This patch update the wrapper implementation in TlsLib to align
with the latest OpenSSL-1.1.0xx API changes.
Cc: Ting Ye <ting.ye@intel.com>
Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++-
CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++-----
CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++----------------------
3 files changed, 31 insertions(+), 46 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index e75146648d..97727361e8 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -1,7 +1,7 @@
/** @file
Internal include file for TlsLib.
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -15,6 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#ifndef __INTERNAL_TLS_LIB_H__
#define __INTERNAL_TLS_LIB_H__
+#undef _WIN32
+#undef _WIN64
+
#include <Library/BaseCryptLib.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index f103da4321..43e275d400 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -128,24 +128,30 @@ TlsSetVersion (
ProtoVersion = (MajorVer << 8) | MinorVer;
+ //
+ // Bound TLS method to the particular specified version.
+ //
switch (ProtoVersion) {
case TLS1_VERSION:
//
// TLS 1.0
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
break;
case TLS1_1_VERSION:
//
// TLS 1.1
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
break;
case TLS1_2_VERSION:
//
// TLS 1.2
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
break;
default:
//
@@ -384,8 +390,7 @@ TlsSetSessionId (
return EFI_UNSUPPORTED;
}
- Session->session_id_length = SessionIdLen;
- CopyMem (Session->session_id, SessionId, Session->session_id_length);
+ SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
return EFI_SUCCESS;
}
@@ -847,7 +852,7 @@ TlsGetClientRandom (
return;
}
- CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE);
+ SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
}
/**
@@ -876,7 +881,7 @@ TlsGetServerRandom (
return;
}
- CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE);
+ SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
}
/**
@@ -916,7 +921,7 @@ TlsGetKeyMaterial (
return EFI_UNSUPPORTED;
}
- CopyMem (KeyMaterial, Session->master_key, Session->master_key_length);
+ SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
return EFI_SUCCESS;
}
diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/TlsInit.c
index 6b1fd93ea9..f32148ac9a 100644
--- a/CryptoPkg/Library/TlsLib/TlsInit.c
+++ b/CryptoPkg/Library/TlsLib/TlsInit.c
@@ -1,7 +1,7 @@
/** @file
SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -33,14 +33,10 @@ TlsInitialize (
// Performs initialization of crypto and ssl library, and loads required
// algorithms.
//
- SSL_library_init ();
-
- //
- // Loads error strings from both crypto and ssl library.
- //
- SSL_load_error_strings ();
-
- /// OpenSSL_add_all_algorithms();
+ OPENSSL_init_ssl (
+ OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
+ NULL
+ );
//
// Initialize the pseudorandom number generator.
@@ -103,34 +99,10 @@ TlsCtxNew (
SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
//
- // Treat as minimum accepted versions. Client can use higher
- // TLS version if server supports it
- //
- switch (ProtoVersion) {
- case TLS1_VERSION:
- //
- // TLS 1.0
- //
- break;
- case TLS1_1_VERSION:
- //
- // TLS 1.1
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
- break;
- case TLS1_2_VERSION:
- //
- // TLS 1.2
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
- break;
- default:
- //
- // Unsupported TLS/SSL Protocol Version.
- //
- break;
- }
+ // Treat as minimum accepted versions by setting the minimal bound.
+ // Client can use higher TLS version if server supports it
+ //
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
return (VOID *) TlsCtx;
}
@@ -220,6 +192,11 @@ TlsNew (
}
//
+ // This retains compatibility with previous version of OpenSSL.
+ //
+ SSL_set_security_level (TlsConn->Ssl, 0);
+
+ //
// Initialize the created SSL Object
//
SSL_set_info_callback (TlsConn->Ssl, NULL);
--
2.11.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
This looks fine. I will do additional testing once I pull this into my tree. Thanks Qin/Jiaxin!
Regards,
Thomas Palmer
"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
-----Original Message-----
From: Qin Long [mailto:qin.long@intel.com]
Sent: Thursday, March 23, 2017 8:20 AM
To: edk2-devel@lists.01.org
Cc: ting.ye@intel.com; jiaxin.wu@intel.com; lersek@redhat.com; ard.biesheuvel@linaro.org; glin@suse.com; ronald.cron@arm.com; Moso.Lee@citrix.com; Palmer, Thomas <thomas.palmer@hpe.com>
Subject: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes.
This patch update the wrapper implementation in TlsLib to align with the latest OpenSSL-1.1.0xx API changes.
Cc: Ting Ye <ting.ye@intel.com>
Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++-
CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++-----
CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++----------------------
3 files changed, 31 insertions(+), 46 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index e75146648d..97727361e8 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -1,7 +1,7 @@
/** @file
Internal include file for TlsLib.
