diff options
author | Hao Wu <hao.a.wu@intel.com> | 2017-04-06 09:53:07 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2017-04-06 15:42:34 +0800 |
commit | 264702a04b88e612f44615a8b968ca06c9d5435e (patch) | |
tree | 05e30fdcf9611e60d9165265b1b9431ccf8bb6ae /CryptoPkg | |
parent | 6035094da8b68c0d66cce327309efee551caa5dc (diff) | |
download | edk2-264702a04b88e612f44615a8b968ca06c9d5435e.zip edk2-264702a04b88e612f44615a8b968ca06c9d5435e.tar.gz edk2-264702a04b88e612f44615a8b968ca06c9d5435e.tar.bz2 |
CryptoPkg: Convert files to CRLF line ending
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Diffstat (limited to 'CryptoPkg')
-rw-r--r-- | CryptoPkg/Include/Library/TlsLib.h | 1575 | ||||
-rw-r--r-- | CryptoPkg/Library/OpensslLib/process_files.pl | 447 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/InternalTlsLib.h | 85 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsConfig.c | 2119 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsInit.c | 537 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsLib.inf | 113 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsLib.uni | 38 | ||||
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsProcess.c | 925 |
8 files changed, 2923 insertions, 2916 deletions
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h index 45564f1..fa6cb99 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -1,787 +1,788 @@ -/** @file - Defines TLS Library APIs. - -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#ifndef __TLS_LIB_H__ -#define __TLS_LIB_H__ - -/** - Initializes the OpenSSL library. - - This function registers ciphers and digests used directly and indirectly - by SSL/TLS, and initializes the readable error messages. - This function must be called before any other action takes places. - -**/ -VOID -EFIAPI -TlsInitialize ( - VOID - ); - -/** - Free an allocated SSL_CTX object. - - @param[in] TlsCtx Pointer to the SSL_CTX object to be released. - -**/ -VOID -EFIAPI -TlsCtxFree ( - IN VOID *TlsCtx - ); - -/** - Creates a new SSL_CTX object as framework to establish TLS/SSL enabled - connections. - - @param[in] MajorVer Major Version of TLS/SSL Protocol. - @param[in] MinorVer Minor Version of TLS/SSL Protocol. - - @return Pointer to an allocated SSL_CTX object. - If the creation failed, TlsCtxNew() returns NULL. - -**/ -VOID * -EFIAPI -TlsCtxNew ( - IN UINT8 MajorVer, - IN UINT8 MinorVer - ); - -/** - Free an allocated TLS object. - - This function removes the TLS object pointed to by Tls and frees up the - allocated memory. If Tls is NULL, nothing is done. - - @param[in] Tls Pointer to the TLS object to be freed. - -**/ -VOID -EFIAPI -TlsFree ( - IN VOID *Tls - ); - -/** - Create a new TLS object for a connection. - - This function creates a new TLS object for a connection. The new object - inherits the setting of the underlying context TlsCtx: connection method, - options, verification setting. - - @param[in] TlsCtx Pointer to the SSL_CTX object. - - @return Pointer to an allocated SSL object. - If the creation failed, TlsNew() returns NULL. - -**/ -VOID * -EFIAPI -TlsNew ( - IN VOID *TlsCtx - ); - -/** - Checks if the TLS handshake was done. - - This function will check if the specified TLS handshake was done. - - @param[in] Tls Pointer to the TLS object for handshake state checking. - - @retval TRUE The TLS handshake was done. - @retval FALSE The TLS handshake was not done. - -**/ -BOOLEAN -EFIAPI -TlsInHandshake ( - IN VOID *Tls - ); - -/** - Perform a TLS/SSL handshake. - - This function will perform a TLS/SSL handshake. - - @param[in] Tls Pointer to the TLS object for handshake operation. - @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. - @param[in] BufferInSize Packet size in bytes for the most recently received TLS - Handshake packet. - @param[out] BufferOut Pointer to the buffer to hold the built packet. - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferIn is NULL but BufferInSize is NOT 0. - BufferInSize is 0 but BufferIn is NOT NULL. - BufferOutSize is NULL. - BufferOut is NULL if *BufferOutSize is not zero. - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. - @retval EFI_ABORTED Something wrong during handshake. - -**/ -EFI_STATUS -EFIAPI -TlsDoHandshake ( - IN VOID *Tls, - IN UINT8 *BufferIn, OPTIONAL - IN UINTN BufferInSize, OPTIONAL - OUT UINT8 *BufferOut, OPTIONAL - IN OUT UINTN *BufferOutSize - ); - -/** - Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, - TLS session has errors and the response packet needs to be Alert message based on error type. - - @param[in] Tls Pointer to the TLS object for state checking. - @param[in] BufferIn Pointer to the most recently received TLS Alert packet. - @param[in] BufferInSize Packet size in bytes for the most recently received TLS - Alert packet. - @param[out] BufferOut Pointer to the buffer to hold the built packet. - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferIn is NULL but BufferInSize is NOT 0. - BufferInSize is 0 but BufferIn is NOT NULL. - BufferOutSize is NULL. - BufferOut is NULL if *BufferOutSize is not zero. - @retval EFI_ABORTED An error occurred. - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. - -**/ -EFI_STATUS -EFIAPI -TlsHandleAlert ( - IN VOID *Tls, - IN UINT8 *BufferIn, OPTIONAL - IN UINTN BufferInSize, OPTIONAL - OUT UINT8 *BufferOut, OPTIONAL - IN OUT UINTN *BufferOutSize - ); - -/** - Build the CloseNotify packet. - - @param[in] Tls Pointer to the TLS object for state checking. - @param[in, out] Buffer Pointer to the buffer to hold the built packet. - @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferSize is NULL. - Buffer is NULL if *BufferSize is not zero. - @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. - -**/ -EFI_STATUS -EFIAPI -TlsCloseNotify ( - IN VOID *Tls, - IN OUT UINT8 *Buffer, - IN OUT UINTN *BufferSize - ); - -/** - Attempts to read bytes from one TLS object and places the data in Buffer. - - This function will attempt to read BufferSize bytes from the TLS object - and places the data in Buffer. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] Buffer Pointer to the buffer to store the data. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The amount of data successfully read from the TLS object. - @retval <=0 No data was successfully read. - -**/ -INTN -EFIAPI -TlsCtrlTrafficOut ( - IN VOID *Tls, - IN OUT VOID *Buffer, - IN UINTN BufferSize - ); - -/** - Attempts to write data from the buffer to TLS object. - - This function will attempt to write BufferSize bytes data from the Buffer - to the TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[in] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The amount of data successfully written to the TLS object. - @retval <=0 No data was successfully written. - -**/ -INTN -EFIAPI -TlsCtrlTrafficIn ( - IN VOID *Tls, - IN VOID *Buffer, - IN UINTN BufferSize - ); - -/** - Attempts to read bytes from the specified TLS connection into the buffer. - - This function tries to read BufferSize bytes data from the specified TLS - connection into the Buffer. - - @param[in] Tls Pointer to the TLS connection for data reading. - @param[in,out] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The read operation was successful, and return value is the - number of bytes actually read from the TLS connection. - @retval <=0 The read operation was not successful. - -**/ -INTN -EFIAPI -TlsRead ( - IN VOID *Tls, - IN OUT VOID *Buffer, - IN UINTN BufferSize - ); - -/** - Attempts to write data to a TLS connection. - - This function tries to write BufferSize bytes data from the Buffer into the - specified TLS connection. - - @param[in] Tls Pointer to the TLS connection for data writing. - @param[in] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The write operation was successful, and return value is the - number of bytes actually written to the TLS connection. - @retval <=0 The write operation was not successful. - -**/ -INTN -EFIAPI -TlsWrite ( - IN VOID *Tls, - IN VOID *Buffer, - IN UINTN BufferSize - ); - -/** - Set a new TLS/SSL method for a particular TLS object. - - This function sets a new TLS/SSL method for a particular TLS object. - - @param[in] Tls Pointer to a TLS object. - @param[in] MajorVer Major Version of TLS/SSL Protocol. - @param[in] MinorVer Minor Version of TLS/SSL Protocol. - - @retval EFI_SUCCESS The TLS/SSL method was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. - -**/ -EFI_STATUS -EFIAPI -TlsSetVersion ( - IN VOID *Tls, - IN UINT8 MajorVer, - IN UINT8 MinorVer - ); - -/** - Set TLS object to work in client or server mode. - - This function prepares a TLS object to work in client or server mode. - - @param[in] Tls Pointer to a TLS object. - @param[in] IsServer Work in server mode. - - @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. - -**/ -EFI_STATUS -EFIAPI -TlsSetConnectionEnd ( - IN VOID *Tls, - IN BOOLEAN IsServer - ); - -/** - Set the ciphers list to be used by the TLS object. - - This function sets the ciphers for use by a specified TLS object. - - @param[in] Tls Pointer to a TLS object. - @param[in] CipherId Pointer to a string that contains one or more - ciphers separated by a colon. - @param[in] CipherNum The number of cipher in the list. - - @retval EFI_SUCCESS The ciphers list was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. - -**/ -EFI_STATUS -EFIAPI -TlsSetCipherList ( - IN VOID *Tls, - IN UINT16 *CipherId, - IN UINTN CipherNum - ); - -/** - Set the compression method for TLS/SSL operations. - - This function handles TLS/SSL integrated compression methods. - - @param[in] CompMethod The compression method ID. - - @retval EFI_SUCCESS The compression method for the communication was - set successfully. - @retval EFI_UNSUPPORTED Unsupported compression method. - -**/ -EFI_STATUS -EFIAPI -TlsSetCompressionMethod ( - IN UINT8 CompMethod - ); - -/** - Set peer certificate verification mode for the TLS connection. - - This function sets the verification mode flags for the TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in] VerifyMode A set of logically or'ed verification mode flags. - -**/ -VOID -EFIAPI -TlsSetVerify ( - IN VOID *Tls, - IN UINT32 VerifyMode - ); - -/** - Sets a TLS/SSL session ID to be used during TLS/SSL connect. - - This function sets a session ID to be used when the TLS/SSL connection is - to be established. - - @param[in] Tls Pointer to the TLS object. - @param[in] SessionId Session ID data used for session resumption. - @param[in] SessionIdLen Length of Session ID in bytes. - - @retval EFI_SUCCESS Session ID was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED No available session for ID setting. - -**/ -EFI_STATUS -EFIAPI -TlsSetSessionId ( - IN VOID *Tls, - IN UINT8 *SessionId, - IN UINT16 SessionIdLen - ); - -/** - Adds the CA to the cert store when requesting Server or Client authentication. - - This function adds the CA certificate to the list of CAs when requesting - Server or Client authentication for the chosen TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a DER-encoded binary - X.509 certificate or PEM-encoded X.509 certificate. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. - @retval EFI_ABORTED Invalid X.509 certificate. - -**/ -EFI_STATUS -EFIAPI -TlsSetCaCertificate ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ); - -/** - Loads the local public certificate into the specified TLS object. - - This function loads the X.509 certificate into the specified TLS object - for TLS negotiation. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a DER-encoded binary - X.509 certificate or PEM-encoded X.509 certificate. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. - @retval EFI_ABORTED Invalid X.509 certificate. - -**/ -EFI_STATUS -EFIAPI -TlsSetHostPublicCert ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ); - -/** - Adds the local private key to the specified TLS object. - - This function adds the local private key (PEM-encoded RSA or PKCS#8 private - key) into the specified TLS object for TLS negotiation. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA - or PKCS#8 private key. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_ABORTED Invalid private key data. - -**/ -EFI_STATUS -EFIAPI -TlsSetHostPrivateKey ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ); - -/** - Adds the CA-supplied certificate revocation list for certificate validation. - - This function adds the CA-supplied certificate revocation list data for - certificate validity checking. - - @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_ABORTED Invalid CRL data. - -**/ -EFI_STATUS -EFIAPI -TlsSetCertRevocationList ( - IN VOID *Data, - IN UINTN DataSize - ); - -/** - Gets the protocol version used by the specified TLS connection. - - This function returns the protocol version used by the specified TLS - connection. - - @param[in] Tls Pointer to the TLS object. - - @return The protocol version of the specified TLS connection. - -**/ -UINT16 -EFIAPI -TlsGetVersion ( - IN VOID *Tls - ); - -/** - Gets the connection end of the specified TLS connection. - - This function returns the connection end (as client or as server) used by - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - - @return The connection end used by the specified TLS connection. - -**/ -UINT8 -EFIAPI -TlsGetConnectionEnd ( - IN VOID *Tls - ); - -/** - Gets the cipher suite used by the specified TLS connection. - - This function returns current cipher suite used by the specified - TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] CipherId The cipher suite used by the TLS object. - - @retval EFI_SUCCESS The cipher suite was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported cipher suite. - -**/ -EFI_STATUS -EFIAPI -TlsGetCurrentCipher ( - IN VOID *Tls, - IN OUT UINT16 *CipherId - ); - -/** - Gets the compression methods used by the specified TLS connection. - - This function returns current integrated compression methods used by - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] CompressionId The current compression method used by - the TLS object. - - @retval EFI_SUCCESS The compression method was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_ABORTED Invalid Compression method. - @retval EFI_UNSUPPORTED This function is not supported. - -**/ -EFI_STATUS -EFIAPI -TlsGetCurrentCompressionId ( - IN VOID *Tls, - IN OUT UINT8 *CompressionId - ); - -/** - Gets the verification mode currently set in the TLS connection. - - This function returns the peer verification mode currently set in the - specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - - @return The verification mode set in the specified TLS connection. - -**/ -UINT32 -EFIAPI -TlsGetVerify ( - IN VOID *Tls - ); - -/** - Gets the session ID used by the specified TLS connection. - - This function returns the TLS/SSL session ID currently used by the - specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] SessionId Buffer to contain the returned session ID. - @param[in,out] SessionIdLen The length of Session ID in bytes. - - @retval EFI_SUCCESS The Session ID was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Invalid TLS/SSL session. - -**/ -EFI_STATUS -EFIAPI -TlsGetSessionId ( - IN VOID *Tls, - IN OUT UINT8 *SessionId, - IN OUT UINT16 *SessionIdLen - ); - -/** - Gets the client random data used in the specified TLS connection. - - This function returns the TLS/SSL client random data currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] ClientRandom Buffer to contain the returned client - random data (32 bytes). - -**/ -VOID -EFIAPI -TlsGetClientRandom ( - IN VOID *Tls, - IN OUT UINT8 *ClientRandom - ); - -/** - Gets the server random data used in the specified TLS connection. - - This function returns the TLS/SSL server random data currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] ServerRandom Buffer to contain the returned server - random data (32 bytes). - -**/ -VOID -EFIAPI -TlsGetServerRandom ( - IN VOID *Tls, - IN OUT UINT8 *ServerRandom - ); - -/** - Gets the master key data used in the specified TLS connection. - - This function returns the TLS/SSL master key material currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] KeyMaterial Buffer to contain the returned key material. - - @retval EFI_SUCCESS Key material was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Invalid TLS/SSL session. - -**/ -EFI_STATUS -EFIAPI -TlsGetKeyMaterial ( - IN VOID *Tls, - IN OUT UINT8 *KeyMaterial - ); - -/** - Gets the CA Certificate from the cert store. - - This function returns the CA certificate for the chosen - TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the CA - certificate data sent to the client. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetCaCertificate ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ); - -/** - Gets the local public Certificate set in the specified TLS object. - - This function returns the local public certificate which was currently set - in the specified TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the local - public certificate. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_NOT_FOUND The certificate is not found. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetHostPublicCert ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ); - -/** - Gets the local private key set in the specified TLS object. - - This function returns the local private key data which was currently set - in the specified TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the local - private key data. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetHostPrivateKey ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ); - -/** - Gets the CA-supplied certificate revocation list data set in the specified - TLS object. - - This function returns the CA-supplied certificate revocation list data which - was currently set in the specified TLS object. - - @param[out] Data Pointer to the data buffer to receive the CRL data. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetCertRevocationList ( - OUT VOID *Data, - IN OUT UINTN *DataSize - ); - -#endif // __TLS_LIB_H__ +/** @file
+ Defines TLS Library APIs.
