This patch is used to add new TlsLib library, which is wrapped over OpenSSL. The implementation provides TLS library functions for EFI TLS protocol.
Cc: Long Qin <qin.l...@intel.com> Cc: Ye Ting <ting...@intel.com> Cc: Fu Siyuan <siyuan...@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu <jiaxin...@intel.com> --- CryptoPkg/CryptoPkg.dec | 6 +- CryptoPkg/CryptoPkg.dsc | 1 + CryptoPkg/Include/Library/TlsLib.h | 802 ++++++++++++++++ CryptoPkg/Library/TlsLib/TlsLib.c | 1772 +++++++++++++++++++++++++++++++++++ CryptoPkg/Library/TlsLib/TlsLib.inf | 46 + CryptoPkg/Library/TlsLib/TlsLib.uni | 19 + 6 files changed, 2645 insertions(+), 1 deletion(-) create mode 100644 CryptoPkg/Include/Library/TlsLib.h create mode 100644 CryptoPkg/Library/TlsLib/TlsLib.c create mode 100644 CryptoPkg/Library/TlsLib/TlsLib.inf create mode 100644 CryptoPkg/Library/TlsLib/TlsLib.uni diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index 4561f3f..dc8c698 100644 --- a/CryptoPkg/CryptoPkg.dec +++ b/CryptoPkg/CryptoPkg.dec @@ -2,11 +2,11 @@ # Package for cryptography modules. # # This Package provides cryptographic-related libraries for UEFI security modules. # It also provides a test application to test libraries. # -# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at # http://opensource.org/licenses/bsd-license.php # @@ -28,10 +28,14 @@ [LibraryClasses] ## @libraryclass Provides basic library functions for cryptographic primitives. ## BaseCryptLib|Include/Library/BaseCryptLib.h + ## @libraryclass Provides TLS library functions for EFI TLS protocol. + ## + TlsLib|Include/Library/TlsLib.h + [Protocols] ## Include/Protocol/RuntimeCrypt.h gEfiRuntimeCryptProtocolGuid = { 0xe1475e0c, 0x1746, 0x4802, {0x86, 0x2e, 0x1, 0x1c, 0x2c, 0x2d, 0x9d, 0x86 }} [UserExtensions.TianoCore."ExtraFiles"] diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index bb7f082..c81d349 100644 --- a/CryptoPkg/CryptoPkg.dsc +++ b/CryptoPkg/CryptoPkg.dsc @@ -122,10 +122,11 @@ ################################################################################################### [Components] CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + CryptoPkg/Library/TlsLib/TlsLib.inf CryptoPkg/Application/Cryptest/Cryptest.inf CryptoPkg/CryptRuntimeDxe/CryptRuntimeDxe.inf diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h new file mode 100644 index 0000000..d62375b --- /dev/null +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -0,0 +1,802 @@ +/** @file + Defines TLS Library APIs. + +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __TLS_LIB_H__ +#define __TLS_LIB_H__ + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + +**/ +VOID +EFIAPI +TlsInitialize ( + VOID + ); + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ); + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ); + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ); + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ); + +/** + Checks if any error state of an TLS object. + + This function will check if any error state of an TLS object. + + @param[in] Tls Pointer to the TLS object for state checking. + + @retval TRUE The TLS object is in error state. + @retval FALSE The TLS object is not in any error state. + +**/ +BOOLEAN +EFIAPI +TlsInStateError ( + IN VOID *Tls + ); + +/** + Hande Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occured. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandeAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ); + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ); + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Pointer to a string that contains one or more + ciphers sperated by a colon. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ); + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] ComMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ); + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ); + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ); + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ); + +/** + Gets the connection end of the specifed TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ); + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ); + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ); + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ); + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ); + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ); + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ); + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key meterial was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ); + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the CA-supplied certificate revocation list for certificate validition. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + IN VOID *Data, + IN UINTN *DataSize + ); + +#endif // __TLS_LIB_H__ diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c b/CryptoPkg/Library/TlsLib/TlsLib.c new file mode 100644 index 0000000..7c72b48 --- /dev/null +++ b/CryptoPkg/Library/TlsLib/TlsLib.c @@ -0,0 +1,1772 @@ +/** @file + SSL/TLS Library Wrapper Implementation over OpenSSL. + +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include <Library/BaseCryptLib.h> + +#include <openssl/ssl.h> +#include <openssl/bio.h> + +#define MAX_BUFFER_SIZE 16384 + +typedef struct { + // + // Main SSL Connection which is created by a server or a client + // per established connection. + // + SSL *Ssl; + // + // Memory BIO for the TLS/SSL Reading operations. + // + BIO *InBio; + // + // Memory BIO for the TLS/SSL Writing operations. + // + BIO *OutBio; +} TLS_CONNECTION; + +typedef struct { + // + // IANA/IETF defined Cipher Suite ID + // + UINT16 IanaCipher; + // + // OpenSSL-used Cipher Suite String + // + CONST CHAR8 *OpensslCipher; +} TLS_CIPHER_PAIR; + +// +// The mapping table between IANA/IETF Cipher Suite definitions and +// OpenSSL-used Cipher Suite name. +// +STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = { + { 0x0000, "NULL" }, /// TLS_NULL_WITH_NULL_NULL + { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5 + { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA + { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5 + { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA + { 0x0009, "DES-CBC-SHA" }, /// TLS_RSA_WITH_DES_CBC_SHA + { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA + { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA + { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA + { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256 + { 0x003D, "AES256-SHA256" } /// TLS_RSA_WITH_AES_256_CBC_SHA256 +}; + +/** + Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite. + + @param[in] CipherId The supplied IANA TLS cipher suite ID. + + @return The corresponding OpenSSL cipher suite string if found, + NULL otherwise. + +**/ +STATIC +CONST CHAR8 * +TlsGetCipherString ( + IN UINT16 CipherId + ) +{ + CONST TLS_CIPHER_PAIR *CipherEntry; + UINTN TableSize; + UINTN Index; + + CipherEntry = TlsCipherMappingTable; + TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR); + + // + // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation + // + for (Index = 0; Index < TableSize; Index++, CipherEntry++) { + // + // Translate IANA cipher suite name to OpenSSL name. + // + if (CipherEntry->IanaCipher == CipherId) { + return CipherEntry->OpensslCipher; + } + } + + // + // No Cipher Mapping found, return NULL. + // + return NULL; +} + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + +**/ +VOID +EFIAPI +TlsInitialize ( + VOID + ) +{ + // + // Performs initialization of crypto and ssl library, and loads required + // algorithms. + // + SSL_library_init (); + + // + // Loads error strings from both crypto and ssl library. + // + SSL_load_error_strings (); + + /// OpenSSL_add_all_algorithms(); + + // + // Initialize the pseudorandom number generator. + // + RandomSeed (NULL, 0); +} + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ) +{ + if (TlsCtx == NULL) { + return; + } + + if (TlsCtx != NULL) { + SSL_CTX_free ((SSL_CTX *) (TlsCtx)); + } +} + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + SSL_CTX *TlsCtx; + UINT16 ProtoVersion; + + ProtoVersion = (MajorVer << 8) | MinorVer; + + TlsCtx = NULL; + + switch (ProtoVersion) { + case TLS1_VERSION: + // + // TLS 1.0 + // + TlsCtx = SSL_CTX_new (TLSv1_method ()); + break; + case TLS1_1_VERSION: + // + // TLS 1.1 + // + TlsCtx = SSL_CTX_new (TLSv1_1_method ()); + break; + case TLS1_2_VERSION: + // + // TLS 1.2 + // + TlsCtx = SSL_CTX_new (TLSv1_2_method ()); + break; + default: + // + // Unsupported TLS/SSL Protocol Version. + // + break; + } + + return (VOID *) TlsCtx; +} + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL) { + return; + } + + // + // Free the internal TLS and BIO objects. + // + if (TlsConn->Ssl != NULL) { + SSL_free (TlsConn->Ssl); + } + + if (TlsConn->InBio != NULL) { + BIO_free (TlsConn->InBio); + } + + if (TlsConn->OutBio != NULL) { + BIO_free (TlsConn->OutBio); + } + + OPENSSL_free (Tls); +} + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = NULL; + + // + // Allocate one new TLS_CONNECTION object + // + TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION)); + if (TlsConn == NULL) { + return NULL; + } + + TlsConn->Ssl = NULL; + + // + // Create a new SSL Object + // + TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx); + if (TlsConn->Ssl == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // Initialize the created SSL Object + // + SSL_set_info_callback (TlsConn->Ssl, NULL); + + TlsConn->InBio = NULL; + + // + // Set up Reading BIO for TLS connection + // + TlsConn->InBio = BIO_new (BIO_s_mem ()); + if (TlsConn->InBio == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // Sets the behaviour of memory BIO when it is empty. It will set the + // read retry flag. + // + BIO_set_mem_eof_return (TlsConn->InBio, -1); + + TlsConn->OutBio = NULL; + + // + // Set up Writing BIO for TLS connection + // + TlsConn->OutBio = BIO_new (BIO_s_mem ()); + if (TlsConn->OutBio == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // Sets the behaviour of memory BIO when it is empty. It will set the + // write retry flag. + // + BIO_set_mem_eof_return (TlsConn->OutBio, -1); + + ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL); + + // + // Connects the InBio and OutBio for the read and write operations. + // + SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio); + + return (VOID *) TlsConn; +} + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return FALSE; + } + + // + // Return the status which indicates if the TLS handshake was done. + // + return !SSL_is_init_finished (TlsConn->Ssl); +} + +/** + Checks if any error state of an TLS object. + + This function will check if any error state of an TLS object. + + @param[in] Tls Pointer to the TLS object for state checking. + + @retval TRUE The TLS object is in error state. + @retval FALSE The TLS object is not in any error state. + +**/ +BOOLEAN +EFIAPI +TlsInStateError ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return FALSE; + } + + // + // Return if the TLS object is in any error state. + // + + return (SSL_get_state (TlsConn->Ssl) == SSL_ST_ERR); +} + +/** + Hande Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occured. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandeAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + UINT8 *TempBuffer; + INTN Ret; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + TempBuffer = NULL; + Ret = 0; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferOutSize == NULL || \ + (BufferIn == NULL && BufferInSize != 0) || \ + (BufferIn != NULL && BufferInSize == 0) || \ + (BufferOut == NULL && *BufferOutSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) { + Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); + if (Ret != (INTN) BufferInSize) { + return EFI_ABORTED; + } + + TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE); + + // + // ssl3_send_alert() will be called in ssl3_read_bytes() function. + // TempBuffer[] is invalid since it's a Alert message, so just ignore it. + // + SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE); + + OPENSSL_free (TempBuffer); + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + + if (PendingBufferSize > *BufferOutSize) { + *BufferOutSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); + } else { + *BufferOutSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferSize == NULL || \ + (Buffer == NULL && *BufferSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + // + // ssl3_send_alert() and ssl3_dispatch_alert() function will be called. + // + SSL_shutdown (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + + if (PendingBufferSize > *BufferSize) { + *BufferSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize); + } else { + *BufferSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferOutSize == NULL || \ + (BufferIn == NULL && BufferInSize != 0) || \ + (BufferIn != NULL && BufferInSize == 0) || \ + (BufferOut == NULL && *BufferOutSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + if(BufferIn == NULL && BufferInSize == 0) { + // + // If RequestBuffer is NULL and RequestSize is 0, and TLS session + // status is EfiTlsSessionNotStarted, the TLS session will be initiated + // and the response packet needs to be ClientHello. + // + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + SSL_set_connect_state (TlsConn->Ssl); + SSL_do_handshake (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + } else { + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); + SSL_do_handshake (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + } + + if (PendingBufferSize > *BufferOutSize) { + *BufferOutSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); + } else { + *BufferOutSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->OutBio == 0) { + return -1; + } + + // + // Read and return the amount of data from the BIO. + // + return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize); +} + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->InBio == 0) { + return -1; + } + + // + // Write and return the amount of data to the BIO. + // + return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize); +} +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return -1; + } + + // + // Read bytes from the specified TLS connection. + // + return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize); +} + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return -1; + } + + // + // Write bytes to the specified TLS connection. + // + return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize); +} + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + TLS_CONNECTION *TlsConn; + UINT16 ProtoVersion; + + TlsConn = (TLS_CONNECTION *)Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return EFI_INVALID_PARAMETER; + } + + ProtoVersion = (MajorVer << 8) | MinorVer; + + switch (ProtoVersion) { + case TLS1_VERSION: + // + // TLS 1.0 + // + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ()); + break; + case TLS1_1_VERSION: + // + // TLS 1.1 + // + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ()); + break; + case TLS1_2_VERSION: + // + // TLS 1.2 + // + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ()); + break; + default: + // + // Unsupported Protocol Version + // + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS;; +} + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return EFI_INVALID_PARAMETER; + } + + if (!IsServer) { + // + // Set TLS to work in Client mode. + // + SSL_set_connect_state (TlsConn->Ssl); + } else { + // + // Set TLS to work in Server mode. + // It is unsupported for UEFI version currently. + // + //SSL_set_accept_state (TlsConn->Ssl); + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Pointer to a UINT16 cipher Id. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ) +{ + TLS_CONNECTION *TlsConn; + UINTN Index; + CONST CHAR8 *MappingName; + CHAR8 CipherString[500]; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { + return EFI_INVALID_PARAMETER; + } + + MappingName = NULL; + + memset (CipherString, 0, sizeof (CipherString)); + + for (Index = 0; Index < CipherNum; Index++) { + // + // Handling OpenSSL / RFC Cipher name mapping. + // + MappingName = TlsGetCipherString (*(CipherId + Index)); + if (MappingName == NULL) { + return EFI_UNSUPPORTED; + } + + if (Index != 0) { + // + // The ciphers were sperated by a colon. + // + AsciiStrCatS (CipherString, sizeof (CipherString), ":"); + } + + AsciiStrCatS (CipherString, sizeof (CipherString), MappingName); + } + + AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH"); + + // + // Sets the ciphers for use by the Tls object. + // + if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) { + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] ComMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ) +{ + COMP_METHOD *Cm; + INTN Ret; + + Cm = NULL; + Ret = 0; + + if (CompMethod == 0) { + Cm = NULL; + } else if (CompMethod == 1) { + Cm = COMP_zlib(); + } else { + return EFI_UNSUPPORTED; + } + + // + // Adds the compression method to the list of available + // compression methods. + // + Ret = SSL_COMP_add_compression_method (CompMethod, Cm); + if (Ret != 1) { + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return; + } + + // + // Set peer certificate verification parameters with NULL callback. + // + SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL); +} + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + Session->session_id_length = SessionIdLen; + CopyMem (Session->session_id, SessionId, Session->session_id_length); + + return EFI_SUCCESS; +} + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return (UINT16) (TlsConn->Ssl->version); +} + +/** + Gets the connection end of the specifed TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return (UINT8)(TlsConn->Ssl->server); +} + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ) +{ + TLS_CONNECTION *TlsConn; + CONST SSL_CIPHER *Cipher; + + TlsConn = (TLS_CONNECTION *) Tls; + Cipher = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { + return EFI_INVALID_PARAMETER; + } + + Cipher = SSL_get_current_cipher (TlsConn->Ssl); + if (Cipher == NULL) { + return EFI_UNSUPPORTED; + } + + *CipherId = Cipher->id & 0xFFFF; + + return EFI_SUCCESS; +} + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ) +{ + TLS_CONNECTION *TlsConn; + STACK_OF(SSL_COMP) *StackSslComp; + SSL_COMP *SslComp; + const COMP_METHOD *CompMethod; + UINTN Index; + + TlsConn = (TLS_CONNECTION *) Tls; + StackSslComp = NULL; + SslComp = NULL; + CompMethod = NULL; + Index = 0; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || CompressionId == NULL) { + return EFI_INVALID_PARAMETER; + } + + StackSslComp = SSL_COMP_get_compression_methods (); + if (StackSslComp == NULL) { + return EFI_UNSUPPORTED; + } + + CompMethod = SSL_get_current_compression (TlsConn->Ssl); + if (CompMethod == NULL) { + return EFI_UNSUPPORTED; + } + + for (Index = 0; Index < (UINTN) sk_SSL_COMP_num (StackSslComp); Index++) { + SslComp = sk_SSL_COMP_value (StackSslComp, (int) Index); + if (AsciiStrCmp (SSL_COMP_get_name (CompMethod), SslComp->name) == 0) { + break; + } + + SslComp = NULL; + } + + if (SslComp == NULL) { + return EFI_UNSUPPORTED; + } + + *CompressionId = (UINT8) (SslComp->id); + + return EFI_SUCCESS; +} + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return SSL_get_verify_mode (TlsConn->Ssl); +} + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + *SessionIdLen = (UINT16) Session->session_id_length ; + CopyMem (SessionId, Session->session_id, *SessionIdLen); + + return EFI_SUCCESS; +} + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) { + return; + } + + CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE); +} + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) { + return; + } + + CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE); +} + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key