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -15,6 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#ifndef __INTERNAL_TLS_LIB_H__
#define __INTERNAL_TLS_LIB_H__
+#undef _WIN32
+#undef _WIN64
+
#include <Library/BaseCryptLib.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index f103da4321..43e275d400 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -128,24 +128,30 @@ TlsSetVersion (
ProtoVersion = (MajorVer << 8) | MinorVer;
+ //
+ // Bound TLS method to the particular specified version.
+ //
switch (ProtoVersion) {
case TLS1_VERSION:
//
// TLS 1.0
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
break;
case TLS1_1_VERSION:
//
// TLS 1.1
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
break;
case TLS1_2_VERSION:
//
// TLS 1.2
//
- SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
break;
default:
//
@@ -384,8 +390,7 @@ TlsSetSessionId (
return EFI_UNSUPPORTED;
}
- Session->session_id_length = SessionIdLen;
- CopyMem (Session->session_id, SessionId, Session->session_id_length);
+ SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,
+ SessionIdLen);
return EFI_SUCCESS;
}
@@ -847,7 +852,7 @@ TlsGetClientRandom (
return;
}
- CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE);
+ SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
}
/**
@@ -876,7 +881,7 @@ TlsGetServerRandom (
return;
}
- CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE);
+ SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
}
/**
@@ -916,7 +921,7 @@ TlsGetKeyMaterial (
return EFI_UNSUPPORTED;
}
- CopyMem (KeyMaterial, Session->master_key, Session->master_key_length);
+ SSL_SESSION_get_master_key (Session, KeyMaterial,
+ SSL3_MASTER_SECRET_SIZE);
return EFI_SUCCESS;
}
diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/TlsInit.c
index 6b1fd93ea9..f32148ac9a 100644
--- a/CryptoPkg/Library/TlsLib/TlsInit.c
+++ b/CryptoPkg/Library/TlsLib/TlsInit.c
@@ -1,7 +1,7 @@
/** @file
SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -33,14 +33,10 @@ TlsInitialize (
// Performs initialization of crypto and ssl library, and loads required
// algorithms.
//
- SSL_library_init ();
-
- //
- // Loads error strings from both crypto and ssl library.
- //
- SSL_load_error_strings ();
-
- /// OpenSSL_add_all_algorithms();
+ OPENSSL_init_ssl (
+ OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
+ NULL
+ );
//
// Initialize the pseudorandom number generator.
@@ -103,34 +99,10 @@ TlsCtxNew (
SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
//
- // Treat as minimum accepted versions. Client can use higher
- // TLS version if server supports it
- //
- switch (ProtoVersion) {
- case TLS1_VERSION:
- //
- // TLS 1.0
- //
- break;
- case TLS1_1_VERSION:
- //
- // TLS 1.1
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
- break;
- case TLS1_2_VERSION:
- //
- // TLS 1.2
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
- break;
- default:
- //
- // Unsupported TLS/SSL Protocol Version.
- //
- break;
- }
+ // Treat as minimum accepted versions by setting the minimal bound.
+ // Client can use higher TLS version if server supports it //
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
return (VOID *) TlsCtx;
}
@@ -220,6 +192,11 @@ TlsNew (
}
//
+ // This retains compatibility with previous version of OpenSSL.
+ //
+ SSL_set_security_level (TlsConn->Ssl, 0);
+
+ //
// Initialize the created SSL Object
//
SSL_set_info_callback (TlsConn->Ssl, NULL);
--
2.11.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: Long, Qin
> Sent: Thursday, March 23, 2017 9:20 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
> lersek@redhat.com; ard.biesheuvel@linaro.org; glin@suse.com;
> ronald.cron@arm.com; Moso.Lee@citrix.com; thomas.palmer@hpe.com
> Subject: [PATCH v2 11/11] CryptoPkg/TlsLib: Update TLS Wrapper to align
> with OpenSSL changes.
>
> This patch update the wrapper implementation in TlsLib to align
> with the latest OpenSSL-1.1.0xx API changes.
>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Palmer Thomas <thomas.palmer@hpe.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Lin <glin@suse.com>
> Cc: Ronald Cron <ronald.cron@arm.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
> CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 ++-
> CryptoPkg/Library/TlsLib/TlsConfig.c | 21 ++++++++-----
> CryptoPkg/Library/TlsLib/TlsInit.c | 51 +++++++++----------------------
> 3 files changed, 31 insertions(+), 46 deletions(-)
>
> diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> index e75146648d..97727361e8 100644
> --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> @@ -1,7 +1,7 @@
> /** @file
> Internal include file for TlsLib.