+
+Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __TLS_LIB_H__
+#define __TLS_LIB_H__
+
+/**
+ Initializes the OpenSSL library.
+
+ This function registers ciphers and digests used directly and indirectly
+ by SSL/TLS, and initializes the readable error messages.
+ This function must be called before any other action takes places.
+
+**/
+VOID
+EFIAPI
+TlsInitialize (
+ VOID
+ );
+
+/**
+ Free an allocated SSL_CTX object.
+
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
+
+**/
+VOID
+EFIAPI
+TlsCtxFree (
+ IN VOID *TlsCtx
+ );
+
+/**
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
+ connections.
+
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+
+ @return Pointer to an allocated SSL_CTX object.
+ If the creation failed, TlsCtxNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsCtxNew (
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ );
+
+/**
+ Free an allocated TLS object.
+
+ This function removes the TLS object pointed to by Tls and frees up the
+ allocated memory. If Tls is NULL, nothing is done.
+
+ @param[in] Tls Pointer to the TLS object to be freed.
+
+**/
+VOID
+EFIAPI
+TlsFree (
+ IN VOID *Tls
+ );
+
+/**
+ Create a new TLS object for a connection.
+
+ This function creates a new TLS object for a connection. The new object
+ inherits the setting of the underlying context TlsCtx: connection method,
+ options, verification setting.
+
+ @param[in] TlsCtx Pointer to the SSL_CTX object.
+
+ @return Pointer to an allocated SSL object.
+ If the creation failed, TlsNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsNew (
+ IN VOID *TlsCtx
+ );
+
+/**
+ Checks if the TLS handshake was done.
+
+ This function will check if the specified TLS handshake was done.
+
+ @param[in] Tls Pointer to the TLS object for handshake state checking.
+
+ @retval TRUE The TLS handshake was done.
+ @retval FALSE The TLS handshake was not done.
+
+**/
+BOOLEAN
+EFIAPI
+TlsInHandshake (
+ IN VOID *Tls
+ );
+
+/**
+ Perform a TLS/SSL handshake.
+
+ This function will perform a TLS/SSL handshake.
+
+ @param[in] Tls Pointer to the TLS object for handshake operation.
+ @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Handshake packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+ @retval EFI_ABORTED Something wrong during handshake.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsDoHandshake (
+ IN VOID *Tls,
+ IN UINT8 *BufferIn, OPTIONAL
+ IN UINTN BufferInSize, OPTIONAL
+ OUT UINT8 *BufferOut, OPTIONAL
+ IN OUT UINTN *BufferOutSize
+ );
+
+/**
+ Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
+ TLS session has errors and the response packet needs to be Alert message based on error type.
+
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in] BufferIn Pointer to the most recently received TLS Alert packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Alert packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_ABORTED An error occurred.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsHandleAlert (
+ IN VOID *Tls,
+ IN UINT8 *BufferIn, OPTIONAL
+ IN UINTN BufferInSize, OPTIONAL
+ OUT UINT8 *BufferOut, OPTIONAL
+ IN OUT UINTN *BufferOutSize
+ );
+
+/**
+ Build the CloseNotify packet.
+
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in, out] Buffer Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferSize is NULL.
+ Buffer is NULL if *BufferSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsCloseNotify (
+ IN VOID *Tls,
+ IN OUT UINT8 *Buffer,
+ IN OUT UINTN *BufferSize
+ );
+
+/**
+ Attempts to read bytes from one TLS object and places the data in Buffer.
+
+ This function will attempt to read BufferSize bytes from the TLS object
+ and places the data in Buffer.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] Buffer Pointer to the buffer to store the data.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The amount of data successfully read from the TLS object.
+ @retval <=0 No data was successfully read.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficOut (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ );
+
+/**
+ Attempts to write data from the buffer to TLS object.
+
+ This function will attempt to write BufferSize bytes data from the Buffer
+ to the TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The amount of data successfully written to the TLS object.
+ @retval <=0 No data was successfully written.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficIn (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ );
+
+/**
+ Attempts to read bytes from the specified TLS connection into the buffer.
+
+ This function tries to read BufferSize bytes data from the specified TLS
+ connection into the Buffer.
+
+ @param[in] Tls Pointer to the TLS connection for data reading.
+ @param[in,out] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The read operation was successful, and return value is the
+ number of bytes actually read from the TLS connection.
+ @retval <=0 The read operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsRead (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ );
+
+/**
+ Attempts to write data to a TLS connection.
+
+ This function tries to write BufferSize bytes data from the Buffer into the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS connection for data writing.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The write operation was successful, and return value is the
+ number of bytes actually written to the TLS connection.
+ @retval <=0 The write operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsWrite (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ );
+
+/**
+ Set a new TLS/SSL method for a particular TLS object.
+
+ This function sets a new TLS/SSL method for a particular TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+
+ @retval EFI_SUCCESS The TLS/SSL method was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetVersion (
+ IN VOID *Tls,
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ );
+
+/**
+ Set TLS object to work in client or server mode.
+
+ This function prepares a TLS object to work in client or server mode.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] IsServer Work in server mode.
+
+ @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConnectionEnd (
+ IN VOID *Tls,
+ IN BOOLEAN IsServer
+ );
+
+/**
+ Set the ciphers list to be used by the TLS object.
+
+ This function sets the ciphers for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] CipherId Pointer to a string that contains one or more
+ ciphers separated by a colon.
+ @param[in] CipherNum The number of cipher in the list.
+
+ @retval EFI_SUCCESS The ciphers list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCipherList (
+ IN VOID *Tls,
+ IN UINT16 *CipherId,
+ IN UINTN CipherNum
+ );
+
+/**
+ Set the compression method for TLS/SSL operations.
+
+ This function handles TLS/SSL integrated compression methods.
+
+ @param[in] CompMethod The compression method ID.
+
+ @retval EFI_SUCCESS The compression method for the communication was
+ set successfully.
+ @retval EFI_UNSUPPORTED Unsupported compression method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCompressionMethod (
+ IN UINT8 CompMethod
+ );
+
+/**
+ Set peer certificate verification mode for the TLS connection.
+
+ This function sets the verification mode flags for the TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] VerifyMode A set of logically or'ed verification mode flags.
+
+**/
+VOID
+EFIAPI
+TlsSetVerify (
+ IN VOID *Tls,
+ IN UINT32 VerifyMode
+ );
+
+/**
+ Sets a TLS/SSL session ID to be used during TLS/SSL connect.
+
+ This function sets a session ID to be used when the TLS/SSL connection is
+ to be established.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SessionId Session ID data used for session resumption.
+ @param[in] SessionIdLen Length of Session ID in bytes.
+
+ @retval EFI_SUCCESS Session ID was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED No available session for ID setting.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSessionId (
+ IN VOID *Tls,
+ IN UINT8 *SessionId,
+ IN UINT16 SessionIdLen
+ );
+
+/**
+ Adds the CA to the cert store when requesting Server or Client authentication.
+
+ This function adds the CA certificate to the list of CAs when requesting
+ Server or Client authentication for the chosen TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCaCertificate (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Loads the local public certificate into the specified TLS object.
+
+ This function loads the X.509 certificate into the specified TLS object
+ for TLS negotiation.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPublicCert (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Adds the local private key to the specified TLS object.
+
+ This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+ key) into the specified TLS object for TLS negotiation.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
+ or PKCS#8 private key.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKey (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Adds the CA-supplied certificate revocation list for certificate validation.
+
+ This function adds the CA-supplied certificate revocation list data for
+ certificate validity checking.
+
+ @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid CRL data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCertRevocationList (
+ IN VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Gets the protocol version used by the specified TLS connection.
+
+ This function returns the protocol version used by the specified TLS
+ connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The protocol version of the specified TLS connection.
+
+**/
+UINT16
+EFIAPI
+TlsGetVersion (
+ IN VOID *Tls
+ );
+
+/**
+ Gets the connection end of the specified TLS connection.
+
+ This function returns the connection end (as client or as server) used by
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The connection end used by the specified TLS connection.
+
+**/
+UINT8
+EFIAPI
+TlsGetConnectionEnd (
+ IN VOID *Tls
+ );
+
+/**
+ Gets the cipher suite used by the specified TLS connection.
+
+ This function returns current cipher suite used by the specified
+ TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CipherId The cipher suite used by the TLS object.
+
+ @retval EFI_SUCCESS The cipher suite was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported cipher suite.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCipher (
+ IN VOID *Tls,
+ IN OUT UINT16 *CipherId
+ );
+
+/**
+ Gets the compression methods used by the specified TLS connection.
+
+ This function returns current integrated compression methods used by
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CompressionId The current compression method used by
+ the TLS object.
+
+ @retval EFI_SUCCESS The compression method was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid Compression method.
+ @retval EFI_UNSUPPORTED This function is not supported.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCompressionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *CompressionId
+ );
+
+/**
+ Gets the verification mode currently set in the TLS connection.
+
+ This function returns the peer verification mode currently set in the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The verification mode set in the specified TLS connection.
+
+**/
+UINT32
+EFIAPI
+TlsGetVerify (
+ IN VOID *Tls
+ );
+
+/**
+ Gets the session ID used by the specified TLS connection.
+
+ This function returns the TLS/SSL session ID currently used by the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] SessionId Buffer to contain the returned session ID.
+ @param[in,out] SessionIdLen The length of Session ID in bytes.
+
+ @retval EFI_SUCCESS The Session ID was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetSessionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *SessionId,
+ IN OUT UINT16 *SessionIdLen
+ );
+
+/**
+ Gets the client random data used in the specified TLS connection.
+
+ This function returns the TLS/SSL client random data currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ClientRandom Buffer to contain the returned client
+ random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetClientRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ClientRandom
+ );
+
+/**
+ Gets the server random data used in the specified TLS connection.
+
+ This function returns the TLS/SSL server random data currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ServerRandom Buffer to contain the returned server
+ random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetServerRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ServerRandom
+ );
+
+/**
+ Gets the master key data used in the specified TLS connection.
