2ffe58ad29a2..507489386b8e 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -21,19 +21,19 @@ typedef struct { // UINT16 IanaCipher; // // OpenSSL-used Cipher Suite String // CONST CHAR8 *OpensslCipher; -} TLS_CIPHER_PAIR; +} TLS_CIPHER_MAPPING; =20 // // The mapping table between IANA/IETF Cipher Suite definitions and // OpenSSL-used Cipher Suite name. // -STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] =3D { +STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5 { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SH= A, mandatory TLS 1.1 { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CB= C_SHA 
@@ -54,42 +54,42 @@ STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = =3D { { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_= SHA256 { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_= SHA256 { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC= _SHA256 }; =20 /** - Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher su= ite. + Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher s= uite. =20 @param[in] CipherId The supplied IANA TLS cipher suite ID. =20 - @return The corresponding OpenSSL cipher suite string if found, + @return The corresponding OpenSSL cipher suite mapping if found, NULL otherwise. =20 **/ STATIC -CONST CHAR8 * -TlsGetCipherString ( +CONST TLS_CIPHER_MAPPING * +TlsGetCipherMapping ( IN UINT16 CipherId ) { - CONST TLS_CIPHER_PAIR *CipherEntry; - UINTN TableSize; - UINTN Index; + CONST TLS_CIPHER_MAPPING *CipherEntry; + UINTN TableSize; + UINTN Index; =20 CipherEntry =3D TlsCipherMappingTable; - TableSize =3D sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR); + TableSize =3D sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_MAPPIN= G); =20 // // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation // for (Index =3D 0; Index < TableSize; Index++, CipherEntry++) { // // Translate IANA cipher suite name to OpenSSL name. // if (CipherEntry->IanaCipher =3D=3D CipherId) { - return CipherEntry->OpensslCipher; + return CipherEntry; } } =20 // // No Cipher Mapping found, return NULL. // 
@@ -226,34 +226,37 @@ EFIAPI TlsSetCipherList ( IN VOID *Tls, IN UINT16 *CipherId, IN UINTN CipherNum ) { - TLS_CONNECTION *TlsConn; - UINTN Index; - CONST CHAR8 *MappingName; - CHAR8 CipherString[500]; + TLS_CONNECTION *TlsConn; + UINTN Index; + CONST TLS_CIPHER_MAPPING *Mapping; + CONST CHAR8 *MappingName; + CHAR8 CipherString[500]; =20 TlsConn =3D (TLS_CONNECTION *) Tls; if (TlsConn =3D=3D NULL || TlsConn->Ssl =3D=3D NULL || CipherId =3D=3D N= ULL) { return EFI_INVALID_PARAMETER; } =20 + Mapping =3D NULL; MappingName =3D NULL; =20 memset (CipherString, 0, sizeof (CipherString)); =20 for (Index =3D 0; Index < CipherNum; Index++) { // // Handling OpenSSL / RFC Cipher name mapping. // - MappingName =3D TlsGetCipherString (*(CipherId + Index)); - if (MappingName =3D=3D NULL) { + Mapping =3D TlsGetCipherMapping (*(CipherId + Index)); + if (Mapping =3D=3D NULL) { return EFI_UNSUPPORTED; } + MappingName =3D Mapping->OpensslCipher; =20 if (Index !=3D 0) { // // The ciphers were separated by a colon. 
// AsciiStrCatS (CipherString, sizeof (CipherString), ":"); --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 152276713912457.866468819538; Tue, 3 Apr 2018 07:52:19 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 5EA33224A9EAC; Tue, 3 Apr 2018 07:52:08 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B9566226085CF for ; Tue, 3 Apr 2018 07:52:06 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 08109406E8A4; Tue, 3 Apr 2018 14:52:06 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8AE212026E0E; Tue, 3 Apr 2018 14:52:04 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:42 +0200
Message-Id: <20180403145149.8925-7-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 06/13] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function
Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long

Improve the performance of the TlsGetCipherMapping() function by adopting the binary search from DhcpFindOptionFormat() [MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c].

Cc: Jiaxin Wu
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 36 +++++++++++++-------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 507489386b8e..c1d91a599482 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -27,12 +27,14 @@ typedef struct { } TLS_CIPHER_MAPPING; =20 // // The mapping table between IANA/IETF Cipher Suite definitions and // OpenSSL-used Cipher Suite name. // +// Keep the table uniquely sorted by the IanaCipher field, in increasing o= rder. +// STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5 { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SH= A, mandatory TLS 1.1 
@@ -68,28 +70,36 @@ STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[]= =3D { STATIC CONST TLS_CIPHER_MAPPING * TlsGetCipherMapping ( IN UINT16 CipherId ) { - CONST TLS_CIPHER_MAPPING *CipherEntry; - UINTN TableSize; - UINTN Index; - - CipherEntry =3D TlsCipherMappingTable; - TableSize =3D sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_MAPPIN= G); + INTN Left; + INTN Right; + INTN Middle; =20 // - // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation + // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation // - for (Index =3D 0; Index < TableSize; Index++, CipherEntry++) { - // - // Translate IANA cipher suite name to OpenSSL name. - // - if (CipherEntry->IanaCipher =3D=3D CipherId) { - return CipherEntry; + Left =3D 0; + Right =3D ARRAY_SIZE (TlsCipherMappingTable) - 1; + + while (Right >=3D Left) { + Middle =3D (Left + Right) / 2; + + if (CipherId =3D=3D TlsCipherMappingTable[Middle].IanaCipher) { + // + // Translate IANA cipher suite ID to OpenSSL name. + // + return &TlsCipherMappingTable[Middle]; + } + + if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) { + Right =3D Middle - 1; + } else { + Left =3D Middle + 1; } } =20 // // No Cipher Mapping found, return NULL. 
// --=20 2.14.1.3.gb7cf6e02401b
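Review bot: the binary search in this hunk is only correct if TlsCipherMappingTable is strictly increasing by IanaCipher, and nothing enforces that beyond the "Keep the table uniquely sorted" comment added in the previous hunk; a single out-of-order or duplicated row (easy to introduce when rows are pasted in from a generator) makes the lookup miss IDs that are present, which TlsSetCipherList() then turns into EFI_UNSUPPORTED for the whole client list. Suggest a one-time DEBUG check on first use, a loop asserting `TlsCipherMappingTable[Index - 1].IanaCipher < TlsCipherMappingTable[Index].IanaCipher`, or at least a unit test that walks the table. Minor: `Middle = (Left + Right) / 2;` cannot overflow for a table of this size, but `Left + (Right - Left) / 2` is the conventional overflow-free form and costs nothing.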
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:43 +0200
Message-Id: <20180403145149.8925-8-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 07/13] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable
Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long

In the next patches, we'll need the lengths of the TLS_CIPHER_MAPPING.OpensslCipher string fields. These lengths can be computed at build time; add the new field "OpensslCipherLength", and introduce the MAP() macro for populating it.

While at it, add some horizontal whitespace to "TlsCipherMappingTable", and add a comma after the last element. This will come in handy in a later patch.

(The patch does not change the first two columns of "TlsCipherMappingTable", which can be easily verified with "git show --word-diff".)

Cc: Jiaxin Wu
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 58 ++++++++++++--------
 1 file changed, 35 insertions(+), 23 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index c1d91a599482..e2f819b9035f 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -21,44 +21,56 @@ typedef struct { // UINT16 IanaCipher; // // OpenSSL-used Cipher Suite String // CONST CHAR8 *OpensslCipher; + // + // Length of OpensslCipher + // + UINTN OpensslCipherLength; } TLS_CIPHER_MAPPING; =20 +// +// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCiph= er so +// that OpensslCipherLength is filled in automatically. IanaCipher must be= an +// integer constant expression, and OpensslCipher must be a string literal. +// +#define MAP(IanaCipher, OpensslCipher) \ + { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 } + // // The mapping table between IANA/IETF Cipher Suite definitions and // OpenSSL-used Cipher Suite name. // // Keep the table uniquely sorted by the IanaCipher field, in increasing o= rder. // STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { - { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5 - { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA - { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 - { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA - { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SH= A, mandatory TLS 1.1 - { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CB= C_SHA - { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA= , mandatory TLS 1.2 - { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_= SHA - { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_= SHA - { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC= _SHA - { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA - { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_= SHA - { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_= SHA - { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC= _SHA - { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256 - { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA= 256 - { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA= 256 - { 
0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_= SHA256 - { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_= SHA256 - { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC= _SHA256 - { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_= SHA256 - { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_= SHA256 - { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC= _SHA256 + MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_= MD5 + MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_= SHA + MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_1= 28_MD5 + MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_1= 28_SHA + MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_= EDE_CBC_SHA, mandatory TLS 1.1 + MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3= DES_EDE_CBC_SHA + MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA, mandatory TLS 1.2 + MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA + MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA + MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA + MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA + MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA + MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA + MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA + MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_= SHA256 + MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA256 + MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA256 + MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA256 + MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA256 + MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA256 + MAP ( 0x0068, "DH-DSS-AES256-SHA256" 
), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA256 + MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA256 + MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA256 }; =20 /** Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher s= uite. =20 @param[in] CipherId The supplied IANA TLS cipher suite ID. --=20 2.14.1.3.gb7cf6e02401b
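Review bot: `MAP()` is a very generic macro name and is never `#undef`'d after the table (the hunk ends at `};` and goes straight into the TlsGetCipherMapping() doc comment), so it stays defined for the rest of TlsConfig.c and can collide with a same-named macro from any header included later; either `#undef MAP` right after TlsCipherMappingTable or give it a file-specific name such as `TLS_CIPHER_MAP`. The `sizeof (OpensslCipher) - 1` trick is right for a string literal, but, as the new comment itself says, it silently yields `sizeof (CHAR8 *) - 1` if a pointer is ever passed instead, and an `#undef` is the cheapest way to keep the macro from being reused that way outside the table.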
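Added example, not code from this series or from edk2: a stand-alone C model of the two ideas in patches 06 and 07 above (a binary search over a table kept strictly sorted by IANA ID, and string lengths baked into the table by a MAP()-style macro), together with the two checks a reviewer would want around them. `TableIsStrictlySorted()` verifies the precondition the search silently depends on, and `BuildCipherString()` uses the precomputed lengths to size the colon-separated OpenSSL list exactly instead of appending into a fixed 500-byte array the way TlsSetCipherList() does in the earlier hunk, rejecting the whole list on any unmapped ID. The table rows are a hand-picked subset, `UnsortedExample` is a deliberately broken table, and the type and function names are this example's own; it uses standard C types rather than edk2's so it compiles with an ordinary host compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the series' TLS_CIPHER_MAPPING after patch 07. The type and
   function names in this file are the example's own, not edk2's. */
typedef struct {
  uint16_t    IanaCipher;           /* IANA suite ID, network byte order */
  const char *OpensslCipher;        /* OpenSSL suite name */
  size_t      OpensslCipherLength;  /* strlen (OpensslCipher), fixed at build time */
} CIPHER_MAPPING;

/* Only valid for a string literal: sizeof on a pointer argument would yield
   the pointer size minus one. Undefined right after the tables for that reason. */
#define MAP(Iana, Name)  { (Iana), (Name), sizeof (Name) - 1 }

/* Constructed subset of the real table. Must stay strictly increasing by
   IanaCipher; anonymous and NULL suites are deliberately not mapped. */
static const CIPHER_MAPPING MappingTable[] = {
  MAP (0x002F, "AES128-SHA"),
  MAP (0x0035, "AES256-SHA"),
  MAP (0x009C, "AES128-GCM-SHA256"),
  MAP (0x009D, "AES256-GCM-SHA384"),
  MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),
  MAP (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
  MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
};

/* Constructed counter-example: the first two rows are swapped. */
static const CIPHER_MAPPING UnsortedExample[] = {
  MAP (0x0035, "AES256-SHA"),
  MAP (0x002F, "AES128-SHA"),
  MAP (0x009C, "AES128-GCM-SHA256"),
};
#undef MAP

#define COUNT_OF(a)  (sizeof (a) / sizeof ((a)[0]))

/* Precondition of the binary search: strictly increasing IDs (hence no
   duplicates). Cheap enough to run once at first use under a DEBUG assert. */
int TableIsStrictlySorted (const CIPHER_MAPPING *Table, size_t Count)
{
  for (size_t i = 1; i < Count; i++) {
    if (Table[i - 1].IanaCipher >= Table[i].IanaCipher) return 0;
  }
  return 1;
}

/* Binary search as in patch 06; NULL when the ID has no mapping. On an
   unsorted table it silently misses entries that are present. */
const CIPHER_MAPPING *FindMapping (const CIPHER_MAPPING *Table, size_t Count,
                                   uint16_t CipherId)
{
  ptrdiff_t Left = 0, Right = (ptrdiff_t)Count - 1;

  while (Left <= Right) {
    ptrdiff_t Middle = Left + (Right - Left) / 2;  /* overflow-free midpoint */
    uint16_t  Probe  = Table[Middle].IanaCipher;
    if (CipherId == Probe) return &Table[Middle];
    if (CipherId < Probe)  Right = Middle - 1;
    else                   Left  = Middle + 1;
  }
  return NULL;
}

/* Translate a list of IANA IDs into OpenSSL's colon-separated form. The
   buffer is sized from the precomputed lengths, so nothing can be truncated;
   any unmapped ID rejects the whole list (fail closed). Caller frees. */
char *BuildCipherString (const uint16_t *Ids, size_t Count)
{
  size_t Needed = 0;

  if (Count == 0) return NULL;
  for (size_t i = 0; i < Count; i++) {
    const CIPHER_MAPPING *M = FindMapping (MappingTable, COUNT_OF (MappingTable), Ids[i]);
    if (M == NULL) return NULL;
    Needed += M->OpensslCipherLength + 1;  /* name plus ':' or the final NUL */
  }

  char *Out = malloc (Needed);
  if (Out == NULL) return NULL;
  char *P = Out;
  for (size_t i = 0; i < Count; i++) {
    const CIPHER_MAPPING *M = FindMapping (MappingTable, COUNT_OF (MappingTable), Ids[i]);
    if (i != 0) *P++ = ':';
    memcpy (P, M->OpensslCipher, M->OpensslCipherLength);  /* M checked above */
    P += M->OpensslCipherLength;
  }
  *P = '\0';
  return Out;
}
```

Two things worth noticing when running it: looking up 0x0035 in `UnsortedExample` returns NULL although the row is there, which is exactly the failure the sortedness check exists to catch, and `BuildCipherString()` for `{ 0xC02F, 0x0018 }` returns NULL rather than a list with the unmapped suite dropped, so the caller cannot end up with a silently weakened configuration.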
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:44 +0200
Message-Id: <20180403145149.8925-9-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script
Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long

Add a shell script that will help us keep "TlsCipherMappingTable" in "TlsConfig.c" up-to-date.

Cc: Jiaxin Wu
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 CryptoPkg/Library/TlsLib/TlsLib.inf         |   2 +
 CryptoPkg/Library/TlsLib/TlsMappingTable.sh | 140 ++++++++++++++++++++
 2 files changed, 142 insertions(+)
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib= /TlsLib.inf index a3f93e7165cb..dc7f3a5dbd23 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.inf +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -52,6 +52,8 @@ [BuildOptions] # # suppress the following warnings so we do not break the build with warn= ings-as-errors: # C4090: 'function' : different 'const' qualifiers # MSFT:*_*_*_CC_FLAGS =3D /wd4090 =20 +[UserExtensions.TianoCore."ExtraFiles"] + TlsMappingTable.sh diff --git a/CryptoPkg/Library/TlsLib/TlsMappingTable.sh b/CryptoPkg/Librar= y/TlsLib/TlsMappingTable.sh new file mode 100644 index 000000000000..0cb4a4faa597 --- /dev/null +++ b/CryptoPkg/Library/TlsLib/TlsMappingTable.sh 
@@ -0,0 +1,140 @@ +## @file +# +# POSIX shell script to refresh "TlsCipherMappingTable" in "TlsConfig.c". +# +# Note: the output of this script is not meant to blindly replace the curr= ent +# contents of "TlsCipherMappingTable". It only helps with the composition = and +# formatting of candidate lines. +# +# Copyright (C) 2018, Red Hat, Inc. +# +# This program and the accompanying materials are licensed and made availa= ble +# under the terms and conditions of the BSD License which accompanies this +# distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WI= THOUT +# WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +# Exit on error, treat unset variables as errors, don't overwrite existing +# files with the ">" output redirection operator. +set -e -u -C + +# This script uses a few utilities that are not defined by POSIX. Check if= they +# are available. +if ( ! command -v mktemp || + ! command -v openssl || + ! command -v curl || + ! command -v column ) >/dev/null +then + BASENAME=3D$(basename -- "$0") + { + printf -- '%s: please install the following utilities first:\n' "$BASE= NAME" + printf -- '%s: mktemp openssl curl column\n' "$BASENAME" + } >&2 + exit 1 +fi + +# Create a temporary file for saving the OpenSSL output. +OPENSSL_LIST=3D$(mktemp) +trap 'rm -f -- "$OPENSSL_LIST"' EXIT + +# Create a temporary file for saving the IANA TLS Cipher Suite Registry. +IANA_LIST=3D$(mktemp) +trap 'rm -f -- "$OPENSSL_LIST" "$IANA_LIST"' EXIT + +# Sorting, and range expressions in regular expressions, depend on the loc= ale. +# Use a well-defined locale. +LC_ALL=3DC +export LC_ALL + +# Get OPENSSL_LIST. +{ + # List cipher suite codes and names from OpenSSL. 
+ openssl ciphers -V ALL + + # This produces a line format like: + # 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc= =3DAESGCM(256) Mac=3DAEAD + # (sequences of space characters squeezed for brevity). +} | +{ + # Project the list to UINT16 hex codes (network byte order interpretatio= n) + # and OpenSSL cipher suite names. + sed -r -n -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - ([^ ]+) .*$/\1\2 \3= /p' + + # This produces a line format like: + # C030 ECDHE-RSA-AES256-GCM-SHA384 +} | +{ + # Sort the output so we can later join it on the UINT16 hex code as key. + sort +} >>"$OPENSSL_LIST" + +# Get IANA_LIST. +{ + # Download the CSV file from the IANA website. + curl -s https://www.iana.org/assignments/tls-parameters/tls-parameters-4= .csv + + # This produces a line format like: + # Value,Description,DTLS-OK,Reference + # "0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,[RFC5246] +} | +{ + # Project the list to UINT16 hex codes (network byte order interpretatio= n) + # and Descriptions (TLS_xxx macros). + sed -r -n \ + -e 's/^"0x([0-9A-F]{2}),0x([0-9A-F]{2})",([A-Za-z0-9_]+).*$/\1\2 \3/p' + + # This produces a line format like: + # 0000 TLS_NULL_WITH_NULL_NULL +} | +{ + # Sort the output so we can later join it on the UINT16 hex code as key. + sort +} >>"$IANA_LIST" + +# Produce the C source code on stdout. +{ + # Join the two lists first. Elements that are in exactly one input file = are + # dropped. + join -- "$OPENSSL_LIST" "$IANA_LIST" + + # This produces a line format like: + # 0004 RC4-MD5 TLS_RSA_WITH_RC4_128_MD5 + # And the output remains sorted by UINT16 hex key. +} | +{ + # Produce a valid C language line. Be careful that only one space charac= ter + # is preserved, for the next step. + sed -r -n -e 's!^([0-9A-F]{4}) ([^ ]+) ([^ ]+)$!{0x\1,"\2"}, ///\3!p' + + # This produces a line format like: + # {0x0004,"RC4-MD5"}, ///TLS_RSA_WITH_RC4_128_MD5 +} | +{ + # Align the rightmost column nicely (the TLS_xxx macros). 
The "column" + # command will expand the space character as necessary. + column -t + + # This produces a line format like: + # {0x0004,"RC4-MD5"}, ///TLS_RSA_WITH_RC4_128_MD5 +} | +{ + # Final touches: + # - replace the opening brace "{" with " MAP ( ", + # - insert one space character after the first comma "," + # - replace the closing brace "}" with " )", + # - remove one space character after the second comma "," (because the + # "column" utility pads space characters to at least two), + # - insert one space character after the comment marker "///" + sed \ + -e 's/^{/ MAP ( /' \ + -e 's/,/, /' \ + -e 's/}, / ),/' \ + -e 's!///!/// !' + + # This produces a line format like: + # MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC= 4_128_MD5 +} --=20 2.14.1.3.gb7cf6e02401b
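Review bot: the download that feeds the table is not failure-checked: `curl -s https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv` has no `-f`/`--fail`, so an HTTP error page is fed to sed with exit status 0, and because curl runs inside a `{ ... } | { ... } | { ... } >>"$IANA_LIST"` pipeline, `set -e` only ever sees the status of the final `sort`, so even a network failure does not stop the script; the result is an empty IANA_LIST, an empty `join`, and a successful exit with no candidate lines. The same masking applies to `openssl ciphers -V ALL` in the first pipeline. Fetch the CSV as a stand-alone command first (`curl -sSf ... >>"$IANA_LIST"` works under `set -C`) and refuse to continue if the file is empty or its first line is not the `Value,Description,DTLS-OK,Reference` header the comment documents, then filter it. Also worth a sentence in the header comment: per ciphers(1), `ALL` excludes the eNULL suites, so the existing NULL-MD5/NULL-SHA/NULL-SHA256 rows will never appear in the generated output, which should be a conscious decision rather than something a future maintainer "fixes" either way by accident.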
From: Laszlo Ersek
To: edk2-devel-01
Date: Tue, 3 Apr 2018 16:51:45 +0200
Message-Id: <20180403145149.8925-10-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-1-lersek@redhat.com>
References: <20180403145149.8925-1-lersek@redhat.com>
Subject: [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long

Add mapping entries printed by "TlsMappingTable.sh" to "TlsCipherMappingTable". This allows HTTPS / TLS clients to get a good match for their EFI_TLS_CIPHER lists.

Cc: Jiaxin Wu
Cc: Qin Long
Cc: Siyuan Fu
Cc: Ting Ye
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 169 ++++++++++++++++++++
 1 file changed, 169 insertions(+)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index e2f819b9035f..9d21e6c1466d 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -46,31 +46,200 @@ typedef struct { // STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_= MD5 MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_= SHA MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_1= 28_MD5 MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_1= 28_SHA + MAP ( 0x0007, "IDEA-CBC-SHA" ), /// TLS_RSA_WITH_IDEA_= CBC_SHA MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_= EDE_CBC_SHA, mandatory TLS 1.1 + MAP ( 0x000D, "DH-DSS-DES-CBC3-SHA" ), /// TLS_DH_DSS_WITH_3D= ES_EDE_CBC_SHA + MAP ( 0x0010, "DH-RSA-DES-CBC3-SHA" ), /// TLS_DH_RSA_WITH_3D= ES_EDE_CBC_SHA + MAP ( 0x0013, "DHE-DSS-DES-CBC3-SHA" ), /// TLS_DHE_DSS_WITH_3= DES_EDE_CBC_SHA MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3= DES_EDE_CBC_SHA + MAP ( 0x0018, "ADH-RC4-MD5" ), /// TLS_DH_anon_WITH_R= C4_128_MD5 + MAP ( 0x001B, "ADH-DES-CBC3-SHA" ), /// TLS_DH_anon_WITH_3= DES_EDE_CBC_SHA + MAP ( 0x001F, "KRB5-DES-CBC3-SHA" ), /// TLS_KRB5_WITH_3DES= _EDE_CBC_SHA + MAP ( 0x0020, "KRB5-RC4-SHA" ), /// TLS_KRB5_WITH_RC4_= 128_SHA + MAP ( 0x0021, "KRB5-IDEA-CBC-SHA" ), /// TLS_KRB5_WITH_IDEA= _CBC_SHA + MAP ( 0x0023, "KRB5-DES-CBC3-MD5" ), /// TLS_KRB5_WITH_3DES= _EDE_CBC_MD5 + MAP ( 0x0024, "KRB5-RC4-MD5" ), /// TLS_KRB5_WITH_RC4_= 128_MD5 + MAP ( 0x0025, "KRB5-IDEA-CBC-MD5" ), /// TLS_KRB5_WITH_IDEA= _CBC_MD5 MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA, mandatory TLS 1.2 MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA + MAP ( 0x0032, "DHE-DSS-AES128-SHA" ), /// TLS_DHE_DSS_WITH_A= ES_128_CBC_SHA MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA + MAP ( 0x0034, "ADH-AES128-SHA" ), /// TLS_DH_anon_WITH_A= ES_128_CBC_SHA MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA MAP ( 0x0037, 
"DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA + MAP ( 0x0038, "DHE-DSS-AES256-SHA" ), /// TLS_DHE_DSS_WITH_A= ES_256_CBC_SHA MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA + MAP ( 0x003A, "ADH-AES256-SHA" ), /// TLS_DH_anon_WITH_A= ES_256_CBC_SHA MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_= SHA256 MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA256 MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA256 MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA256 MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA256 + MAP ( 0x0040, "DHE-DSS-AES128-SHA256" ), /// TLS_DHE_DSS_WITH_A= ES_128_CBC_SHA256 + MAP ( 0x0041, "CAMELLIA128-SHA" ), /// TLS_RSA_WITH_CAMEL= LIA_128_CBC_SHA + MAP ( 0x0042, "DH-DSS-CAMELLIA128-SHA" ), /// TLS_DH_DSS_WITH_CA= MELLIA_128_CBC_SHA + MAP ( 0x0043, "DH-RSA-CAMELLIA128-SHA" ), /// TLS_DH_RSA_WITH_CA= MELLIA_128_CBC_SHA + MAP ( 0x0044, "DHE-DSS-CAMELLIA128-SHA" ), /// TLS_DHE_DSS_WITH_C= AMELLIA_128_CBC_SHA + MAP ( 0x0045, "DHE-RSA-CAMELLIA128-SHA" ), /// TLS_DHE_RSA_WITH_C= AMELLIA_128_CBC_SHA + MAP ( 0x0046, "ADH-CAMELLIA128-SHA" ), /// TLS_DH_anon_WITH_C= AMELLIA_128_CBC_SHA MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA256 MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA256 MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA256 + MAP ( 0x006A, "DHE-DSS-AES256-SHA256" ), /// TLS_DHE_DSS_WITH_A= ES_256_CBC_SHA256 MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA256 + MAP ( 0x006C, "ADH-AES128-SHA256" ), /// TLS_DH_anon_WITH_A= ES_128_CBC_SHA256 + MAP ( 0x006D, "ADH-AES256-SHA256" ), /// TLS_DH_anon_WITH_A= ES_256_CBC_SHA256 + MAP ( 0x0084, "CAMELLIA256-SHA" ), /// TLS_RSA_WITH_CAMEL= LIA_256_CBC_SHA + MAP ( 0x0085, "DH-DSS-CAMELLIA256-SHA" ), /// TLS_DH_DSS_WITH_CA= MELLIA_256_CBC_SHA + 
MAP ( 0x0086, "DH-RSA-CAMELLIA256-SHA" ), /// TLS_DH_RSA_WITH_CA= MELLIA_256_CBC_SHA + MAP ( 0x0087, "DHE-DSS-CAMELLIA256-SHA" ), /// TLS_DHE_DSS_WITH_C= AMELLIA_256_CBC_SHA + MAP ( 0x0088, "DHE-RSA-CAMELLIA256-SHA" ), /// TLS_DHE_RSA_WITH_C= AMELLIA_256_CBC_SHA + MAP ( 0x0089, "ADH-CAMELLIA256-SHA" ), /// TLS_DH_anon_WITH_C= AMELLIA_256_CBC_SHA + MAP ( 0x008A, "PSK-RC4-SHA" ), /// TLS_PSK_WITH_RC4_1= 28_SHA + MAP ( 0x008B, "PSK-3DES-EDE-CBC-SHA" ), /// TLS_PSK_WITH_3DES_= EDE_CBC_SHA + MAP ( 0x008C, "PSK-AES128-CBC-SHA" ), /// TLS_PSK_WITH_AES_1= 28_CBC_SHA + MAP ( 0x008D, "PSK-AES256-CBC-SHA" ), /// TLS_PSK_WITH_AES_2= 56_CBC_SHA + MAP ( 0x008F, "DHE-PSK-3DES-EDE-CBC-SHA" ), /// TLS_DHE_PSK_WITH_3= DES_EDE_CBC_SHA + MAP ( 0x0090, "DHE-PSK-AES128-CBC-SHA" ), /// TLS_DHE_PSK_WITH_A= ES_128_CBC_SHA + MAP ( 0x0091, "DHE-PSK-AES256-CBC-SHA" ), /// TLS_DHE_PSK_WITH_A= ES_256_CBC_SHA + MAP ( 0x0093, "RSA-PSK-3DES-EDE-CBC-SHA" ), /// TLS_RSA_PSK_WITH_3= DES_EDE_CBC_SHA + MAP ( 0x0094, "RSA-PSK-AES128-CBC-SHA" ), /// TLS_RSA_PSK_WITH_A= ES_128_CBC_SHA + MAP ( 0x0095, "RSA-PSK-AES256-CBC-SHA" ), /// TLS_RSA_PSK_WITH_A= ES_256_CBC_SHA + MAP ( 0x0096, "SEED-SHA" ), /// TLS_RSA_WITH_SEED_= CBC_SHA + MAP ( 0x0097, "DH-DSS-SEED-SHA" ), /// TLS_DH_DSS_WITH_SE= ED_CBC_SHA + MAP ( 0x0098, "DH-RSA-SEED-SHA" ), /// TLS_DH_RSA_WITH_SE= ED_CBC_SHA + MAP ( 0x0099, "DHE-DSS-SEED-SHA" ), /// TLS_DHE_DSS_WITH_S= EED_CBC_SHA + MAP ( 0x009A, "DHE-RSA-SEED-SHA" ), /// TLS_DHE_RSA_WITH_S= EED_CBC_SHA + MAP ( 0x009B, "ADH-SEED-SHA" ), /// TLS_DH_anon_WITH_S= EED_CBC_SHA + MAP ( 0x009C, "AES128-GCM-SHA256" ), /// TLS_RSA_WITH_AES_1= 28_GCM_SHA256 + MAP ( 0x009D, "AES256-GCM-SHA384" ), /// TLS_RSA_WITH_AES_2= 56_GCM_SHA384 + MAP ( 0x009E, "DHE-RSA-AES128-GCM-SHA256" ), /// TLS_DHE_RSA_WITH_A= ES_128_GCM_SHA256 + MAP ( 0x009F, "DHE-RSA-AES256-GCM-SHA384" ), /// TLS_DHE_RSA_WITH_A= ES_256_GCM_SHA384 + MAP ( 0x00A0, "DH-RSA-AES128-GCM-SHA256" ), /// TLS_DH_RSA_WITH_AE= S_128_GCM_SHA256 + MAP ( 
0x00A1, "DH-RSA-AES256-GCM-SHA384" ), /// TLS_DH_RSA_WITH_AE= S_256_GCM_SHA384 + MAP ( 0x00A2, "DHE-DSS-AES128-GCM-SHA256" ), /// TLS_DHE_DSS_WITH_A= ES_128_GCM_SHA256 + MAP ( 0x00A3, "DHE-DSS-AES256-GCM-SHA384" ), /// TLS_DHE_DSS_WITH_A= ES_256_GCM_SHA384 + MAP ( 0x00A4, "DH-DSS-AES128-GCM-SHA256" ), /// TLS_DH_DSS_WITH_AE= S_128_GCM_SHA256 + MAP ( 0x00A5, "DH-DSS-AES256-GCM-SHA384" ), /// TLS_DH_DSS_WITH_AE= S_256_GCM_SHA384 + MAP ( 0x00A6, "ADH-AES128-GCM-SHA256" ), /// TLS_DH_anon_WITH_A= ES_128_GCM_SHA256 + MAP ( 0x00A7, "ADH-AES256-GCM-SHA384" ), /// TLS_DH_anon_WITH_A= ES_256_GCM_SHA384 + MAP ( 0x00A8, "PSK-AES128-GCM-SHA256" ), /// TLS_PSK_WITH_AES_1= 28_GCM_SHA256 + MAP ( 0x00A9, "PSK-AES256-GCM-SHA384" ), /// TLS_PSK_WITH_AES_2= 56_GCM_SHA384 + MAP ( 0x00AA, "DHE-PSK-AES128-GCM-SHA256" ), /// TLS_DHE_PSK_WITH_A= ES_128_GCM_SHA256 + MAP ( 0x00AB, "DHE-PSK-AES256-GCM-SHA384" ), /// TLS_DHE_PSK_WITH_A= ES_256_GCM_SHA384 + MAP ( 0x00AC, "RSA-PSK-AES128-GCM-SHA256" ), /// TLS_RSA_PSK_WITH_A= ES_128_GCM_SHA256 + MAP ( 0x00AD, "RSA-PSK-AES256-GCM-SHA384" ), /// TLS_RSA_PSK_WITH_A= ES_256_GCM_SHA384 + MAP ( 0x00AE, "PSK-AES128-CBC-SHA256" ), /// TLS_PSK_WITH_AES_1= 28_CBC_SHA256 + MAP ( 0x00AF, "PSK-AES256-CBC-SHA384" ), /// TLS_PSK_WITH_AES_2= 56_CBC_SHA384 + MAP ( 0x00B2, "DHE-PSK-AES128-CBC-SHA256" ), /// TLS_DHE_PSK_WITH_A= ES_128_CBC_SHA256 + MAP ( 0x00B3, "DHE-PSK-AES256-CBC-SHA384" ), /// TLS_DHE_PSK_WITH_A= ES_256_CBC_SHA384 + MAP ( 0x00B6, "RSA-PSK-AES128-CBC-SHA256" ), /// TLS_RSA_PSK_WITH_A= ES_128_CBC_SHA256 + MAP ( 0x00B7, "RSA-PSK-AES256-CBC-SHA384" ), /// TLS_RSA_PSK_WITH_A= ES_256_CBC_SHA384 + MAP ( 0x00BA, "CAMELLIA128-SHA256" ), /// TLS_RSA_WITH_CAMEL= LIA_128_CBC_SHA256 + MAP ( 0x00BD, "DHE-DSS-CAMELLIA128-SHA256" ), /// TLS_DHE_DSS_WITH_C= AMELLIA_128_CBC_SHA256 + MAP ( 0x00BE, "DHE-RSA-CAMELLIA128-SHA256" ), /// TLS_DHE_RSA_WITH_C= AMELLIA_128_CBC_SHA256 + MAP ( 0x00BF, "ADH-CAMELLIA128-SHA256" ), /// TLS_DH_anon_WITH_C= 
AMELLIA_128_CBC_SHA256 + MAP ( 0x00C0, "CAMELLIA256-SHA256" ), /// TLS_RSA_WITH_CAMEL= LIA_256_CBC_SHA256 + MAP ( 0x00C3, "DHE-DSS-CAMELLIA256-SHA256" ), /// TLS_DHE_DSS_WITH_C= AMELLIA_256_CBC_SHA256 + MAP ( 0x00C4, "DHE-RSA-CAMELLIA256-SHA256" ), /// TLS_DHE_RSA_WITH_C= AMELLIA_256_CBC_SHA256 + MAP ( 0x00C5, "ADH-CAMELLIA256-SHA256" ), /// TLS_DH_anon_WITH_C= AMELLIA_256_CBC_SHA256 + MAP ( 0xC002, "ECDH-ECDSA-RC4-SHA" ), /// TLS_ECDH_ECDSA_WIT= H_RC4_128_SHA + MAP ( 0xC003, "ECDH-ECDSA-DES-CBC3-SHA" ), /// TLS_ECDH_ECDSA_WIT= H_3DES_EDE_CBC_SHA + MAP ( 0xC004, "ECDH-ECDSA-AES128-SHA" ), /// TLS_ECDH_ECDSA_WIT= H_AES_128_CBC_SHA + MAP ( 0xC005, "ECDH-ECDSA-AES256-SHA" ), /// TLS_ECDH_ECDSA_WIT= H_AES_256_CBC_SHA + MAP ( 0xC007, "ECDHE-ECDSA-RC4-SHA" ), /// TLS_ECDHE_ECDSA_WI= TH_RC4_128_SHA + MAP ( 0xC008, "ECDHE-ECDSA-DES-CBC3-SHA" ), /// TLS_ECDHE_ECDSA_WI= TH_3DES_EDE_CBC_SHA + MAP ( 0xC009, "ECDHE-ECDSA-AES128-SHA" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_CBC_SHA + MAP ( 0xC00A, "ECDHE-ECDSA-AES256-SHA" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_CBC_SHA + MAP ( 0xC00C, "ECDH-RSA-RC4-SHA" ), /// TLS_ECDH_RSA_WITH_= RC4_128_SHA + MAP ( 0xC00D, "ECDH-RSA-DES-CBC3-SHA" ), /// TLS_ECDH_RSA_WITH_= 3DES_EDE_CBC_SHA + MAP ( 0xC00E, "ECDH-RSA-AES128-SHA" ), /// TLS_ECDH_RSA_WITH_= AES_128_CBC_SHA + MAP ( 0xC00F, "ECDH-RSA-AES256-SHA" ), /// TLS_ECDH_RSA_WITH_= AES_256_CBC_SHA + MAP ( 0xC011, "ECDHE-RSA-RC4-SHA" ), /// TLS_ECDHE_RSA_WITH= _RC4_128_SHA + MAP ( 0xC012, "ECDHE-RSA-DES-CBC3-SHA" ), /// TLS_ECDHE_RSA_WITH= _3DES_EDE_CBC_SHA + MAP ( 0xC013, "ECDHE-RSA-AES128-SHA" ), /// TLS_ECDHE_RSA_WITH= _AES_128_CBC_SHA + MAP ( 0xC014, "ECDHE-RSA-AES256-SHA" ), /// TLS_ECDHE_RSA_WITH= _AES_256_CBC_SHA + MAP ( 0xC016, "AECDH-RC4-SHA" ), /// TLS_ECDH_anon_WITH= _RC4_128_SHA + MAP ( 0xC017, "AECDH-DES-CBC3-SHA" ), /// TLS_ECDH_anon_WITH= _3DES_EDE_CBC_SHA + MAP ( 0xC018, "AECDH-AES128-SHA" ), /// TLS_ECDH_anon_WITH= _AES_128_CBC_SHA + MAP ( 0xC019, "AECDH-AES256-SHA" ), /// 
TLS_ECDH_anon_WITH= _AES_256_CBC_SHA + MAP ( 0xC01A, "SRP-3DES-EDE-CBC-SHA" ), /// TLS_SRP_SHA_WITH_3= DES_EDE_CBC_SHA + MAP ( 0xC01B, "SRP-RSA-3DES-EDE-CBC-SHA" ), /// TLS_SRP_SHA_RSA_WI= TH_3DES_EDE_CBC_SHA + MAP ( 0xC01C, "SRP-DSS-3DES-EDE-CBC-SHA" ), /// TLS_SRP_SHA_DSS_WI= TH_3DES_EDE_CBC_SHA + MAP ( 0xC01D, "SRP-AES-128-CBC-SHA" ), /// TLS_SRP_SHA_WITH_A= ES_128_CBC_SHA + MAP ( 0xC01E, "SRP-RSA-AES-128-CBC-SHA" ), /// TLS_SRP_SHA_RSA_WI= TH_AES_128_CBC_SHA + MAP ( 0xC01F, "SRP-DSS-AES-128-CBC-SHA" ), /// TLS_SRP_SHA_DSS_WI= TH_AES_128_CBC_SHA + MAP ( 0xC020, "SRP-AES-256-CBC-SHA" ), /// TLS_SRP_SHA_WITH_A= ES_256_CBC_SHA + MAP ( 0xC021, "SRP-RSA-AES-256-CBC-SHA" ), /// TLS_SRP_SHA_RSA_WI= TH_AES_256_CBC_SHA + MAP ( 0xC022, "SRP-DSS-AES-256-CBC-SHA" ), /// TLS_SRP_SHA_DSS_WI= TH_AES_256_CBC_SHA + MAP ( 0xC023, "ECDHE-ECDSA-AES128-SHA256" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_CBC_SHA256 + MAP ( 0xC024, "ECDHE-ECDSA-AES256-SHA384" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_CBC_SHA384 + MAP ( 0xC025, "ECDH-ECDSA-AES128-SHA256" ), /// TLS_ECDH_ECDSA_WIT= H_AES_128_CBC_SHA256 + MAP ( 0xC026, "ECDH-ECDSA-AES256-SHA384" ), /// TLS_ECDH_ECDSA_WIT= H_AES_256_CBC_SHA384 + MAP ( 0xC027, "ECDHE-RSA-AES128-SHA256" ), /// TLS_ECDHE_RSA_WITH= _AES_128_CBC_SHA256 + MAP ( 0xC028, "ECDHE-RSA-AES256-SHA384" ), /// TLS_ECDHE_RSA_WITH= _AES_256_CBC_SHA384 + MAP ( 0xC029, "ECDH-RSA-AES128-SHA256" ), /// TLS_ECDH_RSA_WITH_= AES_128_CBC_SHA256 + MAP ( 0xC02A, "ECDH-RSA-AES256-SHA384" ), /// TLS_ECDH_RSA_WITH_= AES_256_CBC_SHA384 + MAP ( 0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_GCM_SHA256 + MAP ( 0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_GCM_SHA384 + MAP ( 0xC02D, "ECDH-ECDSA-AES128-GCM-SHA256" ), /// TLS_ECDH_ECDSA_WIT= H_AES_128_GCM_SHA256 + MAP ( 0xC02E, "ECDH-ECDSA-AES256-GCM-SHA384" ), /// TLS_ECDH_ECDSA_WIT= H_AES_256_GCM_SHA384 + MAP ( 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" ), /// TLS_ECDHE_RSA_WITH= 
_AES_128_GCM_SHA256 + MAP ( 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" ), /// TLS_ECDHE_RSA_WITH= _AES_256_GCM_SHA384 + MAP ( 0xC031, "ECDH-RSA-AES128-GCM-SHA256" ), /// TLS_ECDH_RSA_WITH_= AES_128_GCM_SHA256 + MAP ( 0xC032, "ECDH-RSA-AES256-GCM-SHA384" ), /// TLS_ECDH_RSA_WITH_= AES_256_GCM_SHA384 + MAP ( 0xC034, "ECDHE-PSK-3DES-EDE-CBC-SHA" ), /// TLS_ECDHE_PSK_WITH= _3DES_EDE_CBC_SHA + MAP ( 0xC035, "ECDHE-PSK-AES128-CBC-SHA" ), /// TLS_ECDHE_PSK_WITH= _AES_128_CBC_SHA + MAP ( 0xC036, "ECDHE-PSK-AES256-CBC-SHA" ), /// TLS_ECDHE_PSK_WITH= _AES_256_CBC_SHA + MAP ( 0xC037, "ECDHE-PSK-AES128-CBC-SHA256" ), /// TLS_ECDHE_PSK_WITH= _AES_128_CBC_SHA256 + MAP ( 0xC038, "ECDHE-PSK-AES256-CBC-SHA384" ), /// TLS_ECDHE_PSK_WITH= _AES_256_CBC_SHA384 + MAP ( 0xC072, "ECDHE-ECDSA-CAMELLIA128-SHA256" ), /// TLS_ECDHE_ECDSA_WI= TH_CAMELLIA_128_CBC_SHA256 + MAP ( 0xC073, "ECDHE-ECDSA-CAMELLIA256-SHA384" ), /// TLS_ECDHE_ECDSA_WI= TH_CAMELLIA_256_CBC_SHA384 + MAP ( 0xC076, "ECDHE-RSA-CAMELLIA128-SHA256" ), /// TLS_ECDHE_RSA_WITH= _CAMELLIA_128_CBC_SHA256 + MAP ( 0xC077, "ECDHE-RSA-CAMELLIA256-SHA384" ), /// TLS_ECDHE_RSA_WITH= _CAMELLIA_256_CBC_SHA384 + MAP ( 0xC094, "PSK-CAMELLIA128-SHA256" ), /// TLS_PSK_WITH_CAMEL= LIA_128_CBC_SHA256 + MAP ( 0xC095, "PSK-CAMELLIA256-SHA384" ), /// TLS_PSK_WITH_CAMEL= LIA_256_CBC_SHA384 + MAP ( 0xC096, "DHE-PSK-CAMELLIA128-SHA256" ), /// TLS_DHE_PSK_WITH_C= AMELLIA_128_CBC_SHA256 + MAP ( 0xC097, "DHE-PSK-CAMELLIA256-SHA384" ), /// TLS_DHE_PSK_WITH_C= AMELLIA_256_CBC_SHA384 + MAP ( 0xC098, "RSA-PSK-CAMELLIA128-SHA256" ), /// TLS_RSA_PSK_WITH_C= AMELLIA_128_CBC_SHA256 + MAP ( 0xC099, "RSA-PSK-CAMELLIA256-SHA384" ), /// TLS_RSA_PSK_WITH_C= AMELLIA_256_CBC_SHA384 + MAP ( 0xC09A, "ECDHE-PSK-CAMELLIA128-SHA256" ), /// TLS_ECDHE_PSK_WITH= _CAMELLIA_128_CBC_SHA256 + MAP ( 0xC09B, "ECDHE-PSK-CAMELLIA256-SHA384" ), /// TLS_ECDHE_PSK_WITH= _CAMELLIA_256_CBC_SHA384 + MAP ( 0xC09C, "AES128-CCM" ), /// TLS_RSA_WITH_AES_1= 28_CCM + MAP ( 0xC09D, "AES256-CCM" ), /// 
TLS_RSA_WITH_AES_2= 56_CCM + MAP ( 0xC09E, "DHE-RSA-AES128-CCM" ), /// TLS_DHE_RSA_WITH_A= ES_128_CCM + MAP ( 0xC09F, "DHE-RSA-AES256-CCM" ), /// TLS_DHE_RSA_WITH_A= ES_256_CCM + MAP ( 0xC0A0, "AES128-CCM8" ), /// TLS_RSA_WITH_AES_1= 28_CCM_8 + MAP ( 0xC0A1, "AES256-CCM8" ), /// TLS_RSA_WITH_AES_2= 56_CCM_8 + MAP ( 0xC0A2, "DHE-RSA-AES128-CCM8" ), /// TLS_DHE_RSA_WITH_A= ES_128_CCM_8 + MAP ( 0xC0A3, "DHE-RSA-AES256-CCM8" ), /// TLS_DHE_RSA_WITH_A= ES_256_CCM_8 + MAP ( 0xC0A4, "PSK-AES128-CCM" ), /// TLS_PSK_WITH_AES_1= 28_CCM + MAP ( 0xC0A5, "PSK-AES256-CCM" ), /// TLS_PSK_WITH_AES_2= 56_CCM + MAP ( 0xC0A6, "DHE-PSK-AES128-CCM" ), /// TLS_DHE_PSK_WITH_A= ES_128_CCM + MAP ( 0xC0A7, "DHE-PSK-AES256-CCM" ), /// TLS_DHE_PSK_WITH_A= ES_256_CCM + MAP ( 0xC0A8, "PSK-AES128-CCM8" ), /// TLS_PSK_WITH_AES_1= 28_CCM_8 + MAP ( 0xC0A9, "PSK-AES256-CCM8" ), /// TLS_PSK_WITH_AES_2= 56_CCM_8 + MAP ( 0xC0AA, "DHE-PSK-AES128-CCM8" ), /// TLS_PSK_DHE_WITH_A= ES_128_CCM_8 + MAP ( 0xC0AB, "DHE-PSK-AES256-CCM8" ), /// TLS_PSK_DHE_WITH_A= ES_256_CCM_8 + MAP ( 0xC0AC, "ECDHE-ECDSA-AES128-CCM" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_CCM + MAP ( 0xC0AD, "ECDHE-ECDSA-AES256-CCM" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_CCM + MAP ( 0xC0AE, "ECDHE-ECDSA-AES128-CCM8" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_128_CCM_8 + MAP ( 0xC0AF, "ECDHE-ECDSA-AES256-CCM8" ), /// TLS_ECDHE_ECDSA_WI= TH_AES_256_CCM_8 + MAP ( 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305" ), /// TLS_ECDHE_RSA_WITH= _CHACHA20_POLY1305_SHA256 + MAP ( 0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305" ), /// TLS_ECDHE_ECDSA_WI= TH_CHACHA20_POLY1305_SHA256 + MAP ( 0xCCAA, "DHE-RSA-CHACHA20-POLY1305" ), /// TLS_DHE_RSA_WITH_C= HACHA20_POLY1305_SHA256 + MAP ( 0xCCAB, "PSK-CHACHA20-POLY1305" ), /// TLS_PSK_WITH_CHACH= A20_POLY1305_SHA256 + MAP ( 0xCCAC, "ECDHE-PSK-CHACHA20-POLY1305" ), /// TLS_ECDHE_PSK_WITH= _CHACHA20_POLY1305_SHA256 + MAP ( 0xCCAD, "DHE-PSK-CHACHA20-POLY1305" ), /// TLS_DHE_PSK_WITH_C= HACHA20_POLY1305_SHA256 + MAP ( 0xCCAE, 
"RSA-PSK-CHACHA20-POLY1305" ), /// TLS_RSA_PSK_WITH_C= HACHA20_POLY1305_SHA256 }; =20 /** Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher s= uite. =20 @param[in] CipherId The supplied IANA TLS cipher suite ID. --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1522767155616122.49820171866043; Tue, 3 Apr 2018 07:52:35 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 160E1226C7C2E; Tue, 3 Apr 2018 07:52:16 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B31F4226C7C20 for ; Tue, 3 Apr 2018 07:52:14 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 02881406E8A4; Tue, 3 Apr 2018 14:52:14 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id 872B92026E0E; Tue, 3 Apr 2018 14:52:12 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) 
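Review bot: the entries in this hunk are in ascending IANA ID order (0x0086 through 0xCCAE), and the only consumer shown is the function documented at the end of the hunk as "Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite"; if that lookup depends on the ordering (binary search), state the requirement in a comment above the array and ASSERT it in DEBUG builds, because an entry added out of order would silently make suites unmappable. Separately, the table carries anonymous and legacy suites such as `MAP ( 0x0089, "ADH-CAMELLIA256-SHA" )`, `MAP ( 0xC016, "AECDH-RC4-SHA" )` and `MAP ( 0xC012, "ECDHE-RSA-DES-CBC3-SHA" )`; a one-line comment that presence in this mapping is not an endorsement, and that the policy decision lives in the CipherId list the caller supplies (the host crypto-policy file in the OVMF use case), would keep readers from treating the table as an allow-list.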
identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Tue, 3 Apr 2018 16:51:46 +0200 Message-Id: <20180403145149.8925-11-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 14:52:14 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 14:52:14 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 10/13] CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" In the next patches, we'll update the library classes in "InternalTlsLib.h" and "TlsLib.inf". It is easier to verify correctness if those sections are sorted. Cc: Jiaxin Wu Cc: Qin Long Cc: Siyuan Fu Cc: Ting Ye Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- CryptoPkg/Library/TlsLib/TlsLib.inf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib= /TlsLib.inf index dc7f3a5dbd23..44789ceeefa3 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.inf +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf 
@@ -38,18 +38,18 @@ [Packages] MdePkg/MdePkg.dec CryptoPkg/CryptoPkg.dec =20 [LibraryClasses] BaseLib BaseMemoryLib - MemoryAllocationLib - UefiRuntimeServicesTableLib DebugLib - OpensslLib IntrinsicLib + MemoryAllocationLib + OpensslLib PrintLib + UefiRuntimeServicesTableLib =20 [BuildOptions] # # suppress the following warnings so we do not break the build with warn= ings-as-errors: # C4090: 'function' : different 'const' qualifiers # --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1522767160416626.5610475740764; Tue, 3 Apr 2018 07:52:40 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 3D3E9226C7C33; Tue, 3 Apr 2018 07:52:18 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E9BB3226C7C21 for ; Tue, 3 Apr 2018 07:52:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 438C56166F; Tue, 3 Apr 2018 14:52:16 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id 607382026E0E; Tue, 3 Apr 2018 14:52:14 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 
From: Laszlo Ersek To: edk2-devel-01 Date: Tue, 3 Apr 2018 16:51:47 +0200 Message-Id: <20180403145149.8925-12-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 03 Apr 2018 14:52:16 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 03 Apr 2018 14:52:16 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 11/13] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" "InternalTlsLib.h" includes "BaseCryptLib.h", but the lib class is not listed in the INF file. The INF file lists a good number of lib classes, but none of the lib class headers are included by "InternalTlsLib.h". Synchronize both lists, while removing those library classes that aren't actually needed. (IntrinsicLib and OpensslLib have no edk2 class headers.) Cc: Jiaxin Wu Cc: Qin Long Cc: Siyuan Fu Cc: Ting Ye Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- CryptoPkg/Library/TlsLib/TlsLib.inf | 4 +--- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib= /TlsLib.inf index 44789ceeefa3..dbb737b2a147 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.inf +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -36,20 +36,18 @@ [Sources] =20 [Packages] MdePkg/MdePkg.dec CryptoPkg/CryptoPkg.dec =20 [LibraryClasses] + BaseCryptLib BaseLib BaseMemoryLib DebugLib IntrinsicLib - MemoryAllocationLib OpensslLib - PrintLib - UefiRuntimeServicesTableLib =20 [BuildOptions] # # suppress the following warnings so we do not break the build with warn= ings-as-errors: # C4090: 'function' : different 'const' qualifiers # diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/= TlsLib/InternalTlsLib.h index 88c4e3b38e4e..3f18a461a8d1 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h 
@@ -16,12 +16,15 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #define __INTERNAL_TLS_LIB_H__ =20 #undef _WIN32 #undef _WIN64 =20 #include +#include +#include +#include #include #include #include =20 typedef struct { // --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1522767165628839.5984559156004; Tue, 3 Apr 2018 07:52:45 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 69535226C7C35; Tue, 3 Apr 2018 07:52:20 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CC6B7226C7C21 for ; Tue, 3 Apr 2018 07:52:18 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1B3914022909; Tue, 3 Apr 2018 14:52:18 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9E20F2026E0E; Tue, 3 Apr 2018 14:52:16 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass 
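Review bot: the three added `#include` lines in the InternalTlsLib.h hunk show up empty in this archive (the angle-bracketed header names were stripped), so the hunk alone does not let a reviewer confirm which headers are included; please check that they are the class headers for BaseLib, BaseMemoryLib and DebugLib, so that together with the already-included BaseCryptLib.h the include list matches the new [LibraryClasses] list (BaseCryptLib, BaseLib, BaseMemoryLib, DebugLib, plus IntrinsicLib and OpensslLib, which the commit message says have no edk2 class headers) one-to-one. Dropping MemoryAllocationLib, PrintLib and UefiRuntimeServicesTableLib from the INF is only safe if no source file in the library calls their APIs; a build of every platform that links TlsLib is the check worth mentioning in the commit message.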
(sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Tue, 3 Apr 2018 16:51:48 +0200 Message-Id: <20180403145149.8925-13-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 03 Apr 2018 14:52:18 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 03 Apr 2018 14:52:18 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 12/13] CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The TlsSetCipherList() function documents its CipherId parameter incorrectly. Document the parameter precisely and use the same documentation in both the lib class header and the lib instance. Cc: Jiaxin Wu Cc: Qin Long Cc: Siyuan Fu Cc: Ting Ye Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- CryptoPkg/Include/Library/TlsLib.h | 6 ++++-- CryptoPkg/Library/TlsLib/TlsConfig.c | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) 
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index e19a38a214ce..0ffbcb2b7c2a 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -345,14 +345,16 @@ TlsSetConnectionEnd ( /** Set the ciphers list to be used by the TLS object. =20 This function sets the ciphers for use by a specified TLS object. =20 @param[in] Tls Pointer to a TLS object. - @param[in] CipherId Pointer to a string that contains one or more - ciphers separated by a colon. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Sui= te + Registry of the IANA, interpreting Byte1 and By= te2 + in network (big endian) byte order. @param[in] CipherNum The number of cipher in the list. =20 @retval EFI_SUCCESS The ciphers list was set successfully. @retval EFI_INVALID_PARAMETER The parameter is invalid. @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. =20 diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index 9d21e6c1466d..ab786fc23849 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -401,13 +401,16 @@ TlsSetConnectionEnd ( /** Set the ciphers list to be used by the TLS object. =20 This function sets the ciphers for use by a specified TLS object. =20 @param[in] Tls Pointer to a TLS object. - @param[in] CipherId Pointer to a UINT16 cipher Id. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Sui= te + Registry of the IANA, interpreting Byte1 and By= te2 + in network (big endian) byte order. @param[in] CipherNum The number of cipher in the list. =20 @retval EFI_SUCCESS The ciphers list was set successfully. @retval EFI_INVALID_PARAMETER The parameter is invalid. @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 03:31:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1522767169911863.3625014849789; Tue, 3 Apr 2018 07:52:49 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 90D0E226C7C39; Tue, 3 Apr 2018 07:52:21 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 9CEFE226C7C21 for ; Tue, 3 Apr 2018 07:52:20 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E8D24406E8A4; Tue, 3 Apr 2018 14:52:19 
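Review bot: in both hunks `@param[in] CipherNum The number of cipher in the list.` is kept as-is while the CipherId line above it is rewritten; since the old CipherId text ("Pointer to a string that contains one or more ciphers separated by a colon") left room to read CipherNum as a byte count, reword it in the same pass to say it is the number of UINT16 elements in the CipherId array (and fix "number of cipher" to "number of ciphers"). The new CipherId wording is now identical in the lib class header and the instance, which is what the commit message asks for.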
From: Laszlo Ersek To: edk2-devel-01 Date: Tue, 3 Apr 2018 16:51:49 +0200 Message-Id: <20180403145149.8925-14-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 14:52:19 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 14:52:19 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 13/13] CryptoPkg/TlsLib: rewrite TlsSetCipherList() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ting Ye , Siyuan Fu , Jiaxin Wu , Qin Long MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Rewrite the TlsSetCipherList() function in order to fix the following issues: - Any cipher identifier in CipherId that is not recognized by TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED. This is a problem because CipherId is an ordered preference list, and a caller should not get EFI_UNSUPPORTED just because it has an elaborate CipherId preference list. Instead, we can filter out cipher identifiers that we don't recognize, as long as we keep the relative order intact. - CipherString is allocated on the stack, with 500 bytes. While processing a large CipherId preference list, this room may not be enough. Although no buffer overflow is possible, CipherString exhaustion can lead to a failed TLS connection, because any cipher names that don't fit on CipherString cannot be negotiated. 
Compute CipherStringSize first, and allocate CipherString dynamically. - Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString. (Assuming there is enough room left in CipherString.) This causes OpenSSL to sort the cipher list "in order of encryption algorithm key length". This is a bad idea. The caller specifically passes an ordered preference list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to reorder the list, for any reason. Drop "@STRENGTH". Cc: Jiaxin Wu Cc: Qin Long Cc: Siyuan Fu Cc: Ting Ye Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- CryptoPkg/Library/TlsLib/TlsLib.inf | 3 +- CryptoPkg/Include/Library/TlsLib.h | 3 +- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 3 +- CryptoPkg/Library/TlsLib/TlsConfig.c | 163 +++++++++++++++++--- 4 files changed, 149 insertions(+), 23 deletions(-) diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib= /TlsLib.inf index dbb737b2a147..9b44c9cdab3a 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.inf +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -37,17 +37,18 @@ [Sources] [Packages] MdePkg/MdePkg.dec CryptoPkg/CryptoPkg.dec =20 [LibraryClasses] BaseCryptLib - BaseLib BaseMemoryLib DebugLib IntrinsicLib + MemoryAllocationLib OpensslLib + SafeIntLib =20 [BuildOptions] # # suppress the following warnings so we do not break the build with warn= ings-as-errors: # C4090: 'function' : different 'const' qualifiers # diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index 0ffbcb2b7c2a..e71291eaea45 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h 
@@ -353,13 +353,14 @@ TlsSetConnectionEnd ( Registry of the IANA, interpreting Byte1 and By= te2 in network (big endian) byte order. @param[in] CipherNum The number of cipher in the list. =20 @retval EFI_SUCCESS The ciphers list was set successfully. @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in Ciph= erId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. =20 **/ EFI_STATUS EFIAPI TlsSetCipherList ( IN VOID *Tls, diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/= TlsLib/InternalTlsLib.h index 3f18a461a8d1..b6cf9816aa38 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -16,15 +16,16 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #define __INTERNAL_TLS_LIB_H__ =20 #undef _WIN32 #undef _WIN64 =20 #include -#include #include #include +#include +#include #include #include #include =20 typedef struct { // diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index ab786fc23849..c7d643fd81f7 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
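Review bot: the INF hunk drops BaseLib and adds MemoryAllocationLib and SafeIntLib, and the InternalTlsLib.h hunk removes one `#include` and adds two (the header names are stripped in this archive), but the commit message explains neither change; the reason is visible in the TlsConfig.c hunk below, where the `AsciiStrCatS` calls (the last BaseLib users) are replaced by `AllocatePool`/`FreePool`, `CopyMem` and `SafeUintnMult`/`SafeUintnAdd`. Add a sentence on the library class churn to the commit message, and confirm that the removed include is Library/BaseLib.h and the added ones are Library/MemoryAllocationLib.h and Library/SafeIntLib.h, with BaseMemoryLib.h and DebugLib.h kept since `CopyMem`, `DEBUG` and `ASSERT` are still used.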
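Review bot: the new `@retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId.` in the TlsLib.h hunk (and its copy in TlsConfig.c) is narrower than the implementation: in the TlsConfig.c hunk EFI_UNSUPPORTED is also returned when `SSL_set_cipher_list` fails on a CipherString built entirely from recognized identifiers, for example when the OpenSSL build does not support one of them. Say so in the description ("..., or OpenSSL rejected the resulting cipher list") so callers do not assume EFI_UNSUPPORTED means every identifier was unknown.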
@@ -409,69 +409,192 @@ TlsSetConnectionEnd ( Registry of the IANA, interpreting Byte1 and By= te2 in network (big endian) byte order. @param[in] CipherNum The number of cipher in the list. =20 @retval EFI_SUCCESS The ciphers list was set successfully. @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in Ciph= erId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. =20 **/ EFI_STATUS EFIAPI TlsSetCipherList ( IN VOID *Tls, IN UINT16 *CipherId, IN UINTN CipherNum ) { TLS_CONNECTION *TlsConn; + EFI_STATUS Status; + CONST TLS_CIPHER_MAPPING **MappedCipher; + UINTN MappedCipherBytes; + UINTN MappedCipherCount; + UINTN CipherStringSize; UINTN Index; CONST TLS_CIPHER_MAPPING *Mapping; - CONST CHAR8 *MappingName; - CHAR8 CipherString[500]; + CHAR8 *CipherString; + CHAR8 *CipherStringPosition; =20 TlsConn =3D (TLS_CONNECTION *) Tls; if (TlsConn =3D=3D NULL || TlsConn->Ssl =3D=3D NULL || CipherId =3D=3D N= ULL) { return EFI_INVALID_PARAMETER; } =20 - Mapping =3D NULL; - MappingName =3D NULL; - - memset (CipherString, 0, sizeof (CipherString)); + // + // Allocate the MappedCipher array for recording the mappings that we fi= nd + // for the input IANA identifiers in CipherId. + // + Status =3D SafeUintnMult (CipherNum, sizeof (*MappedCipher), + &MappedCipherBytes); + if (EFI_ERROR (Status)) { + return EFI_OUT_OF_RESOURCES; + } + MappedCipher =3D AllocatePool (MappedCipherBytes); + if (MappedCipher =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } =20 + // + // Map the cipher IDs, and count the number of bytes for the full + // CipherString. + // + MappedCipherCount =3D 0; + CipherStringSize =3D 0; for (Index =3D 0; Index < CipherNum; Index++) { // - // Handling OpenSSL / RFC Cipher name mapping. + // Look up the IANA-to-OpenSSL mapping. 
// - Mapping =3D TlsGetCipherMapping (*(CipherId + Index)); + Mapping =3D TlsGetCipherMapping (CipherId[Index]); if (Mapping =3D=3D NULL) { - return EFI_UNSUPPORTED; - } - MappingName =3D Mapping->OpensslCipher; - - if (Index !=3D 0) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: skipping CipherId=3D0x%04x\n", + gEfiCallerBaseName, __FUNCTION__, CipherId[Index])); // - // The ciphers were separated by a colon. + // Skipping the cipher is valid because CipherId is an ordered + // preference list of ciphers, thus we can filter it as long as we + // don't change the relative order of elements on it. // - AsciiStrCatS (CipherString, sizeof (CipherString), ":"); + continue; + } + // + // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If t= his + // is not the first successful mapping, account for a colon (":") pref= ix + // too. + // + if (MappedCipherCount > 0) { + Status =3D SafeUintnAdd (CipherStringSize, 1, &CipherStringSize); + if (EFI_ERROR (Status)) { + Status =3D EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + } + Status =3D SafeUintnAdd (CipherStringSize, Mapping->OpensslCipherLengt= h, + &CipherStringSize); + if (EFI_ERROR (Status)) { + Status =3D EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; } + // + // Record the mapping. + // + MappedCipher[MappedCipherCount++] =3D Mapping; + } =20 - AsciiStrCatS (CipherString, sizeof (CipherString), MappingName); + // + // Verify that at least one IANA cipher ID could be mapped; account for = the + // terminating NUL character in CipherStringSize; allocate CipherString. 
+ // + if (MappedCipherCount =3D=3D 0) { + DEBUG ((DEBUG_ERROR, "%a:%a: no CipherId could be mapped\n", + gEfiCallerBaseName, __FUNCTION__)); + Status =3D EFI_UNSUPPORTED; + goto FreeMappedCipher; + } + Status =3D SafeUintnAdd (CipherStringSize, 1, &CipherStringSize); + if (EFI_ERROR (Status)) { + Status =3D EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + CipherString =3D AllocatePool (CipherStringSize); + if (CipherString =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; } =20 - AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH"); + // + // Go over the collected mappings and populate CipherString. + // + CipherStringPosition =3D CipherString; + for (Index =3D 0; Index < MappedCipherCount; Index++) { + Mapping =3D MappedCipher[Index]; + // + // Append the colon (":") prefix except for the first mapping, then ap= pend + // Mapping->OpensslCipher. + // + if (Index > 0) { + *(CipherStringPosition++) =3D ':'; + } + CopyMem (CipherStringPosition, Mapping->OpensslCipher, + Mapping->OpensslCipherLength); + CipherStringPosition +=3D Mapping->OpensslCipherLength; + } + + // + // NUL-terminate CipherString. + // + *(CipherStringPosition++) =3D '\0'; + ASSERT (CipherStringPosition =3D=3D CipherString + CipherStringSize); + + // + // Log CipherString for debugging. CipherString can be very long if the + // caller provided a large CipherId array, so log CipherString in segmen= ts of + // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100= in + // DebugLib instances.) 
+ // + DEBUG_CODE ( + UINTN FullLength; + UINTN SegmentLength; + + FullLength =3D CipherStringSize - 1; + DEBUG ((DEBUG_VERBOSE, "%a:%a: CipherString=3D{\n", gEfiCallerBaseName, + __FUNCTION__)); + for (CipherStringPosition =3D CipherString; + CipherStringPosition < CipherString + FullLength; + CipherStringPosition +=3D SegmentLength) { + SegmentLength =3D FullLength - (CipherStringPosition - CipherString); + if (SegmentLength > 79) { + SegmentLength =3D 79; + } + DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition= )); + } + DEBUG ((DEBUG_VERBOSE, "}\n")); + // + // Restore the pre-debug value of CipherStringPosition by skipping ove= r the + // trailing NUL. + // + CipherStringPosition++; + ASSERT (CipherStringPosition =3D=3D CipherString + CipherStringSize); + ); =20 // // Sets the ciphers for use by the Tls object. // if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <=3D 0) { - return EFI_UNSUPPORTED; + Status =3D EFI_UNSUPPORTED; + goto FreeCipherString; } =20 - return EFI_SUCCESS; + Status =3D EFI_SUCCESS; + +FreeCipherString: + FreePool (CipherString); + +FreeMappedCipher: + FreePool (MappedCipher); + + return Status; } =20 /** Set the compression method for TLS/SSL operations. =20 This function handles TLS/SSL integrated compression methods. --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
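Review bot: the parameter check at the top of TlsSetCipherList() still only rejects a NULL CipherId; a CipherNum of 0 passes it, SafeUintnMult () then yields MappedCipherBytes == 0, and the hunk goes on to call AllocatePool (0), whose result (NULL versus a zero-length buffer) depends on the MemoryAllocationLib instance, before finally reporting EFI_UNSUPPORTED from the MappedCipherCount == 0 branch. Extending the existing check to `CipherId == NULL || CipherNum == 0` and returning EFI_INVALID_PARAMETER there makes the empty-list case deterministic and matches the documented meaning of EFI_INVALID_PARAMETER. A second, documentation point: the hunk drops the trailing ":@STRENGTH" that the old code appended, so OpenSSL no longer re-sorts the list by strength and the caller's order in CipherId is now the preference order (the new comment beside the `continue` relies on exactly that). The function's doc block should state this explicitly, since callers that previously relied on strength ordering will see different negotiation results.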