meterial was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + CopyMem (KeyMaterial, Session->master_key, Session->master_key_length); + + return EFI_SUCCESS; +} + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + BIO *BioCert; + X509 *Cert; + X509_STORE *X509Store; + EFI_STATUS Status; + TLS_CONNECTION *TlsConn; + INTN Ret; + + BioCert = NULL; + Cert = NULL; + X509Store = NULL; + Status = EFI_SUCCESS; + TlsConn = (TLS_CONNECTION *) Tls; + Ret = 0; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { + return EFI_INVALID_PARAMETER; + } + + // + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. + // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. + // + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); + if (Cert == NULL) { + // + // Certificate is from PEM encoding. + // + BioCert = BIO_new (BIO_s_mem ()); + if (BioCert == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); + if (Cert == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + } + + X509Store = SSL_CTX_get_cert_store(TlsConn->Ssl->ctx); + if (X509Store == NULL) { + X509Store = X509_STORE_new(); + if (X509Store == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + SSL_CTX_set_cert_store(TlsConn->Ssl->ctx, X509Store); + } + + Ret = X509_STORE_add_cert (X509Store, Cert); + if (Ret != 1) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + X509_STORE_set_flags ( + X509Store, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME + ); + +ON_EXIT: + if (BioCert != NULL) { + BIO_free (BioCert); + } + + if (Cert != NULL) { + X509_free (Cert); + } + + return Status; +} + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + BIO *BioCert; + X509 *Cert; + EFI_STATUS Status; + TLS_CONNECTION *TlsConn; + + BioCert = NULL; + Cert = NULL; + Status = EFI_SUCCESS; + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { + return EFI_INVALID_PARAMETER; + } + + // + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. + // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. + // + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); + if (Cert == NULL) { + // + // Certificate is from PEM encoding. + // + BioCert = BIO_new (BIO_s_mem ()); + if (BioCert == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); + if (Cert == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + } + + if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + +ON_EXIT: + if (BioCert != NULL) { + BIO_free (BioCert); + } + + if (Cert != NULL) { + X509_free (Cert); + } + + return Status; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Adds the CA-supplied certificate revocation list for certificate validition. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + X509 *Cert; + EFI_STATUS Status; + TLS_CONNECTION *TlsConn; + + Cert = NULL; + Status = EFI_SUCCESS; + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) { + return EFI_INVALID_PARAMETER; + } + + Cert = SSL_get_certificate(TlsConn->Ssl); + if (Cert == NULL) { + Status = EFI_NOT_FOUND; + } + + // + // Only DER encoding is supported currently. + // + if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) { + *DataSize = (UINTN) i2d_X509 (Cert, NULL); + return EFI_BUFFER_TOO_SMALL; + } + + i2d_X509 (Cert, Data); + + return Status; +} + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + IN VOID *Data, + IN UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib/TlsLib.inf new file mode 100644 index 0000000..6194e95 --- /dev/null +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -0,0 +1,46 @@ +## @file +# SSL/TLS Wrapper Library Instance based on OpenSSL. +# +# Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> +# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BSD License +# which accompanies this distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TlsLib + MODULE_UNI_FILE = TlsLib.uni + FILE_GUID = be3bb803-91b6-4da0-bd91-a8b21c18ca5d + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64 +# + +[Sources] + TlsLib.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiRuntimeServicesTableLib + DebugLib + OpensslLib + IntrinsicLib + PrintLib + OpensslTlsLib \ No newline at end of file diff --git a/CryptoPkg/Library/TlsLib/TlsLib.uni b/CryptoPkg/Library/TlsLib/TlsLib.uni new file mode 100644 index 0000000..77a65da --- /dev/null +++ b/CryptoPkg/Library/TlsLib/TlsLib.uni @@ -0,0 +1,19 @@ +// /** @file +// SSL/TLS Wrapper Library Instance based on OpenSSL. +// +// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> +// +// This program and the accompanying materials +// are licensed and made available under the terms and conditions of the BSD License +// which accompanies this distribution. The full text of the license may be found at +// http://opensource.org/licenses/bsd-license.php +// +// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance" + +#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance." \ No newline at end of file -- 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