+
+ This function returns the TLS/SSL master key material currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] KeyMaterial Buffer to contain the returned key material.
+
+ @retval EFI_SUCCESS Key material was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetKeyMaterial (
+ IN VOID *Tls,
+ IN OUT UINT8 *KeyMaterial
+ );
+
+/**
+ Gets the CA Certificate from the cert store.
+
+ This function returns the CA certificate for the chosen
+ TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the CA
+ certificate data sent to the client.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCaCertificate (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ );
+
+/**
+ Gets the local public Certificate set in the specified TLS object.
+
+ This function returns the local public certificate which was currently set
+ in the specified TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ public certificate.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_NOT_FOUND The certificate is not found.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPublicCert (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ );
+
+/**
+ Gets the local private key set in the specified TLS object.
+
+ This function returns the local private key data which was currently set
+ in the specified TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ private key data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPrivateKey (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ );
+
+/**
+ Gets the CA-supplied certificate revocation list data set in the specified
+ TLS object.
+
+ This function returns the CA-supplied certificate revocation list data which
+ was currently set in the specified TLS object.
+
+ @param[out] Data Pointer to the data buffer to receive the CRL data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCertRevocationList (
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ );
+
+#endif // __TLS_LIB_H__
+
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl index 210811b..4a60073 100644 --- a/CryptoPkg/Library/OpensslLib/process_files.pl +++ b/CryptoPkg/Library/OpensslLib/process_files.pl @@ -1,223 +1,224 @@ -#!/usr/bin/perl -w -# -# This script runs the OpenSSL Configure script, then processes the -# resulting file list into our local OpensslLib[Crypto].inf and also -# takes a copy of opensslconf.h. -# -# This only needs to be done once by a developer when updating to a -# new version of OpenSSL (or changing options, etc.). Normal users -# do not need to do this, since the results are stored in the EDK2 -# git repository for them. -# -use strict; -use Cwd; -use File::Copy; - -# -# Find the openssl directory name for use lib. We have to do this -# inside of BEGIN. The variables we create here, however, don't seem -# to be available to the main script, so we have to repeat the -# exercise. -# -my $inf_file; -my $OPENSSL_PATH; -my @inf; - -BEGIN { - $inf_file = "OpensslLib.inf"; - - # Read the contents of the inf file - open( FD, "<" . $inf_file ) || - die "Cannot open \"" . $inf_file . "\"!"; - @inf = (<FD>); - close(FD) || - die "Cannot close \"" . $inf_file . "\"!"; - - foreach (@inf) { - if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) { - - # We need to run Configure before we can include its result... - $OPENSSL_PATH = $1; - - my $basedir = getcwd(); - - chdir($OPENSSL_PATH) || - die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\""; - - # Configure UEFI - system( - "./Configure", - "UEFI", - "no-afalgeng", - "no-asm", - "no-async", - "no-autoalginit", - "no-autoerrinit", - "no-bf", - "no-blake2", - "no-camellia", - "no-capieng", - "no-cast", - "no-chacha", - "no-cms", - "no-ct", - "no-deprecated", - "no-dgram", - "no-dsa", - "no-dynamic-engine", - "no-ec", - "no-ec2m", - "no-engine", - "no-err", - "no-filenames", - "no-gost", - "no-hw", - "no-idea", - "no-mdc2", - "no-pic", - "no-ocb", - "no-poly1305", - "no-posix-io", - "no-rc2", - "no-rfc3779", - "no-rmd160", - "no-scrypt", - "no-seed", - "no-sock", - "no-srp", - "no-ssl", - "no-stdio", - "no-threads", - "no-ts", - "no-ui", - "no-whirlpool" - ) == 0 || - die "OpenSSL Configure failed!\n"; - - # Generate opensslconf.h per config data - system( - "perl -I. -Mconfigdata util/dofile.pl " . - "include/openssl/opensslconf.h.in " . - "> include/openssl/opensslconf.h" - ) == 0 || - die "Failed to generate opensslconf.h!\n"; - - chdir($basedir) || - die "Cannot change to base directory \"" . $basedir . "\""; - - push @INC, $1; - last; - } - } -} - -# -# Retrieve file lists from OpenSSL configdata -# -use configdata qw/%unified_info/; - -my @cryptofilelist = (); -my @sslfilelist = (); -foreach my $product ((@{$unified_info{libraries}}, - @{$unified_info{engines}})) { - foreach my $o (@{$unified_info{sources}->{$product}}) { - foreach my $s (@{$unified_info{sources}->{$o}}) { - next if ($unified_info{generate}->{$s}); - next if $s =~ "crypto/bio/b_print.c"; - if ($product =~ "libssl") { - push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n"; - next; - } - push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n"; - } - } -} - -# -# Update OpensslLib.inf with autogenerated file list -# -my @new_inf = (); -my $subbing = 0; -print "\n--> Updating OpensslLib.inf ... "; -foreach (@inf) { - if ( $_ =~ "# Autogenerated files list starts here" ) { - push @new_inf, $_, @cryptofilelist, @sslfilelist; - $subbing = 1; - next; - } - if ( $_ =~ "# Autogenerated files list ends here" ) { - push @new_inf, $_; - $subbing = 0; - next; - } - - push @new_inf, $_ - unless ($subbing); -} - -my $new_inf_file = $inf_file . ".new"; -open( FD, ">" . $new_inf_file ) || - die $new_inf_file; -print( FD @new_inf ) || - die $new_inf_file; -close(FD) || - die $new_inf_file; -rename( $new_inf_file, $inf_file ) || - die "rename $inf_file"; -print "Done!"; - -# -# Update OpensslLibCrypto.inf with auto-generated file list (no libssl) -# -$inf_file = "OpensslLibCrypto.inf"; - -# Read the contents of the inf file -@inf = (); -@new_inf = (); -open( FD, "<" . $inf_file ) || - die "Cannot open \"" . $inf_file . "\"!"; -@inf = (<FD>); -close(FD) || - die "Cannot close \"" . $inf_file . "\"!"; - -$subbing = 0; -print "\n--> Updating OpensslLibCrypto.inf ... "; -foreach (@inf) { - if ( $_ =~ "# Autogenerated files list starts here" ) { - push @new_inf, $_, @cryptofilelist; - $subbing = 1; - next; - } - if ( $_ =~ "# Autogenerated files list ends here" ) { - push @new_inf, $_; - $subbing = 0; - next; - } - - push @new_inf, $_ - unless ($subbing); -} - -$new_inf_file = $inf_file . ".new"; -open( FD, ">" . $new_inf_file ) || - die $new_inf_file; -print( FD @new_inf ) || - die $new_inf_file; -close(FD) || - die $new_inf_file; -rename( $new_inf_file, $inf_file ) || - die "rename $inf_file"; -print "Done!"; - -# -# Copy opensslconf.h generated from OpenSSL Configuration -# -print "\n--> Duplicating opensslconf.h into Include/openssl ... "; -copy($OPENSSL_PATH . "/include/openssl/opensslconf.h", - $OPENSSL_PATH . "/../../../Include/openssl/") || - die "Cannot copy opensslconf.h!"; -print "Done!\n"; - -print "\nProcessing Files Done!\n"; - -exit(0); +#!/usr/bin/perl -w
+#
+# This script runs the OpenSSL Configure script, then processes the
+# resulting file list into our local OpensslLib[Crypto].inf and also
+# takes a copy of opensslconf.h.
+#
+# This only needs to be done once by a developer when updating to a
+# new version of OpenSSL (or changing options, etc.). Normal users
+# do not need to do this, since the results are stored in the EDK2
+# git repository for them.
+#
+use strict;
+use Cwd;
+use File::Copy;
+
+#
+# Find the openssl directory name for use lib. We have to do this
+# inside of BEGIN. The variables we create here, however, don't seem
+# to be available to the main script, so we have to repeat the
+# exercise.
+#
+my $inf_file;
+my $OPENSSL_PATH;
+my @inf;
+
+BEGIN {
+ $inf_file = "OpensslLib.inf";
+
+ # Read the contents of the inf file
+ open( FD, "<" . $inf_file ) ||
+ die "Cannot open \"" . $inf_file . "\"!";
+ @inf = (<FD>);
+ close(FD) ||
+ die "Cannot close \"" . $inf_file . "\"!";
+
+ foreach (@inf) {
+ if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
+
+ # We need to run Configure before we can include its result...
+ $OPENSSL_PATH = $1;
+
+ my $basedir = getcwd();
+
+ chdir($OPENSSL_PATH) ||
+ die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\"";
+
+ # Configure UEFI
+ system(
+ "./Configure",
+ "UEFI",
+ "no-afalgeng",
+ "no-asm",
+ "no-async",
+ "no-autoalginit",
+ "no-autoerrinit",
+ "no-bf",
+ "no-blake2",
+ "no-camellia",
+ "no-capieng",
+ "no-cast",
+ "no-chacha",
+ "no-cms",
+ "no-ct",
+ "no-deprecated",
+ "no-dgram",
+ "no-dsa",
+ "no-dynamic-engine",
+ "no-ec",
+ "no-ec2m",
+ "no-engine",
+ "no-err",
+ "no-filenames",
+ "no-gost",
+ "no-hw",
+ "no-idea",
+ "no-mdc2",
+ "no-pic",
+ "no-ocb",
+ "no-poly1305",
+ "no-posix-io",
+ "no-rc2",
+ "no-rfc3779",
+ "no-rmd160",
+ "no-scrypt",
+ "no-seed",
+ "no-sock",
+ "no-srp",
+ "no-ssl",
+ "no-stdio",
+ "no-threads",
+ "no-ts",
+ "no-ui",
+ "no-whirlpool"
+ ) == 0 ||
+ die "OpenSSL Configure failed!\n";
+
+ # Generate opensslconf.h per config data
+ system(
+ "perl -I. -Mconfigdata util/dofile.pl " .
+ "include/openssl/opensslconf.h.in " .
+ "> include/openssl/opensslconf.h"
+ ) == 0 ||
+ die "Failed to generate opensslconf.h!\n";
+
+ chdir($basedir) ||
+ die "Cannot change to base directory \"" . $basedir . "\"";
+
+ push @INC, $1;
+ last;
+ }
+ }
+}
+
+#
+# Retrieve file lists from OpenSSL configdata
+#
+use configdata qw/%unified_info/;
+
+my @cryptofilelist = ();
+my @sslfilelist = ();
+foreach my $product ((@{$unified_info{libraries}},
+ @{$unified_info{engines}})) {
+ foreach my $o (@{$unified_info{sources}->{$product}}) {
+ foreach my $s (@{$unified_info{sources}->{$o}}) {
+ next if ($unified_info{generate}->{$s});
+ next if $s =~ "crypto/bio/b_print.c";
+ if ($product =~ "libssl") {
+ push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
+ next;
+ }
+ push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
+ }
+ }
+}
+
+#
+# Update OpensslLib.inf with autogenerated file list
+#
+my @new_inf = ();
+my $subbing = 0;
+print "\n--> Updating OpensslLib.inf ... ";
+foreach (@inf) {
+ if ( $_ =~ "# Autogenerated files list starts here" ) {
+ push @new_inf, $_, @cryptofilelist, @sslfilelist;
+ $subbing = 1;
+ next;
+ }
+ if ( $_ =~ "# Autogenerated files list ends here" ) {
+ push @new_inf, $_;
+ $subbing = 0;
+ next;
+ }
+
+ push @new_inf, $_
+ unless ($subbing);
+}
+
+my $new_inf_file = $inf_file . ".new";
+open( FD, ">" . $new_inf_file ) ||
+ die $new_inf_file;
+print( FD @new_inf ) ||
+ die $new_inf_file;
+close(FD) ||
+ die $new_inf_file;
+rename( $new_inf_file, $inf_file ) ||
+ die "rename $inf_file";
+print "Done!";
+
+#
+# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
+#
+$inf_file = "OpensslLibCrypto.inf";
+
+# Read the contents of the inf file
+@inf = ();
+@new_inf = ();
+open( FD, "<" . $inf_file ) ||
+ die "Cannot open \"" . $inf_file . "\"!";
+@inf = (<FD>);
+close(FD) ||
+ die "Cannot close \"" . $inf_file . "\"!";
+
+$subbing = 0;
+print "\n--> Updating OpensslLibCrypto.inf ... ";
+foreach (@inf) {
+ if ( $_ =~ "# Autogenerated files list starts here" ) {
+ push @new_inf, $_, @cryptofilelist;
+ $subbing = 1;
+ next;
+ }
+ if ( $_ =~ "# Autogenerated files list ends here" ) {
+ push @new_inf, $_;
+ $subbing = 0;
+ next;
+ }
+
+ push @new_inf, $_
+ unless ($subbing);
+}
+
+$new_inf_file = $inf_file . ".new";
+open( FD, ">" . $new_inf_file ) ||
+ die $new_inf_file;
+print( FD @new_inf ) ||
+ die $new_inf_file;
+close(FD) ||
+ die $new_inf_file;
+rename( $new_inf_file, $inf_file ) ||
+ die "rename $inf_file";
+print "Done!";
+
+#
+# Copy opensslconf.h generated from OpenSSL Configuration
+#
+print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
+copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
+ $OPENSSL_PATH . "/../../../Include/openssl/") ||
+ die "Cannot copy opensslconf.h!";
+print "Done!\n";
+
+print "\nProcessing Files Done!\n";
+
+exit(0);
+
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h index 9772736..88c4e3b 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -1,42 +1,43 @@ -/** @file - Internal include file for TlsLib. - -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#ifndef __INTERNAL_TLS_LIB_H__ -#define __INTERNAL_TLS_LIB_H__ - -#undef _WIN32 -#undef _WIN64 - -#include <Library/BaseCryptLib.h> -#include <openssl/ssl.h> -#include <openssl/bio.h> -#include <openssl/err.h> - -typedef struct { - // - // Main SSL Connection which is created by a server or a client - // per established connection. - // - SSL *Ssl; - // - // Memory BIO for the TLS/SSL Reading operations. - // - BIO *InBio; - // - // Memory BIO for the TLS/SSL Writing operations. - // - BIO *OutBio; -} TLS_CONNECTION; - -#endif +/** @file
+ Internal include file for TlsLib.