>
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at
> @@ -15,6 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
> #ifndef __INTERNAL_TLS_LIB_H__
> #define __INTERNAL_TLS_LIB_H__
>
> +#undef _WIN32
> +#undef _WIN64
> +
> #include <Library/BaseCryptLib.h>
> #include <openssl/ssl.h>
> #include <openssl/bio.h>
> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c
> b/CryptoPkg/Library/TlsLib/TlsConfig.c
> index f103da4321..43e275d400 100644
> --- a/CryptoPkg/Library/TlsLib/TlsConfig.c
> +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
> @@ -128,24 +128,30 @@ TlsSetVersion (
>
> ProtoVersion = (MajorVer << 8) | MinorVer;
>
> + //
> + // Bound TLS method to the particular specified version.
> + //
> switch (ProtoVersion) {
> case TLS1_VERSION:
> //
> // TLS 1.0
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
> break;
> case TLS1_1_VERSION:
> //
> // TLS 1.1
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> break;
> case TLS1_2_VERSION:
> //
> // TLS 1.2
> //
> - SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> break;
> default:
> //
> @@ -384,8 +390,7 @@ TlsSetSessionId (
> return EFI_UNSUPPORTED;
> }
>
> - Session->session_id_length = SessionIdLen;
> - CopyMem (Session->session_id, SessionId, Session->session_id_length);
> + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,
> SessionIdLen);
>
> return EFI_SUCCESS;
> }
> @@ -847,7 +852,7 @@ TlsGetClientRandom (
> return;
> }
>
> - CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random,
> SSL3_RANDOM_SIZE);
> + SSL_get_client_random (TlsConn->Ssl, ClientRandom,
> SSL3_RANDOM_SIZE);
> }
>
> /**
> @@ -876,7 +881,7 @@ TlsGetServerRandom (
> return;
> }
>
> - CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random,
> SSL3_RANDOM_SIZE);
> + SSL_get_server_random (TlsConn->Ssl, ServerRandom,
> SSL3_RANDOM_SIZE);
> }
>
> /**
> @@ -916,7 +921,7 @@ TlsGetKeyMaterial (
> return EFI_UNSUPPORTED;
> }
>
> - CopyMem (KeyMaterial, Session->master_key, Session-
> >master_key_length);
> + SSL_SESSION_get_master_key (Session, KeyMaterial,
> SSL3_MASTER_SECRET_SIZE);
>
> return EFI_SUCCESS;
> }
> diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c
> b/CryptoPkg/Library/TlsLib/TlsInit.c
> index 6b1fd93ea9..f32148ac9a 100644
> --- a/CryptoPkg/Library/TlsLib/TlsInit.c
> +++ b/CryptoPkg/Library/TlsLib/TlsInit.c
> @@ -1,7 +1,7 @@
> /** @file
> SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
>
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> @@ -33,14 +33,10 @@ TlsInitialize (
> // Performs initialization of crypto and ssl library, and loads required
> // algorithms.
> //
> - SSL_library_init ();
> -
> - //
> - // Loads error strings from both crypto and ssl library.
> - //
> - SSL_load_error_strings ();
> -
> - /// OpenSSL_add_all_algorithms();
> + OPENSSL_init_ssl (
> + OPENSSL_INIT_LOAD_SSL_STRINGS |
> OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
> + NULL
> + );
>
> //
> // Initialize the pseudorandom number generator.
> @@ -103,34 +99,10 @@ TlsCtxNew (
> SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
>
> //
> - // Treat as minimum accepted versions. Client can use higher
> - // TLS version if server supports it
> - //
> - switch (ProtoVersion) {
> - case TLS1_VERSION:
> - //
> - // TLS 1.0
> - //
> - break;
> - case TLS1_1_VERSION:
> - //
> - // TLS 1.1
> - //
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> - break;
> - case TLS1_2_VERSION:
> - //
> - // TLS 1.2
> - //
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
> - break;
> - default:
> - //
> - // Unsupported TLS/SSL Protocol Version.
> - //
> - break;
> - }
> + // Treat as minimum accepted versions by setting the minimal bound.
> + // Client can use higher TLS version if server supports it
> + //
> + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
>
> return (VOID *) TlsCtx;
> }
> @@ -220,6 +192,11 @@ TlsNew (
> }
>
> //
> + // This retains compatibility with previous version of OpenSSL.
> + //
> + SSL_set_security_level (TlsConn->Ssl, 0);
> +
> + //
> // Initialize the created SSL Object
> //
> SSL_set_info_callback (TlsConn->Ssl, NULL);
> --
> 2.11.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.