2017-04-06 03:53:07 +02:00
|
|
|
## @file
|
|
|
|
|
# SSL/TLS Wrapper Library Instance based on OpenSSL.
|
|
|
|
|
#
|
2018-06-29 05:18:06 +02:00
|
|
|
# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
|
2017-04-06 03:53:07 +02:00
|
|
|
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
|
|
|
|
|
# This program and the accompanying materials
|
|
|
|
|
# are licensed and made available under the terms and conditions of the BSD License
|
|
|
|
|
# which accompanies this distribution. The full text of the license may be found at
|
|
|
|
|
# http://opensource.org/licenses/bsd-license.php
|
|
|
|
|
#
|
|
|
|
|
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
[Defines]
|
|
|
|
|
INF_VERSION = 0x00010005
|
|
|
|
|
BASE_NAME = TlsLib
|
|
|
|
|
MODULE_UNI_FILE = TlsLib.uni
|
|
|
|
|
FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
|
|
|
|
|
MODULE_TYPE = DXE_DRIVER
|
|
|
|
|
VERSION_STRING = 1.0
|
|
|
|
|
LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# The following information is for reference only and not required by the build tools.
|
|
|
|
|
#
|
2018-06-29 05:18:06 +02:00
|
|
|
# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64
|
2017-04-06 03:53:07 +02:00
|
|
|
#
|
|
|
|
|
|
|
|
|
|
[Sources]
|
|
|
|
|
InternalTlsLib.h
|
|
|
|
|
TlsInit.c
|
|
|
|
|
TlsConfig.c
|
|
|
|
|
TlsProcess.c
|
|
|
|
|
|
|
|
|
|
[Packages]
|
|
|
|
|
MdePkg/MdePkg.dec
|
|
|
|
|
CryptoPkg/CryptoPkg.dec
|
|
|
|
|
|
|
|
|
|
[LibraryClasses]
|
2018-03-31 22:25:15 +02:00
|
|
|
BaseCryptLib
|
2017-04-06 03:53:07 +02:00
|
|
|
BaseMemoryLib
|
|
|
|
|
DebugLib
|
|
|
|
|
IntrinsicLib
|
CryptoPkg/TlsLib: rewrite TlsSetCipherList()
Rewrite the TlsSetCipherList() function in order to fix the following
issues:
- Any cipher identifier in CipherId that is not recognized by
TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED.
This is a problem because CipherId is an ordered preference list, and a
caller should not get EFI_UNSUPPORTED just because it has an elaborate
CipherId preference list. Instead, we can filter out cipher identifiers
that we don't recognize, as long as we keep the relative order intact.
- CipherString is allocated on the stack, with 500 bytes.
While processing a large CipherId preference list, this room may not be
enough. Although no buffer overflow is possible, CipherString exhaustion
can lead to a failed TLS connection, because any cipher names that don't
fit on CipherString cannot be negotiated.
Compute CipherStringSize first, and allocate CipherString dynamically.
- Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString.
(Assuming there is enough room left in CipherString.) This causes
OpenSSL to sort the cipher list "in order of encryption algorithm key
length".
This is a bad idea. The caller specifically passes an ordered preference
list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to
reorder the list, for any reason. Drop "@STRENGTH".
While at it, fix and unify the documentation of the CipherId parameter.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-03-31 17:33:14 +02:00
|
|
|
MemoryAllocationLib
|
2018-03-31 22:25:15 +02:00
|
|
|
OpensslLib
|
CryptoPkg/TlsLib: rewrite TlsSetCipherList()
Rewrite the TlsSetCipherList() function in order to fix the following
issues:
- Any cipher identifier in CipherId that is not recognized by
TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED.
This is a problem because CipherId is an ordered preference list, and a
caller should not get EFI_UNSUPPORTED just because it has an elaborate
CipherId preference list. Instead, we can filter out cipher identifiers
that we don't recognize, as long as we keep the relative order intact.
- CipherString is allocated on the stack, with 500 bytes.
While processing a large CipherId preference list, this room may not be
enough. Although no buffer overflow is possible, CipherString exhaustion
can lead to a failed TLS connection, because any cipher names that don't
fit on CipherString cannot be negotiated.
Compute CipherStringSize first, and allocate CipherString dynamically.
- Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString.
(Assuming there is enough room left in CipherString.) This causes
OpenSSL to sort the cipher list "in order of encryption algorithm key
length".
This is a bad idea. The caller specifically passes an ordered preference
list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to
reorder the list, for any reason. Drop "@STRENGTH".
While at it, fix and unify the documentation of the CipherId parameter.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-03-31 17:33:14 +02:00
|
|
|
SafeIntLib
|
2017-04-06 03:53:07 +02:00
|
|
|
|
|
|
|
|
[BuildOptions]
|
|
|
|
|
#
|
|
|
|
|
# suppress the following warnings so we do not break the build with warnings-as-errors:
|
|
|
|
|
# C4090: 'function' : different 'const' qualifiers
|
|
|
|
|
#
|
|
|
|
|
MSFT:*_*_*_CC_FLAGS = /wd4090
|
|
|
|
|
|