+
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __INTERNAL_TLS_LIB_H__
+#define __INTERNAL_TLS_LIB_H__
+
+#undef _WIN32
+#undef _WIN64
+
+#include <Library/BaseCryptLib.h>
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+typedef struct {
+ //
+ // Main SSL Connection which is created by a server or a client
+ // per established connection.
+ //
+ SSL *Ssl;
+ //
+ // Memory BIO for the TLS/SSL Reading operations.
+ //
+ BIO *InBio;
+ //
+ // Memory BIO for the TLS/SSL Writing operations.
+ //
+ BIO *OutBio;
+} TLS_CONNECTION;
+
+#endif
+
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c index 43e275d..4c88229 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -1,1059 +1,1060 @@ -/** @file - SSL/TLS Configuration Library Wrapper Implementation over OpenSSL. - -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalTlsLib.h" - -typedef struct { - // - // IANA/IETF defined Cipher Suite ID - // - UINT16 IanaCipher; - // - // OpenSSL-used Cipher Suite String - // - CONST CHAR8 *OpensslCipher; -} TLS_CIPHER_PAIR; - -// -// The mapping table between IANA/IETF Cipher Suite definitions and -// OpenSSL-used Cipher Suite name. -// -STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = { - { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5 - { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA - { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 - { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA - { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1 - { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2 - { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA - { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA - { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA - { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA - { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA - { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA - { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA - { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256 - { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256 - { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256 - { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256 - { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256 - { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256 - { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256 - { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 -}; - -/** - Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite. - - @param[in] CipherId The supplied IANA TLS cipher suite ID. - - @return The corresponding OpenSSL cipher suite string if found, - NULL otherwise. - -**/ -STATIC -CONST CHAR8 * -TlsGetCipherString ( - IN UINT16 CipherId - ) -{ - CONST TLS_CIPHER_PAIR *CipherEntry; - UINTN TableSize; - UINTN Index; - - CipherEntry = TlsCipherMappingTable; - TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR); - - // - // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation - // - for (Index = 0; Index < TableSize; Index++, CipherEntry++) { - // - // Translate IANA cipher suite name to OpenSSL name. - // - if (CipherEntry->IanaCipher == CipherId) { - return CipherEntry->OpensslCipher; - } - } - - // - // No Cipher Mapping found, return NULL. - // - return NULL; -} - -/** - Set a new TLS/SSL method for a particular TLS object. - - This function sets a new TLS/SSL method for a particular TLS object. - - @param[in] Tls Pointer to a TLS object. - @param[in] MajorVer Major Version of TLS/SSL Protocol. - @param[in] MinorVer Minor Version of TLS/SSL Protocol. - - @retval EFI_SUCCESS The TLS/SSL method was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. - -**/ -EFI_STATUS -EFIAPI -TlsSetVersion ( - IN VOID *Tls, - IN UINT8 MajorVer, - IN UINT8 MinorVer - ) -{ - TLS_CONNECTION *TlsConn; - UINT16 ProtoVersion; - - TlsConn = (TLS_CONNECTION *)Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return EFI_INVALID_PARAMETER; - } - - ProtoVersion = (MajorVer << 8) | MinorVer; - - // - // Bound TLS method to the particular specified version. - // - switch (ProtoVersion) { - case TLS1_VERSION: - // - // TLS 1.0 - // - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION); - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION); - break; - case TLS1_1_VERSION: - // - // TLS 1.1 - // - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION); - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION); - break; - case TLS1_2_VERSION: - // - // TLS 1.2 - // - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION); - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION); - break; - default: - // - // Unsupported Protocol Version - // - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS;; -} - -/** - Set TLS object to work in client or server mode. - - This function prepares a TLS object to work in client or server mode. - - @param[in] Tls Pointer to a TLS object. - @param[in] IsServer Work in server mode. - - @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. - -**/ -EFI_STATUS -EFIAPI -TlsSetConnectionEnd ( - IN VOID *Tls, - IN BOOLEAN IsServer - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return EFI_INVALID_PARAMETER; - } - - if (!IsServer) { - // - // Set TLS to work in Client mode. - // - SSL_set_connect_state (TlsConn->Ssl); - } else { - // - // Set TLS to work in Server mode. - // It is unsupported for UEFI version currently. - // - //SSL_set_accept_state (TlsConn->Ssl); - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS; -} - -/** - Set the ciphers list to be used by the TLS object. - - This function sets the ciphers for use by a specified TLS object. - - @param[in] Tls Pointer to a TLS object. - @param[in] CipherId Pointer to a UINT16 cipher Id. - @param[in] CipherNum The number of cipher in the list. - - @retval EFI_SUCCESS The ciphers list was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. - -**/ -EFI_STATUS -EFIAPI -TlsSetCipherList ( - IN VOID *Tls, - IN UINT16 *CipherId, - IN UINTN CipherNum - ) -{ - TLS_CONNECTION *TlsConn; - UINTN Index; - CONST CHAR8 *MappingName; - CHAR8 CipherString[500]; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { - return EFI_INVALID_PARAMETER; - } - - MappingName = NULL; - - memset (CipherString, 0, sizeof (CipherString)); - - for (Index = 0; Index < CipherNum; Index++) { - // - // Handling OpenSSL / RFC Cipher name mapping. - // - MappingName = TlsGetCipherString (*(CipherId + Index)); - if (MappingName == NULL) { - return EFI_UNSUPPORTED; - } - - if (Index != 0) { - // - // The ciphers were separated by a colon. - // - AsciiStrCatS (CipherString, sizeof (CipherString), ":"); - } - - AsciiStrCatS (CipherString, sizeof (CipherString), MappingName); - } - - AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH"); - - // - // Sets the ciphers for use by the Tls object. - // - if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) { - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS; -} - -/** - Set the compression method for TLS/SSL operations. - - This function handles TLS/SSL integrated compression methods. - - @param[in] CompMethod The compression method ID. - - @retval EFI_SUCCESS The compression method for the communication was - set successfully. - @retval EFI_UNSUPPORTED Unsupported compression method. - -**/ -EFI_STATUS -EFIAPI -TlsSetCompressionMethod ( - IN UINT8 CompMethod - ) -{ - COMP_METHOD *Cm; - INTN Ret; - - Cm = NULL; - Ret = 0; - - if (CompMethod == 0) { - // - // TLS defines one standard compression method, CompressionMethod.null (0), - // which specifies that data exchanged via the record protocol will not be compressed. - // So, return EFI_SUCCESS directly (RFC 3749). - // - return EFI_SUCCESS; - } else if (CompMethod == 1) { - Cm = COMP_zlib(); - } else { - return EFI_UNSUPPORTED; - } - - // - // Adds the compression method to the list of available - // compression methods. - // - Ret = SSL_COMP_add_compression_method (CompMethod, Cm); - if (Ret != 0) { - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS; -} - -/** - Set peer certificate verification mode for the TLS connection. - - This function sets the verification mode flags for the TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in] VerifyMode A set of logically or'ed verification mode flags. - -**/ -VOID -EFIAPI -TlsSetVerify ( - IN VOID *Tls, - IN UINT32 VerifyMode - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return; - } - - // - // Set peer certificate verification parameters with NULL callback. - // - SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL); -} - -/** - Sets a TLS/SSL session ID to be used during TLS/SSL connect. - - This function sets a session ID to be used when the TLS/SSL connection is - to be established. - - @param[in] Tls Pointer to the TLS object. - @param[in] SessionId Session ID data used for session resumption. - @param[in] SessionIdLen Length of Session ID in bytes. - - @retval EFI_SUCCESS Session ID was set successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED No available session for ID setting. - -**/ -EFI_STATUS -EFIAPI -TlsSetSessionId ( - IN VOID *Tls, - IN UINT8 *SessionId, - IN UINT16 SessionIdLen - ) -{ - TLS_CONNECTION *TlsConn; - SSL_SESSION *Session; - - TlsConn = (TLS_CONNECTION *) Tls; - Session = NULL; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) { - return EFI_INVALID_PARAMETER; - } - - Session = SSL_get_session (TlsConn->Ssl); - if (Session == NULL) { - return EFI_UNSUPPORTED; - } - - SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen); - - return EFI_SUCCESS; -} - -/** - Adds the CA to the cert store when requesting Server or Client authentication. - - This function adds the CA certificate to the list of CAs when requesting - Server or Client authentication for the chosen TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a DER-encoded binary - X.509 certificate or PEM-encoded X.509 certificate. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. - @retval EFI_ABORTED Invalid X.509 certificate. - -**/ -EFI_STATUS -EFIAPI -TlsSetCaCertificate ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ) -{ - BIO *BioCert; - X509 *Cert; - X509_STORE *X509Store; - EFI_STATUS Status; - TLS_CONNECTION *TlsConn; - SSL_CTX *SslCtx; - INTN Ret; - UINTN ErrorCode; - - BioCert = NULL; - Cert = NULL; - X509Store = NULL; - Status = EFI_SUCCESS; - TlsConn = (TLS_CONNECTION *) Tls; - Ret = 0; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { - return EFI_INVALID_PARAMETER; - } - - // - // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. - // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. - // - Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); - if (Cert == NULL) { - // - // Certificate is from PEM encoding. - // - BioCert = BIO_new (BIO_s_mem ()); - if (BioCert == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - - Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); - if (Cert == NULL) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - } - - SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl); - X509Store = SSL_CTX_get_cert_store (SslCtx); - if (X509Store == NULL) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - - // - // Add certificate to X509 store - // - Ret = X509_STORE_add_cert (X509Store, Cert); - if (Ret != 1) { - ErrorCode = ERR_peek_last_error (); - // - // Ignore "already in table" errors - // - if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT && - ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - } - -ON_EXIT: - if (BioCert != NULL) { - BIO_free (BioCert); - } - - if (Cert != NULL) { - X509_free (Cert); - } - - return Status; -} - -/** - Loads the local public certificate into the specified TLS object. - - This function loads the X.509 certificate into the specified TLS object - for TLS negotiation. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a DER-encoded binary - X.509 certificate or PEM-encoded X.509 certificate. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. - @retval EFI_ABORTED Invalid X.509 certificate. - -**/ -EFI_STATUS -EFIAPI -TlsSetHostPublicCert ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ) -{ - BIO *BioCert; - X509 *Cert; - EFI_STATUS Status; - TLS_CONNECTION *TlsConn; - - BioCert = NULL; - Cert = NULL; - Status = EFI_SUCCESS; - TlsConn = (TLS_CONNECTION *) Tls; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { - return EFI_INVALID_PARAMETER; - } - - // - // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. - // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. - // - Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); - if (Cert == NULL) { - // - // Certificate is from PEM encoding. - // - BioCert = BIO_new (BIO_s_mem ()); - if (BioCert == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - - Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); - if (Cert == NULL) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - } - - if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - -ON_EXIT: - if (BioCert != NULL) { - BIO_free (BioCert); - } - - if (Cert != NULL) { - X509_free (Cert); - } - - return Status; -} - -/** - Adds the local private key to the specified TLS object. - - This function adds the local private key (PEM-encoded RSA or PKCS#8 private - key) into the specified TLS object for TLS negotiation. - - @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA - or PKCS#8 private key. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_ABORTED Invalid private key data. - -**/ -EFI_STATUS -EFIAPI -TlsSetHostPrivateKey ( - IN VOID *Tls, - IN VOID *Data, - IN UINTN DataSize - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Adds the CA-supplied certificate revocation list for certificate validation. - - This function adds the CA-supplied certificate revocation list data for - certificate validity checking. - - @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. - @param[in] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_ABORTED Invalid CRL data. - -**/ -EFI_STATUS -EFIAPI -TlsSetCertRevocationList ( - IN VOID *Data, - IN UINTN DataSize - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Gets the protocol version used by the specified TLS connection. - - This function returns the protocol version used by the specified TLS - connection. - - @param[in] Tls Pointer to the TLS object. - - @return The protocol version of the specified TLS connection. - -**/ -UINT16 -EFIAPI -TlsGetVersion ( - IN VOID *Tls - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - - ASSERT (TlsConn != NULL); - - return (UINT16)(SSL_version (TlsConn->Ssl)); -} - -/** - Gets the connection end of the specified TLS connection. - - This function returns the connection end (as client or as server) used by - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - - @return The connection end used by the specified TLS connection. - -**/ -UINT8 -EFIAPI -TlsGetConnectionEnd ( - IN VOID *Tls - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - - ASSERT (TlsConn != NULL); - - return (UINT8)SSL_is_server (TlsConn->Ssl); -} - -/** - Gets the cipher suite used by the specified TLS connection. - - This function returns current cipher suite used by the specified - TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] CipherId The cipher suite used by the TLS object. - - @retval EFI_SUCCESS The cipher suite was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported cipher suite. - -**/ -EFI_STATUS -EFIAPI -TlsGetCurrentCipher ( - IN VOID *Tls, - IN OUT UINT16 *CipherId - ) -{ - TLS_CONNECTION *TlsConn; - CONST SSL_CIPHER *Cipher; - - TlsConn = (TLS_CONNECTION *) Tls; - Cipher = NULL; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { - return EFI_INVALID_PARAMETER; - } - - Cipher = SSL_get_current_cipher (TlsConn->Ssl); - if (Cipher == NULL) { - return EFI_UNSUPPORTED; - } - - *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF; - - return EFI_SUCCESS; -} - -/** - Gets the compression methods used by the specified TLS connection. - - This function returns current integrated compression methods used by - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] CompressionId The current compression method used by - the TLS object. - - @retval EFI_SUCCESS The compression method was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_ABORTED Invalid Compression method. - @retval EFI_UNSUPPORTED This function is not supported. - -**/ -EFI_STATUS -EFIAPI -TlsGetCurrentCompressionId ( - IN VOID *Tls, - IN OUT UINT8 *CompressionId - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Gets the verification mode currently set in the TLS connection. - - This function returns the peer verification mode currently set in the - specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - - @return The verification mode set in the specified TLS connection. - -**/ -UINT32 -EFIAPI -TlsGetVerify ( - IN VOID *Tls - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - - ASSERT (TlsConn != NULL); - - return SSL_get_verify_mode (TlsConn->Ssl); -} - -/** - Gets the session ID used by the specified TLS connection. - - This function returns the TLS/SSL session ID currently used by the - specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] SessionId Buffer to contain the returned session ID. - @param[in,out] SessionIdLen The length of Session ID in bytes. - - @retval EFI_SUCCESS The Session ID was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Invalid TLS/SSL session. - -**/ -EFI_STATUS -EFIAPI -TlsGetSessionId ( - IN VOID *Tls, - IN OUT UINT8 *SessionId, - IN OUT UINT16 *SessionIdLen - ) -{ - TLS_CONNECTION *TlsConn; - SSL_SESSION *Session; - CONST UINT8 *SslSessionId; - - TlsConn = (TLS_CONNECTION *) Tls; - Session = NULL; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) { - return EFI_INVALID_PARAMETER; - } - - Session = SSL_get_session (TlsConn->Ssl); - if (Session == NULL) { - return EFI_UNSUPPORTED; - } - - SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen); - CopyMem (SessionId, SslSessionId, *SessionIdLen); - - return EFI_SUCCESS; -} - -/** - Gets the client random data used in the specified TLS connection. - - This function returns the TLS/SSL client random data currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] ClientRandom Buffer to contain the returned client - random data (32 bytes). - -**/ -VOID -EFIAPI -TlsGetClientRandom ( - IN VOID *Tls, - IN OUT UINT8 *ClientRandom - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) { - return; - } - - SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE); -} - -/** - Gets the server random data used in the specified TLS connection. - - This function returns the TLS/SSL server random data currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] ServerRandom Buffer to contain the returned server - random data (32 bytes). - -**/ -VOID -EFIAPI -TlsGetServerRandom ( - IN VOID *Tls, - IN OUT UINT8 *ServerRandom - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) { - return; - } - - SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE); -} - -/** - Gets the master key data used in the specified TLS connection. - - This function returns the TLS/SSL master key material currently used in - the specified TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] KeyMaterial Buffer to contain the returned key material. - - @retval EFI_SUCCESS Key material was returned successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Invalid TLS/SSL session. - -**/ -EFI_STATUS -EFIAPI -TlsGetKeyMaterial ( - IN VOID *Tls, - IN OUT UINT8 *KeyMaterial - ) -{ - TLS_CONNECTION *TlsConn; - SSL_SESSION *Session; - - TlsConn = (TLS_CONNECTION *) Tls; - Session = NULL; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) { - return EFI_INVALID_PARAMETER; - } - - Session = SSL_get_session (TlsConn->Ssl); - - if (Session == NULL) { - return EFI_UNSUPPORTED; - } - - SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE); - - return EFI_SUCCESS; -} - -/** - Gets the CA Certificate from the cert store. - - This function returns the CA certificate for the chosen - TLS connection. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the CA - certificate data sent to the client. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetCaCertificate ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Gets the local public Certificate set in the specified TLS object. - - This function returns the local public certificate which was currently set - in the specified TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the local - public certificate. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_NOT_FOUND The certificate is not found. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetHostPublicCert ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ) -{ - X509 *Cert; - TLS_CONNECTION *TlsConn; - - Cert = NULL; - TlsConn = (TLS_CONNECTION *) Tls; - - if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - Cert = SSL_get_certificate(TlsConn->Ssl); - if (Cert == NULL) { - return EFI_NOT_FOUND; - } - - // - // Only DER encoding is supported currently. - // - if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) { - *DataSize = (UINTN) i2d_X509 (Cert, NULL); - return EFI_BUFFER_TOO_SMALL; - } - - *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data); - - return EFI_SUCCESS; -} - -/** - Gets the local private key set in the specified TLS object. - - This function returns the local private key data which was currently set - in the specified TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[out] Data Pointer to the data buffer to receive the local - private key data. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetHostPrivateKey ( - IN VOID *Tls, - OUT VOID *Data, - IN OUT UINTN *DataSize - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Gets the CA-supplied certificate revocation list data set in the specified - TLS object. - - This function returns the CA-supplied certificate revocation list data which - was currently set in the specified TLS object. - - @param[out] Data Pointer to the data buffer to receive the CRL data. - @param[in,out] DataSize The size of data buffer in bytes. - - @retval EFI_SUCCESS The operation succeeded. - @retval EFI_UNSUPPORTED This function is not supported. - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. - -**/ -EFI_STATUS -EFIAPI -TlsGetCertRevocationList ( - OUT VOID *Data, - IN OUT UINTN *DataSize - ) -{ - return EFI_UNSUPPORTED; -} +/** @file
+ SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
+
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalTlsLib.h"
+
+typedef struct {
+ //
+ // IANA/IETF defined Cipher Suite ID
+ //
+ UINT16 IanaCipher;
+ //
+ // OpenSSL-used Cipher Suite String
+ //
+ CONST CHAR8 *OpensslCipher;
+} TLS_CIPHER_PAIR;
+
+//
+// The mapping table between IANA/IETF Cipher Suite definitions and
+// OpenSSL-used Cipher Suite name.
+//
+STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
+ { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
+ { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
+ { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
+ { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
+ { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
+ { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
+ { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
+ { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
+ { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
+ { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
+ { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
+ { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
+ { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256
+ { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256
+ { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
+ { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
+ { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
+ { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
+ { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+};
+
+/**
+ Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
+
+ @param[in] CipherId The supplied IANA TLS cipher suite ID.
+
+ @return The corresponding OpenSSL cipher suite string if found,
+ NULL otherwise.
+
+**/
+STATIC
+CONST CHAR8 *
+TlsGetCipherString (
+ IN UINT16 CipherId
+ )
+{
+ CONST TLS_CIPHER_PAIR *CipherEntry;
+ UINTN TableSize;
+ UINTN Index;
+
+ CipherEntry = TlsCipherMappingTable;
+ TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
+
+ //
+ // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
+ //
+ for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
+ //
+ // Translate IANA cipher suite name to OpenSSL name.
+ //
+ if (CipherEntry->IanaCipher == CipherId) {
+ return CipherEntry->OpensslCipher;
+ }
+ }
+
+ //
+ // No Cipher Mapping found, return NULL.
+ //
+ return NULL;
+}
+
+/**
+ Set a new TLS/SSL method for a particular TLS object.
+
+ This function sets a new TLS/SSL method for a particular TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+
+ @retval EFI_SUCCESS The TLS/SSL method was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetVersion (
+ IN VOID *Tls,
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINT16 ProtoVersion;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ ProtoVersion = (MajorVer << 8) | MinorVer;
+
+ //
+ // Bound TLS method to the particular specified version.
+ //
+ switch (ProtoVersion) {
+ case TLS1_VERSION:
+ //
+ // TLS 1.0
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ break;
+ case TLS1_1_VERSION:
+ //
+ // TLS 1.1
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ break;
+ case TLS1_2_VERSION:
+ //
+ // TLS 1.2
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ break;
+ default:
+ //
+ // Unsupported Protocol Version
+ //
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;;
+}
+
+/**
+ Set TLS object to work in client or server mode.
+
+ This function prepares a TLS object to work in client or server mode.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] IsServer Work in server mode.
+
+ @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConnectionEnd (
+ IN VOID *Tls,
+ IN BOOLEAN IsServer
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (!IsServer) {
+ //
+ // Set TLS to work in Client mode.
+ //
+ SSL_set_connect_state (TlsConn->Ssl);
+ } else {
+ //
+ // Set TLS to work in Server mode.
+ // It is unsupported for UEFI version currently.
+ //
+ //SSL_set_accept_state (TlsConn->Ssl);
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Set the ciphers list to be used by the TLS object.
+
+ This function sets the ciphers for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] CipherId Pointer to a UINT16 cipher Id.
+ @param[in] CipherNum The number of cipher in the list.
+
+ @retval EFI_SUCCESS The ciphers list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCipherList (
+ IN VOID *Tls,
+ IN UINT16 *CipherId,
+ IN UINTN CipherNum
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN Index;
+ CONST CHAR8 *MappingName;
+ CHAR8 CipherString[500];
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ MappingName = NULL;
+
+ memset (CipherString, 0, sizeof (CipherString));
+
+ for (Index = 0; Index < CipherNum; Index++) {
+ //
+ // Handling OpenSSL / RFC Cipher name mapping.
+ //
+ MappingName = TlsGetCipherString (*(CipherId + Index));
+ if (MappingName == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (Index != 0) {
+ //
+ // The ciphers were separated by a colon.
+ //
+ AsciiStrCatS (CipherString, sizeof (CipherString), ":");
+ }
+
+ AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
+ }
+
+ AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
+
+ //
+ // Sets the ciphers for use by the Tls object.
+ //
+ if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Set the compression method for TLS/SSL operations.
+
+ This function handles TLS/SSL integrated compression methods.
+
+ @param[in] CompMethod The compression method ID.
+
+ @retval EFI_SUCCESS The compression method for the communication was
+ set successfully.
+ @retval EFI_UNSUPPORTED Unsupported compression method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCompressionMethod (
+ IN UINT8 CompMethod
+ )
+{
+ COMP_METHOD *Cm;
+ INTN Ret;
+
+ Cm = NULL;
+ Ret = 0;
+
+ if (CompMethod == 0) {
+ //
+ // TLS defines one standard compression method, CompressionMethod.null (0),
+ // which specifies that data exchanged via the record protocol will not be compressed.
+ // So, return EFI_SUCCESS directly (RFC 3749).
+ //
+ return EFI_SUCCESS;
+ } else if (CompMethod == 1) {
+ Cm = COMP_zlib();
+ } else {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Adds the compression method to the list of available
+ // compression methods.
+ //
+ Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
+ if (Ret != 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Set peer certificate verification mode for the TLS connection.
+
+ This function sets the verification mode flags for the TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] VerifyMode A set of logically or'ed verification mode flags.
+
+**/
+VOID
+EFIAPI
+TlsSetVerify (
+ IN VOID *Tls,
+ IN UINT32 VerifyMode
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return;
+ }
+
+ //
+ // Set peer certificate verification parameters with NULL callback.
+ //
+ SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
+}
+
+/**
+ Sets a TLS/SSL session ID to be used during TLS/SSL connect.
+
+ This function sets a session ID to be used when the TLS/SSL connection is
+ to be established.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SessionId Session ID data used for session resumption.
+ @param[in] SessionIdLen Length of Session ID in bytes.
+
+ @retval EFI_SUCCESS Session ID was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED No available session for ID setting.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSessionId (
+ IN VOID *Tls,
+ IN UINT8 *SessionId,
+ IN UINT16 SessionIdLen
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ SSL_SESSION *Session;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Session = SSL_get_session (TlsConn->Ssl);
+ if (Session == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Adds the CA to the cert store when requesting Server or Client authentication.
