Signed-off-by: Yi Li <yi1...@intel.com> --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 6 +- .../Library/OpensslLib/OpensslLibFull.inf | 6 +- CryptoPkg/Library/OpensslLib/SslExtServNull.c | 329 ++++++++++++++++++ .../Library/OpensslLib/SslStatServNull.c | 219 ++++++++++++ 4 files changed, 556 insertions(+), 4 deletions(-) create mode 100644 CryptoPkg/Library/OpensslLib/SslExtServNull.c create mode 100644 CryptoPkg/Library/OpensslLib/SslStatServNull.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index 8641cd2521..048d804292 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -700,12 +700,12 @@ $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h - $(OPENSSL_PATH)/ssl/statem/statem_srvr.c + # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c $(OPENSSL_PATH)/ssl/statem/statem_lib.c $(OPENSSL_PATH)/ssl/statem/statem_dtls.c $(OPENSSL_PATH)/ssl/statem/statem_clnt.c $(OPENSSL_PATH)/ssl/statem/statem.c - $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c + # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c $(OPENSSL_PATH)/ssl/statem/extensions_cust.c $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c $(OPENSSL_PATH)/ssl/statem/extensions.c @@ -757,6 +757,8 @@ ossl_store.c rand_pool.c # SslNull.c + SslStatServNull.c + SslExtServNull.c EcSm2Null.c DhNull.c EncoderNull.c diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf index 8cea86e6f0..7ad3c3fb85 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf @@ -705,12 +705,12 @@ $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.h $(OPENSSL_PATH)/providers/implementations/rands/drbg_local.h $(OPENSSL_PATH)/providers/implementations/storemgmt/file_store_local.h - $(OPENSSL_PATH)/ssl/statem/statem_srvr.c + # $(OPENSSL_PATH)/ssl/statem/statem_srvr.c $(OPENSSL_PATH)/ssl/statem/statem_lib.c $(OPENSSL_PATH)/ssl/statem/statem_dtls.c $(OPENSSL_PATH)/ssl/statem/statem_clnt.c $(OPENSSL_PATH)/ssl/statem/statem.c - $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c + # $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c $(OPENSSL_PATH)/ssl/statem/extensions_cust.c $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c $(OPENSSL_PATH)/ssl/statem/extensions.c @@ -824,6 +824,8 @@ ossl_store.c rand_pool.c # SslNull.c + SslStatServNull.c + SslExtServNull.c # EcSm2Null.c DhNull.c EncoderNull.c diff --git a/CryptoPkg/Library/OpensslLib/SslExtServNull.c b/CryptoPkg/Library/OpensslLib/SslExtServNull.c new file mode 100644 index 0000000000..c256f17667 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/SslExtServNull.c @@ -0,0 +1,329 @@ +/* + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/ocsp.h> +#include "../ssl_local.h" +#include "statem_local.h" +#include "internal/cryptlib.h" + +#define COOKIE_STATE_FORMAT_VERSION 1 + +/* + * Parse the client's renegotiation binding and abort if it's not right + */ +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return -1; +} + +/*- + * The servername extension is treated as follows: + * + * - Only the hostname type is supported with a maximum length of 255. + * - The servername is rejected if too long or if it contains zeros, + * in which case an fatal alert is generated. + * - The servername field is maintained together with the session cache. + * - When a session is resumed, the servername call back invoked in order + * to allow the application to position itself to the right context. + * - The servername is acknowledged if it is new for a session or when + * it is identical to a previously used for the same session. + * Applications can control the behaviour. They can at any time + * set a 'desirable' servername for a new SSL object. This can be the + * case for example with HTTPS when a Host: header field is received and + * a renegotiation is requested. In this case, a possible servername + * presented in the new client hello is only acknowledged if it matches + * the value of the Host: field. + * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + * if they provide for changing an explicit servername context for the + * session, i.e. when the session has been established with a servername + * extension. + * - On session reconnect, the servername extension may be absent. + */ +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_SRP +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, + ossl_unused unsigned int context, + ossl_unused X509 *x, + ossl_unused size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_OCSP +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +/* + * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN + * extension, not including type and length. Returns: 1 on success, 0 on error. + */ +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +#ifndef OPENSSL_NO_SRTP +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} +#endif + +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +/* + * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +/* + * Process a key_share extension received in the