+
+ This function adds the CA certificate to the list of CAs when requesting
+ Server or Client authentication for the chosen TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCaCertificate (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ BIO *BioCert;
+ X509 *Cert;
+ X509_STORE *X509Store;
+ EFI_STATUS Status;
+ TLS_CONNECTION *TlsConn;
+ SSL_CTX *SslCtx;
+ INTN Ret;
+ UINTN ErrorCode;
+
+ BioCert = NULL;
+ Cert = NULL;
+ X509Store = NULL;
+ Status = EFI_SUCCESS;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Ret = 0;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
+ //
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
+ if (Cert == NULL) {
+ //
+ // Certificate is from PEM encoding.
+ //
+ BioCert = BIO_new (BIO_s_mem ());
+ if (BioCert == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_EXIT;
+ }
+
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
+ if (Cert == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
+ X509Store = SSL_CTX_get_cert_store (SslCtx);
+ if (X509Store == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+
+ //
+ // Add certificate to X509 store
+ //
+ Ret = X509_STORE_add_cert (X509Store, Cert);
+ if (Ret != 1) {
+ ErrorCode = ERR_peek_last_error ();
+ //
+ // Ignore "already in table" errors
+ //
+ if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
+ ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+
+ON_EXIT:
+ if (BioCert != NULL) {
+ BIO_free (BioCert);
+ }
+
+ if (Cert != NULL) {
+ X509_free (Cert);
+ }
+
+ return Status;
+}
+
+/**
+ Loads the local public certificate into the specified TLS object.
+
+ This function loads the X.509 certificate into the specified TLS object
+ for TLS negotiation.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPublicCert (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ BIO *BioCert;
+ X509 *Cert;
+ EFI_STATUS Status;
+ TLS_CONNECTION *TlsConn;
+
+ BioCert = NULL;
+ Cert = NULL;
+ Status = EFI_SUCCESS;
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
+ //
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
+ if (Cert == NULL) {
+ //
+ // Certificate is from PEM encoding.
+ //
+ BioCert = BIO_new (BIO_s_mem ());
+ if (BioCert == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_EXIT;
+ }
+
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
+ if (Cert == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+
+ if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+
+ON_EXIT:
+ if (BioCert != NULL) {
+ BIO_free (BioCert);
+ }
+
+ if (Cert != NULL) {
+ X509_free (Cert);
+ }
+
+ return Status;
+}
+
+/**
+ Adds the local private key to the specified TLS object.
+
+ This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+ key) into the specified TLS object for TLS negotiation.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
+ or PKCS#8 private key.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKey (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Adds the CA-supplied certificate revocation list for certificate validation.
+
+ This function adds the CA-supplied certificate revocation list data for
+ certificate validity checking.
+
+ @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
+ @param[in] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid CRL data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCertRevocationList (
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Gets the protocol version used by the specified TLS connection.
+
+ This function returns the protocol version used by the specified TLS
+ connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The protocol version of the specified TLS connection.
+
+**/
+UINT16
+EFIAPI
+TlsGetVersion (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ ASSERT (TlsConn != NULL);
+
+ return (UINT16)(SSL_version (TlsConn->Ssl));
+}
+
+/**
+ Gets the connection end of the specified TLS connection.
+
+ This function returns the connection end (as client or as server) used by
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The connection end used by the specified TLS connection.
+
+**/
+UINT8
+EFIAPI
+TlsGetConnectionEnd (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ ASSERT (TlsConn != NULL);
+
+ return (UINT8)SSL_is_server (TlsConn->Ssl);
+}
+
+/**
+ Gets the cipher suite used by the specified TLS connection.
+
+ This function returns current cipher suite used by the specified
+ TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CipherId The cipher suite used by the TLS object.
+
+ @retval EFI_SUCCESS The cipher suite was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported cipher suite.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCipher (
+ IN VOID *Tls,
+ IN OUT UINT16 *CipherId
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ CONST SSL_CIPHER *Cipher;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Cipher = NULL;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Cipher = SSL_get_current_cipher (TlsConn->Ssl);
+ if (Cipher == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Gets the compression methods used by the specified TLS connection.
+
+ This function returns current integrated compression methods used by
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CompressionId The current compression method used by
+ the TLS object.
+
+ @retval EFI_SUCCESS The compression method was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid Compression method.
+ @retval EFI_UNSUPPORTED This function is not supported.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCompressionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *CompressionId
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Gets the verification mode currently set in the TLS connection.
+
+ This function returns the peer verification mode currently set in the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+
+ @return The verification mode set in the specified TLS connection.
+
+**/
+UINT32
+EFIAPI
+TlsGetVerify (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ ASSERT (TlsConn != NULL);
+
+ return SSL_get_verify_mode (TlsConn->Ssl);
+}
+
+/**
+ Gets the session ID used by the specified TLS connection.
+
+ This function returns the TLS/SSL session ID currently used by the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] SessionId Buffer to contain the returned session ID.
+ @param[in,out] SessionIdLen The length of Session ID in bytes.
+
+ @retval EFI_SUCCESS The Session ID was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetSessionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *SessionId,
+ IN OUT UINT16 *SessionIdLen
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ SSL_SESSION *Session;
+ CONST UINT8 *SslSessionId;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Session = SSL_get_session (TlsConn->Ssl);
+ if (Session == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
+ CopyMem (SessionId, SslSessionId, *SessionIdLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Gets the client random data used in the specified TLS connection.
+
+ This function returns the TLS/SSL client random data currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ClientRandom Buffer to contain the returned client
+ random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetClientRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ClientRandom
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
+ return;
+ }
+
+ SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
+}
+
+/**
+ Gets the server random data used in the specified TLS connection.
+
+ This function returns the TLS/SSL server random data currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ServerRandom Buffer to contain the returned server
+ random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetServerRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ServerRandom
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
+ return;
+ }
+
+ SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
+}
+
+/**
+ Gets the master key data used in the specified TLS connection.
+
+ This function returns the TLS/SSL master key material currently used in
+ the specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] KeyMaterial Buffer to contain the returned key material.
+
+ @retval EFI_SUCCESS Key material was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetKeyMaterial (
+ IN VOID *Tls,
+ IN OUT UINT8 *KeyMaterial
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ SSL_SESSION *Session;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Session = SSL_get_session (TlsConn->Ssl);
+
+ if (Session == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Gets the CA Certificate from the cert store.
+
+ This function returns the CA certificate for the chosen
+ TLS connection.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the CA
+ certificate data sent to the client.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCaCertificate (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Gets the local public Certificate set in the specified TLS object.
+
+ This function returns the local public certificate which was currently set
+ in the specified TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ public certificate.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_NOT_FOUND The certificate is not found.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPublicCert (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+{
+ X509 *Cert;
+ TLS_CONNECTION *TlsConn;
+
+ Cert = NULL;
+ TlsConn = (TLS_CONNECTION *) Tls;
+
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Cert = SSL_get_certificate(TlsConn->Ssl);
+ if (Cert == NULL) {
+ return EFI_NOT_FOUND;
+ }
+
+ //
+ // Only DER encoding is supported currently.
+ //
+ if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
+ *DataSize = (UINTN) i2d_X509 (Cert, NULL);
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Gets the local private key set in the specified TLS object.
+
+ This function returns the local private key data which was currently set
+ in the specified TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ private key data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPrivateKey (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Gets the CA-supplied certificate revocation list data set in the specified
+ TLS object.
+
+ This function returns the CA-supplied certificate revocation list data which
+ was currently set in the specified TLS object.
+
+ @param[out] Data Pointer to the data buffer to receive the CRL data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCertRevocationList (
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/TlsInit.c index f32148a..e2c9744 100644 --- a/CryptoPkg/Library/TlsLib/TlsInit.c +++ b/CryptoPkg/Library/TlsLib/TlsInit.c @@ -1,268 +1,269 @@ -/** @file - SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. - -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalTlsLib.h" - -/** - Initializes the OpenSSL library. - - This function registers ciphers and digests used directly and indirectly - by SSL/TLS, and initializes the readable error messages. - This function must be called before any other action takes places. - -**/ -VOID -EFIAPI -TlsInitialize ( - VOID - ) -{ - // - // Performs initialization of crypto and ssl library, and loads required - // algorithms. - // - OPENSSL_init_ssl ( - OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, - NULL - ); - - // - // Initialize the pseudorandom number generator. - // - RandomSeed (NULL, 0); -} - -/** - Free an allocated SSL_CTX object. - - @param[in] TlsCtx Pointer to the SSL_CTX object to be released. - -**/ -VOID -EFIAPI -TlsCtxFree ( - IN VOID *TlsCtx - ) -{ - if (TlsCtx == NULL) { - return; - } - - if (TlsCtx != NULL) { - SSL_CTX_free ((SSL_CTX *) (TlsCtx)); - } -} - -/** - Creates a new SSL_CTX object as framework to establish TLS/SSL enabled - connections. - - @param[in] MajorVer Major Version of TLS/SSL Protocol. - @param[in] MinorVer Minor Version of TLS/SSL Protocol. - - @return Pointer to an allocated SSL_CTX object. - If the creation failed, TlsCtxNew() returns NULL. - -**/ -VOID * -EFIAPI -TlsCtxNew ( - IN UINT8 MajorVer, - IN UINT8 MinorVer - ) -{ - SSL_CTX *TlsCtx; - UINT16 ProtoVersion; - - ProtoVersion = (MajorVer << 8) | MinorVer; - - TlsCtx = SSL_CTX_new (SSLv23_client_method ()); - if (TlsCtx == NULL) { - return NULL; - } - - // - // Ensure SSLv3 is disabled - // - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3); - - // - // Treat as minimum accepted versions by setting the minimal bound. - // Client can use higher TLS version if server supports it - // - SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion); - - return (VOID *) TlsCtx; -} - -/** - Free an allocated TLS object. - - This function removes the TLS object pointed to by Tls and frees up the - allocated memory. If Tls is NULL, nothing is done. - - @param[in] Tls Pointer to the TLS object to be freed. - -**/ -VOID -EFIAPI -TlsFree ( - IN VOID *Tls - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL) { - return; - } - - // - // Free the internal TLS and BIO objects. - // - if (TlsConn->Ssl != NULL) { - SSL_free (TlsConn->Ssl); - } - - if (TlsConn->InBio != NULL) { - BIO_free (TlsConn->InBio); - } - - if (TlsConn->OutBio != NULL) { - BIO_free (TlsConn->OutBio); - } - - OPENSSL_free (Tls); -} - -/** - Create a new TLS object for a connection. - - This function creates a new TLS object for a connection. The new object - inherits the setting of the underlying context TlsCtx: connection method, - options, verification setting. - - @param[in] TlsCtx Pointer to the SSL_CTX object. - - @return Pointer to an allocated SSL object. - If the creation failed, TlsNew() returns NULL. - -**/ -VOID * -EFIAPI -TlsNew ( - IN VOID *TlsCtx - ) -{ - TLS_CONNECTION *TlsConn; - SSL_CTX *SslCtx; - X509_STORE *X509Store; - - TlsConn = NULL; - - // - // Allocate one new TLS_CONNECTION object - // - TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION)); - if (TlsConn == NULL) { - return NULL; - } - - TlsConn->Ssl = NULL; - - // - // Create a new SSL Object - // - TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx); - if (TlsConn->Ssl == NULL) { - TlsFree ((VOID *) TlsConn); - return NULL; - } - - // - // This retains compatibility with previous version of OpenSSL. - // - SSL_set_security_level (TlsConn->Ssl, 0); - - // - // Initialize the created SSL Object - // - SSL_set_info_callback (TlsConn->Ssl, NULL); - - TlsConn->InBio = NULL; - - // - // Set up Reading BIO for TLS connection - // - TlsConn->InBio = BIO_new (BIO_s_mem ()); - if (TlsConn->InBio == NULL) { - TlsFree ((VOID *) TlsConn); - return NULL; - } - - // - // Sets the behaviour of memory BIO when it is empty. It will set the - // read retry flag. - // - BIO_set_mem_eof_return (TlsConn->InBio, -1); - - TlsConn->OutBio = NULL; - - // - // Set up Writing BIO for TLS connection - // - TlsConn->OutBio = BIO_new (BIO_s_mem ()); - if (TlsConn->OutBio == NULL) { - TlsFree ((VOID *) TlsConn); - return NULL; - } - - // - // Sets the behaviour of memory BIO when it is empty. It will set the - // write retry flag. - // - BIO_set_mem_eof_return (TlsConn->OutBio, -1); - - ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL); - - // - // Connects the InBio and OutBio for the read and write operations. - // - SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio); - - // - // Create new X509 store if needed - // - SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl); - X509Store = SSL_CTX_get_cert_store (SslCtx); - if (X509Store == NULL) { - X509Store = X509_STORE_new (); - if (X509Store == NULL) { - TlsFree ((VOID *) TlsConn); - return NULL; - } - SSL_CTX_set1_verify_cert_store (SslCtx, X509Store); - X509_STORE_free (X509Store); - } - - // - // Set X509_STORE flags used in certificate validation - // - X509_STORE_set_flags ( - X509Store, - X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME - ); - return (VOID *) TlsConn; -} +/** @file
+ SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
+
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalTlsLib.h"
+
+/**
+ Initializes the OpenSSL library.
+
+ This function registers ciphers and digests used directly and indirectly
+ by SSL/TLS, and initializes the readable error messages.
+ This function must be called before any other action takes places.
+
+**/
+VOID
+EFIAPI
+TlsInitialize (
+ VOID
+ )
+{
+ //
+ // Performs initialization of crypto and ssl library, and loads required
+ // algorithms.
+ //
+ OPENSSL_init_ssl (
+ OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
+ NULL
+ );
+
+ //
+ // Initialize the pseudorandom number generator.
+ //
+ RandomSeed (NULL, 0);
+}
+
+/**
+ Free an allocated SSL_CTX object.
+
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
+
+**/
+VOID
+EFIAPI
+TlsCtxFree (
+ IN VOID *TlsCtx
+ )
+{
+ if (TlsCtx == NULL) {
+ return;
+ }
+
+ if (TlsCtx != NULL) {
+ SSL_CTX_free ((SSL_CTX *) (TlsCtx));
+ }
+}
+
+/**
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
+ connections.
+
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+
+ @return Pointer to an allocated SSL_CTX object.
+ If the creation failed, TlsCtxNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsCtxNew (
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ )
+{
+ SSL_CTX *TlsCtx;
+ UINT16 ProtoVersion;
+
+ ProtoVersion = (MajorVer << 8) | MinorVer;
+
+ TlsCtx = SSL_CTX_new (SSLv23_client_method ());
+ if (TlsCtx == NULL) {
+ return NULL;
+ }
+
+ //
+ // Ensure SSLv3 is disabled
+ //
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
+
+ //
+ // Treat as minimum accepted versions by setting the minimal bound.
+ // Client can use higher TLS version if server supports it
+ //
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
+
+ return (VOID *) TlsCtx;
+}
+
+/**
+ Free an allocated TLS object.
+
+ This function removes the TLS object pointed to by Tls and frees up the
+ allocated memory. If Tls is NULL, nothing is done.
+
+ @param[in] Tls Pointer to the TLS object to be freed.
+
+**/
+VOID
+EFIAPI
+TlsFree (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL) {
+ return;
+ }
+
+ //
+ // Free the internal TLS and BIO objects.
+ //
+ if (TlsConn->Ssl != NULL) {
+ SSL_free (TlsConn->Ssl);
+ }
+
+ if (TlsConn->InBio != NULL) {
+ BIO_free (TlsConn->InBio);
+ }
+
+ if (TlsConn->OutBio != NULL) {
+ BIO_free (TlsConn->OutBio);
+ }
+
+ OPENSSL_free (Tls);
+}
+
+/**
+ Create a new TLS object for a connection.
+
+ This function creates a new TLS object for a connection. The new object
+ inherits the setting of the underlying context TlsCtx: connection method,
+ options, verification setting.
+
+ @param[in] TlsCtx Pointer to the SSL_CTX object.
+
+ @return Pointer to an allocated SSL object.
+ If the creation failed, TlsNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsNew (
+ IN VOID *TlsCtx
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ SSL_CTX *SslCtx;
+ X509_STORE *X509Store;
+
+ TlsConn = NULL;
+
+ //
+ // Allocate one new TLS_CONNECTION object
+ //
+ TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
+ if (TlsConn == NULL) {
+ return NULL;
+ }
+
+ TlsConn->Ssl = NULL;
+
+ //
+ // Create a new SSL Object
+ //
+ TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
+ if (TlsConn->Ssl == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+
+ //
+ // This retains compatibility with previous version of OpenSSL.
+ //
+ SSL_set_security_level (TlsConn->Ssl, 0);
+
+ //
+ // Initialize the created SSL Object
+ //
+ SSL_set_info_callback (TlsConn->Ssl, NULL);
+
+ TlsConn->InBio = NULL;
+
+ //
+ // Set up Reading BIO for TLS connection
+ //
+ TlsConn->InBio = BIO_new (BIO_s_mem ());
+ if (TlsConn->InBio == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+
+ //
+ // Sets the behaviour of memory BIO when it is empty. It will set the
+ // read retry flag.
+ //
+ BIO_set_mem_eof_return (TlsConn->InBio, -1);
+
+ TlsConn->OutBio = NULL;
+
+ //
+ // Set up Writing BIO for TLS connection
+ //
+ TlsConn->OutBio = BIO_new (BIO_s_mem ());
+ if (TlsConn->OutBio == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+
+ //
+ // Sets the behaviour of memory BIO when it is empty. It will set the
+ // write retry flag.
+ //
+ BIO_set_mem_eof_return (TlsConn->OutBio, -1);
+
+ ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
+
+ //
+ // Connects the InBio and OutBio for the read and write operations.
+ //
+ SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
+
+ //
+ // Create new X509 store if needed
+ //
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
+ X509Store = SSL_CTX_get_cert_store (SslCtx);
+ if (X509Store == NULL) {
+ X509Store = X509_STORE_new ();
+ if (X509Store == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+ SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
+ X509_STORE_free (X509Store);
+ }
+
+ //
+ // Set X509_STORE flags used in certificate validation
+ //
+ X509_STORE_set_flags (
+ X509Store,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
+ );
+ return (VOID *) TlsConn;
+}
+
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib/TlsLib.inf index d4ce646..a3f93e7 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.inf +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -1,56 +1,57 @@ -## @file -# SSL/TLS Wrapper Library Instance based on OpenSSL. -# -# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR> -# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> -# This program and the accompanying materials -# are licensed and made available under the terms and conditions of the BSD License -# which accompanies this distribution. The full text of the license may be found at -# http://opensource.org/licenses/bsd-license.php -# -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. -# -## - -[Defines] - INF_VERSION = 0x00010005 - BASE_NAME = TlsLib - MODULE_UNI_FILE = TlsLib.uni - FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155 - MODULE_TYPE = DXE_DRIVER - VERSION_STRING = 1.0 - LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER - -# -# The following information is for reference only and not required by the build tools. -# -# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64 -# - -[Sources] - InternalTlsLib.h - TlsInit.c - TlsConfig.c - TlsProcess.c - -[Packages] - MdePkg/MdePkg.dec - CryptoPkg/CryptoPkg.dec - -[LibraryClasses] - BaseLib - BaseMemoryLib - MemoryAllocationLib - UefiRuntimeServicesTableLib - DebugLib - OpensslLib - IntrinsicLib - PrintLib - -[BuildOptions] - # - # suppress the following warnings so we do not break the build with warnings-as-errors: - # C4090: 'function' : different 'const' qualifiers - # - MSFT:*_*_*_CC_FLAGS = /wd4090 +## @file
+# SSL/TLS Wrapper Library Instance based on OpenSSL.
+#
+# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = TlsLib
+ MODULE_UNI_FILE = TlsLib.uni
+ FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
+#
+
+[Sources]
+ InternalTlsLib.h
+ TlsInit.c
+ TlsConfig.c
+ TlsProcess.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ MemoryAllocationLib
+ UefiRuntimeServicesTableLib
+ DebugLib
+ OpensslLib
+ IntrinsicLib
+ PrintLib
+
+[BuildOptions]
+ #
+ # suppress the following warnings so we do not break the build with warnings-as-errors:
+ # C4090: 'function' : different 'const' qualifiers
+ #
+ MSFT:*_*_*_CC_FLAGS = /wd4090
+
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.uni b/CryptoPkg/Library/TlsLib/TlsLib.uni index 9b79287..e43a5df 100644 --- a/CryptoPkg/Library/TlsLib/TlsLib.uni +++ b/CryptoPkg/Library/TlsLib/TlsLib.uni @@ -1,19 +1,19 @@ -// /** @file -// SSL/TLS Wrapper Library Instance based on OpenSSL. -// -// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> -// -// This program and the accompanying materials -// are licensed and made available under the terms and conditions of the BSD License -// which accompanies this distribution. The full text of the license may be found at -// http://opensource.org/licenses/bsd-license.php -// -// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. -// -// **/ - - -#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance" - -#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."
\ No newline at end of file +// /** @file
+// SSL/TLS Wrapper Library Instance based on OpenSSL.
+//
+// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+//
+// This program and the accompanying materials
+// are licensed and made available under the terms and conditions of the BSD License
+// which accompanies this distribution. The full text of the license may be found at
+// http://opensource.org/licenses/bsd-license.php
+//
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."
diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsLib/TlsProcess.c index 8532dab..38baac0 100644 --- a/CryptoPkg/Library/TlsLib/TlsProcess.c +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c @@ -1,462 +1,463 @@ -/** @file - SSL/TLS Process Library Wrapper Implementation over OpenSSL. - The process includes the TLS handshake and packet I/O. - -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalTlsLib.h" - -#define MAX_BUFFER_SIZE 32768 - -/** - Checks if the TLS handshake was done. - - This function will check if the specified TLS handshake was done. - - @param[in] Tls Pointer to the TLS object for handshake state checking. - - @retval TRUE The TLS handshake was done. - @retval FALSE The TLS handshake was not done. - -**/ -BOOLEAN -EFIAPI -TlsInHandshake ( - IN VOID *Tls - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return FALSE; - } - - // - // Return the status which indicates if the TLS handshake was done. - // - return !SSL_is_init_finished (TlsConn->Ssl); -} - -/** - Perform a TLS/SSL handshake. - - This function will perform a TLS/SSL handshake. - - @param[in] Tls Pointer to the TLS object for handshake operation. - @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. - @param[in] BufferInSize Packet size in bytes for the most recently received TLS - Handshake packet. - @param[out] BufferOut Pointer to the buffer to hold the built packet. - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferIn is NULL but BufferInSize is NOT 0. - BufferInSize is 0 but BufferIn is NOT NULL. - BufferOutSize is NULL. - BufferOut is NULL if *BufferOutSize is not zero. - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. - @retval EFI_ABORTED Something wrong during handshake. - -**/ -EFI_STATUS -EFIAPI -TlsDoHandshake ( - IN VOID *Tls, - IN UINT8 *BufferIn, OPTIONAL - IN UINTN BufferInSize, OPTIONAL - OUT UINT8 *BufferOut, OPTIONAL - IN OUT UINTN *BufferOutSize - ) -{ - TLS_CONNECTION *TlsConn; - UINTN PendingBufferSize; - INTN Ret; - UINTN ErrorCode; - - TlsConn = (TLS_CONNECTION *) Tls; - PendingBufferSize = 0; - Ret = 1; - - if (TlsConn == NULL || \ - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ - BufferOutSize == NULL || \ - (BufferIn == NULL && BufferInSize != 0) || \ - (BufferIn != NULL && BufferInSize == 0) || \ - (BufferOut == NULL && *BufferOutSize != 0)) { - return EFI_INVALID_PARAMETER; - } - - if(BufferIn == NULL && BufferInSize == 0) { - // - // If RequestBuffer is NULL and RequestSize is 0, and TLS session - // status is EfiTlsSessionNotStarted, the TLS session will be initiated - // and the response packet needs to be ClientHello. - // - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - if (PendingBufferSize == 0) { - SSL_set_connect_state (TlsConn->Ssl); - Ret = SSL_do_handshake (TlsConn->Ssl); - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - } - } else { - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - if (PendingBufferSize == 0) { - BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); - Ret = SSL_do_handshake (TlsConn->Ssl); - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - } - } - - if (Ret < 1) { - Ret = SSL_get_error (TlsConn->Ssl, (int) Ret); - if (Ret == SSL_ERROR_SSL || - Ret == SSL_ERROR_SYSCALL || - Ret == SSL_ERROR_ZERO_RETURN) { - DEBUG (( - DEBUG_ERROR, - "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n", - __FUNCTION__, - SSL_get_state (TlsConn->Ssl), - Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN" - )); - DEBUG_CODE_BEGIN (); - while (TRUE) { - ErrorCode = ERR_get_error (); - if (ErrorCode == 0) { - break; - } - DEBUG (( - DEBUG_ERROR, - "%a ERROR 0x%x=L%x:F%x:R%x\n", - __FUNCTION__, - ErrorCode, - ERR_GET_LIB (ErrorCode), - ERR_GET_FUNC (ErrorCode), - ERR_GET_REASON (ErrorCode) - )); - } - DEBUG_CODE_END (); - return EFI_ABORTED; - } - } - - if (PendingBufferSize > *BufferOutSize) { - *BufferOutSize = PendingBufferSize; - return EFI_BUFFER_TOO_SMALL; - } - - if (PendingBufferSize > 0) { - *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); - } else { - *BufferOutSize = 0; - } - - return EFI_SUCCESS; -} - -/** - Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, - TLS session has errors and the response packet needs to be Alert message based on error type. - - @param[in] Tls Pointer to the TLS object for state checking. - @param[in] BufferIn Pointer to the most recently received TLS Alert packet. - @param[in] BufferInSize Packet size in bytes for the most recently received TLS - Alert packet. - @param[out] BufferOut Pointer to the buffer to hold the built packet. - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferIn is NULL but BufferInSize is NOT 0. - BufferInSize is 0 but BufferIn is NOT NULL. - BufferOutSize is NULL. - BufferOut is NULL if *BufferOutSize is not zero. - @retval EFI_ABORTED An error occurred. - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. - -**/ -EFI_STATUS -EFIAPI -TlsHandleAlert ( - IN VOID *Tls, - IN UINT8 *BufferIn, OPTIONAL - IN UINTN BufferInSize, OPTIONAL - OUT UINT8 *BufferOut, OPTIONAL - IN OUT UINTN *BufferOutSize - ) -{ - TLS_CONNECTION *TlsConn; - UINTN PendingBufferSize; - UINT8 *TempBuffer; - INTN Ret; - - TlsConn = (TLS_CONNECTION *) Tls; - PendingBufferSize = 0; - TempBuffer = NULL; - Ret = 0; - - if (TlsConn == NULL || \ - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ - BufferOutSize == NULL || \ - (BufferIn == NULL && BufferInSize != 0) || \ - (BufferIn != NULL && BufferInSize == 0) || \ - (BufferOut == NULL && *BufferOutSize != 0)) { - return EFI_INVALID_PARAMETER; - } - - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) { - Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); - if (Ret != (INTN) BufferInSize) { - return