ClientHello. |pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + + +int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return 0; +} + +static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick, + SSL_SESSION **sess) +{ + return SSL_TICKET_NO_DECRYPT; +} + +int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + return 0; +} + +int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, + ossl_unused unsigned int context, + ossl_unused X509 *x, + ossl_unused size_t chainidx) +{ + return 0; +} + +/* + * Add the server's renegotiation binding + */ +EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +/* Add/include the server's max fragment len extension into ServerHello */ +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} +#endif + +EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + return EXT_RETURN_FAIL; +} + +EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + return EXT_RETURN_FAIL; +} diff --git a/CryptoPkg/Library/OpensslLib/SslStatServNull.c b/CryptoPkg/Library/OpensslLib/SslStatServNull.c new file mode 100644 index 0000000000..bb05ca772f --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/SslStatServNull.c @@ -0,0 +1,219 @@ +/* + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include "../ssl_local.h" +#include "statem_local.h" +#include "internal/constant_time.h" +#include "internal/cryptlib.h" +#include <openssl/buffer.h> +#include <openssl/rand.h> +#include <openssl/objects.h> +#include <openssl/evp.h> +#include <openssl/x509.h> +#include <openssl/dh.h> +#include <openssl/rsa.h> +#include <openssl/bn.h> +#include <openssl/md5.h> +#include <openssl/trace.h> +#include <openssl/core_names.h> +#include <openssl/asn1t.h> + +#define TICKET_NONCE_SIZE 8 + +typedef struct { + ASN1_TYPE *kxBlob; + ASN1_TYPE *opaqueBlob; +} GOST_KX_MESSAGE; + +int ossl_statem_server_read_transition(SSL *s, int mt) +{ + return 0; +} + +/* + * Should we send a CertificateRequest message? + * + * Valid return values are: + * 1: Yes + * 0: No + */ +int send_certificate_request(SSL *s) +{ + return 0; +} + +/* + * ossl_statem_server_write_transition() works out what handshake state to move + * to next when the server is writing messages to be sent to the client. + */ +WRITE_TRAN ossl_statem_server_write_transition(SSL *s) +{ + return WRITE_TRAN_ERROR; +} + +WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} +/* + * Perform any work that needs to be done after sending a message from the + * server to the client. + */ +WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +/* + * Get the message construction function and message type for sending from the + * server + * + * Valid return values are: + * 1: Success + * 0: Error + */ +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt) +{ + return 0; +} + +/* + * Returns the maximum allowed length for the current message that we are + * reading. Excludes the message header. + */ +size_t ossl_statem_server_max_message_size(SSL *s) +{ + return 0; +} + +/* + * Process a message that the server has received from the client. + */ +MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +/* + * Perform any further processing required following the receipt of a message + * from the client + */ +WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, + size_t cookie_len) +{ + return 0; +} + +int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) +{ + return 0; +} + +MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +/* + * Call the alpn_select callback if needed. Upon success, returns 1. + * Upon failure, returns 0. + */ +int tls_handle_alpn(SSL *s) +{ + return 0; +} + +WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +int tls_construct_server_hello(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_server_done(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_certificate_request(SSL *s, WPACKET *pkt) +{ + return 0; +} + +MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) +{ + return WORK_ERROR; +} + +MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} + +int tls_construct_server_certificate(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) +{ + return 0; +} + +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * create a separate message. Returns 1 on success or 0 on failure. + */ +int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +{ + return 0; +} + +int tls_construct_cert_status(SSL *s, WPACKET *pkt) +{ + return 0; +} + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* + * tls_process_next_proto reads a Next Protocol Negotiation handshake message. + * It sets the next_proto member in s if found + */ +MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} +#endif + +MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) +{ + return MSG_PROCESS_ERROR; +} -- 2.31.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#102474): https://edk2.groups.io/g/devel/message/102474 Mute This Topic: https://groups.io/mt/98056477/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