EFI_ABORTED; - } - - TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE); - - // - // ssl3_send_alert() will be called in ssl3_read_bytes() function. - // TempBuffer is invalid since it's a Alert message, so just ignore it. - // - SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE); - - OPENSSL_free (TempBuffer); - - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - } - - if (PendingBufferSize > *BufferOutSize) { - *BufferOutSize = PendingBufferSize; - return EFI_BUFFER_TOO_SMALL; - } - - if (PendingBufferSize > 0) { - *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); - } else { - *BufferOutSize = 0; - } - - return EFI_SUCCESS; -} - -/** - Build the CloseNotify packet. - - @param[in] Tls Pointer to the TLS object for state checking. - @param[in, out] Buffer Pointer to the buffer to hold the built packet. - @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is - the buffer size provided by the caller. On output, it - is the buffer size in fact needed to contain the - packet. - - @retval EFI_SUCCESS The required TLS packet is built successfully. - @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: - Tls is NULL. - BufferSize is NULL. - Buffer is NULL if *BufferSize is not zero. - @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. - -**/ -EFI_STATUS -EFIAPI -TlsCloseNotify ( - IN VOID *Tls, - IN OUT UINT8 *Buffer, - IN OUT UINTN *BufferSize - ) -{ - TLS_CONNECTION *TlsConn; - UINTN PendingBufferSize; - - TlsConn = (TLS_CONNECTION *) Tls; - PendingBufferSize = 0; - - if (TlsConn == NULL || \ - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ - BufferSize == NULL || \ - (Buffer == NULL && *BufferSize != 0)) { - return EFI_INVALID_PARAMETER; - } - - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - if (PendingBufferSize == 0) { - // - // ssl3_send_alert() and ssl3_dispatch_alert() function will be called. - // - SSL_shutdown (TlsConn->Ssl); - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); - } - - if (PendingBufferSize > *BufferSize) { - *BufferSize = PendingBufferSize; - return EFI_BUFFER_TOO_SMALL; - } - - if (PendingBufferSize > 0) { - *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize); - } else { - *BufferSize = 0; - } - - return EFI_SUCCESS; -} - -/** - Attempts to read bytes from one TLS object and places the data in Buffer. - - This function will attempt to read BufferSize bytes from the TLS object - and places the data in Buffer. - - @param[in] Tls Pointer to the TLS object. - @param[in,out] Buffer Pointer to the buffer to store the data. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The amount of data successfully read from the TLS object. - @retval <=0 No data was successfully read. - -**/ -INTN -EFIAPI -TlsCtrlTrafficOut ( - IN VOID *Tls, - IN OUT VOID *Buffer, - IN UINTN BufferSize - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->OutBio == 0) { - return -1; - } - - // - // Read and return the amount of data from the BIO. - // - return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize); -} - -/** - Attempts to write data from the buffer to TLS object. - - This function will attempt to write BufferSize bytes data from the Buffer - to the TLS object. - - @param[in] Tls Pointer to the TLS object. - @param[in] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The amount of data successfully written to the TLS object. - @retval <=0 No data was successfully written. - -**/ -INTN -EFIAPI -TlsCtrlTrafficIn ( - IN VOID *Tls, - IN VOID *Buffer, - IN UINTN BufferSize - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->InBio == 0) { - return -1; - } - - // - // Write and return the amount of data to the BIO. - // - return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize); -} -/** - Attempts to read bytes from the specified TLS connection into the buffer. - - This function tries to read BufferSize bytes data from the specified TLS - connection into the Buffer. - - @param[in] Tls Pointer to the TLS connection for data reading. - @param[in,out] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The read operation was successful, and return value is the - number of bytes actually read from the TLS connection. - @retval <=0 The read operation was not successful. - -**/ -INTN -EFIAPI -TlsRead ( - IN VOID *Tls, - IN OUT VOID *Buffer, - IN UINTN BufferSize - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return -1; - } - - // - // Read bytes from the specified TLS connection. - // - return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize); -} - -/** - Attempts to write data to a TLS connection. - - This function tries to write BufferSize bytes data from the Buffer into the - specified TLS connection. - - @param[in] Tls Pointer to the TLS connection for data writing. - @param[in] Buffer Pointer to the data buffer. - @param[in] BufferSize The size of Buffer in bytes. - - @retval >0 The write operation was successful, and return value is the - number of bytes actually written to the TLS connection. - @retval <=0 The write operation was not successful. - -**/ -INTN -EFIAPI -TlsWrite ( - IN VOID *Tls, - IN VOID *Buffer, - IN UINTN BufferSize - ) -{ - TLS_CONNECTION *TlsConn; - - TlsConn = (TLS_CONNECTION *) Tls; - if (TlsConn == NULL || TlsConn->Ssl == NULL) { - return -1; - } - - // - // Write bytes to the specified TLS connection. - // - return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize); -} +/** @file
+ SSL/TLS Process Library Wrapper Implementation over OpenSSL.
+ The process includes the TLS handshake and packet I/O.
+
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalTlsLib.h"
+
+#define MAX_BUFFER_SIZE 32768
+
+/**
+ Checks if the TLS handshake was done.
+
+ This function will check if the specified TLS handshake was done.
+
+ @param[in] Tls Pointer to the TLS object for handshake state checking.
+
+ @retval TRUE The TLS handshake was done.
+ @retval FALSE The TLS handshake was not done.
+
+**/
+BOOLEAN
+EFIAPI
+TlsInHandshake (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Return the status which indicates if the TLS handshake was done.
+ //
+ return !SSL_is_init_finished (TlsConn->Ssl);
+}
+
+/**
+ Perform a TLS/SSL handshake.
+
+ This function will perform a TLS/SSL handshake.
+
+ @param[in] Tls Pointer to the TLS object for handshake operation.
+ @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Handshake packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+ @retval EFI_ABORTED Something wrong during handshake.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsDoHandshake (
+ IN VOID *Tls,
+ IN UINT8 *BufferIn, OPTIONAL
+ IN UINTN BufferInSize, OPTIONAL
+ OUT UINT8 *BufferOut, OPTIONAL
+ IN OUT UINTN *BufferOutSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN PendingBufferSize;
+ INTN Ret;
+ UINTN ErrorCode;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+ Ret = 1;
+
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferOutSize == NULL || \
+ (BufferIn == NULL && BufferInSize != 0) || \
+ (BufferIn != NULL && BufferInSize == 0) || \
+ (BufferOut == NULL && *BufferOutSize != 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if(BufferIn == NULL && BufferInSize == 0) {
+ //
+ // If RequestBuffer is NULL and RequestSize is 0, and TLS session
+ // status is EfiTlsSessionNotStarted, the TLS session will be initiated
+ // and the response packet needs to be ClientHello.
+ //
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ SSL_set_connect_state (TlsConn->Ssl);
+ Ret = SSL_do_handshake (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ } else {
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
+ Ret = SSL_do_handshake (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ }
+
+ if (Ret < 1) {
+ Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
+ if (Ret == SSL_ERROR_SSL ||
+ Ret == SSL_ERROR_SYSCALL ||
+ Ret == SSL_ERROR_ZERO_RETURN) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
+ __FUNCTION__,
+ SSL_get_state (TlsConn->Ssl),
+ Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"
+ ));
+ DEBUG_CODE_BEGIN ();
+ while (TRUE) {
+ ErrorCode = ERR_get_error ();
+ if (ErrorCode == 0) {
+ break;
+ }
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a ERROR 0x%x=L%x:F%x:R%x\n",
+ __FUNCTION__,
+ ErrorCode,
+ ERR_GET_LIB (ErrorCode),
+ ERR_GET_FUNC (ErrorCode),
+ ERR_GET_REASON (ErrorCode)
+ ));
+ }
+ DEBUG_CODE_END ();
+ return EFI_ABORTED;
+ }
+ }
+
+ if (PendingBufferSize > *BufferOutSize) {
+ *BufferOutSize = PendingBufferSize;
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (PendingBufferSize > 0) {
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
+ } else {
+ *BufferOutSize = 0;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
+ TLS session has errors and the response packet needs to be Alert message based on error type.
+
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in] BufferIn Pointer to the most recently received TLS Alert packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Alert packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_ABORTED An error occurred.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsHandleAlert (
+ IN VOID *Tls,
+ IN UINT8 *BufferIn, OPTIONAL
+ IN UINTN BufferInSize, OPTIONAL
+ OUT UINT8 *BufferOut, OPTIONAL
+ IN OUT UINTN *BufferOutSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN PendingBufferSize;
+ UINT8 *TempBuffer;
+ INTN Ret;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+ TempBuffer = NULL;
+ Ret = 0;
+
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferOutSize == NULL || \
+ (BufferIn == NULL && BufferInSize != 0) || \
+ (BufferIn != NULL && BufferInSize == 0) || \
+ (BufferOut == NULL && *BufferOutSize != 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
+ Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
+ if (Ret != (INTN) BufferInSize) {
+ return EFI_ABORTED;
+ }
+
+ TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
+
+ //
+ // ssl3_send_alert() will be called in ssl3_read_bytes() function.
+ // TempBuffer is invalid since it's a Alert message, so just ignore it.
+ //
+ SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
+
+ OPENSSL_free (TempBuffer);
+
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+
+ if (PendingBufferSize > *BufferOutSize) {
+ *BufferOutSize = PendingBufferSize;
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (PendingBufferSize > 0) {
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
+ } else {
+ *BufferOutSize = 0;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Build the CloseNotify packet.
+
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in, out] Buffer Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferSize is NULL.
+ Buffer is NULL if *BufferSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsCloseNotify (
+ IN VOID *Tls,
+ IN OUT UINT8 *Buffer,
+ IN OUT UINTN *BufferSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN PendingBufferSize;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferSize == NULL || \
+ (Buffer == NULL && *BufferSize != 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ //
+ // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
+ //
+ SSL_shutdown (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+
+ if (PendingBufferSize > *BufferSize) {
+ *BufferSize = PendingBufferSize;
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (PendingBufferSize > 0) {
+ *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);
+ } else {
+ *BufferSize = 0;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Attempts to read bytes from one TLS object and places the data in Buffer.
+
+ This function will attempt to read BufferSize bytes from the TLS object
+ and places the data in Buffer.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] Buffer Pointer to the buffer to store the data.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The amount of data successfully read from the TLS object.
+ @retval <=0 No data was successfully read.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficOut (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->OutBio == 0) {
+ return -1;
+ }
+
+ //
+ // Read and return the amount of data from the BIO.
+ //
+ return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
+}
+
+/**
+ Attempts to write data from the buffer to TLS object.
+
+ This function will attempt to write BufferSize bytes data from the Buffer
+ to the TLS object.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The amount of data successfully written to the TLS object.
+ @retval <=0 No data was successfully written.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficIn (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->InBio == 0) {
+ return -1;
+ }
+
+ //
+ // Write and return the amount of data to the BIO.
+ //
+ return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
+}
+/**
+ Attempts to read bytes from the specified TLS connection into the buffer.
+
+ This function tries to read BufferSize bytes data from the specified TLS
+ connection into the Buffer.
+
+ @param[in] Tls Pointer to the TLS connection for data reading.
+ @param[in,out] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The read operation was successful, and return value is the
+ number of bytes actually read from the TLS connection.
+ @retval <=0 The read operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsRead (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return -1;
+ }
+
+ //
+ // Read bytes from the specified TLS connection.
+ //
+ return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
+}
+
+/**
+ Attempts to write data to a TLS connection.
+
+ This function tries to write BufferSize bytes data from the Buffer into the
+ specified TLS connection.
+
+ @param[in] Tls Pointer to the TLS connection for data writing.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+
+ @retval >0 The write operation was successful, and return value is the
+ number of bytes actually written to the TLS connection.
+ @retval <=0 The write operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsWrite (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return -1;
+ }
+
+ //
+ // Write bytes to the specified TLS connection.
+ //
+ return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
+}
+
|