]>
Commit | Line | Data |
---|---|---|
264702a0 HW |
1 | /** @file\r |
2 | SSL/TLS Process Library Wrapper Implementation over OpenSSL.\r | |
3 | The process includes the TLS handshake and packet I/O.\r | |
4 | \r | |
5 | Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r | |
6 | (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r | |
2009f6b4 | 7 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
264702a0 HW |
8 | \r |
9 | **/\r | |
10 | \r | |
11 | #include "InternalTlsLib.h"\r | |
12 | \r | |
13 | #define MAX_BUFFER_SIZE 32768\r | |
14 | \r | |
15 | /**\r | |
16 | Checks if the TLS handshake was done.\r | |
17 | \r | |
18 | This function will check if the specified TLS handshake was done.\r | |
19 | \r | |
20 | @param[in] Tls Pointer to the TLS object for handshake state checking.\r | |
21 | \r | |
22 | @retval TRUE The TLS handshake was done.\r | |
23 | @retval FALSE The TLS handshake was not done.\r | |
24 | \r | |
25 | **/\r | |
26 | BOOLEAN\r | |
27 | EFIAPI\r | |
28 | TlsInHandshake (\r | |
29 | IN VOID *Tls\r | |
30 | )\r | |
31 | {\r | |
32 | TLS_CONNECTION *TlsConn;\r | |
33 | \r | |
34 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
35 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r | |
36 | return FALSE;\r | |
37 | }\r | |
38 | \r | |
39 | //\r | |
40 | // Return the status which indicates if the TLS handshake was done.\r | |
41 | //\r | |
42 | return !SSL_is_init_finished (TlsConn->Ssl);\r | |
43 | }\r | |
44 | \r | |
45 | /**\r | |
46 | Perform a TLS/SSL handshake.\r | |
47 | \r | |
48 | This function will perform a TLS/SSL handshake.\r | |
49 | \r | |
50 | @param[in] Tls Pointer to the TLS object for handshake operation.\r | |
51 | @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.\r | |
52 | @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r | |
53 | Handshake packet.\r | |
54 | @param[out] BufferOut Pointer to the buffer to hold the built packet.\r | |
55 | @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r | |
56 | the buffer size provided by the caller. On output, it\r | |
57 | is the buffer size in fact needed to contain the\r | |
58 | packet.\r | |
59 | \r | |
60 | @retval EFI_SUCCESS The required TLS packet is built successfully.\r | |
61 | @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r | |
62 | Tls is NULL.\r | |
63 | BufferIn is NULL but BufferInSize is NOT 0.\r | |
64 | BufferInSize is 0 but BufferIn is NOT NULL.\r | |
65 | BufferOutSize is NULL.\r | |
66 | BufferOut is NULL if *BufferOutSize is not zero.\r | |
67 | @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r | |
68 | @retval EFI_ABORTED Something wrong during handshake.\r | |
69 | \r | |
70 | **/\r | |
71 | EFI_STATUS\r | |
72 | EFIAPI\r | |
73 | TlsDoHandshake (\r | |
74 | IN VOID *Tls,\r | |
75 | IN UINT8 *BufferIn, OPTIONAL\r | |
76 | IN UINTN BufferInSize, OPTIONAL\r | |
77 | OUT UINT8 *BufferOut, OPTIONAL\r | |
78 | IN OUT UINTN *BufferOutSize\r | |
79 | )\r | |
80 | {\r | |
81 | TLS_CONNECTION *TlsConn;\r | |
82 | UINTN PendingBufferSize;\r | |
83 | INTN Ret;\r | |
84 | UINTN ErrorCode;\r | |
85 | \r | |
86 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
87 | PendingBufferSize = 0;\r | |
88 | Ret = 1;\r | |
89 | \r | |
90 | if (TlsConn == NULL || \\r | |
91 | TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r | |
92 | BufferOutSize == NULL || \\r | |
93 | (BufferIn == NULL && BufferInSize != 0) || \\r | |
94 | (BufferIn != NULL && BufferInSize == 0) || \\r | |
95 | (BufferOut == NULL && *BufferOutSize != 0)) {\r | |
96 | return EFI_INVALID_PARAMETER;\r | |
97 | }\r | |
98 | \r | |
99 | if(BufferIn == NULL && BufferInSize == 0) {\r | |
100 | //\r | |
101 | // If RequestBuffer is NULL and RequestSize is 0, and TLS session\r | |
102 | // status is EfiTlsSessionNotStarted, the TLS session will be initiated\r | |
103 | // and the response packet needs to be ClientHello.\r | |
104 | //\r | |
105 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
106 | if (PendingBufferSize == 0) {\r | |
107 | SSL_set_connect_state (TlsConn->Ssl);\r | |
108 | Ret = SSL_do_handshake (TlsConn->Ssl);\r | |
109 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
110 | }\r | |
111 | } else {\r | |
112 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
113 | if (PendingBufferSize == 0) {\r | |
114 | BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);\r | |
115 | Ret = SSL_do_handshake (TlsConn->Ssl);\r | |
116 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
117 | }\r | |
118 | }\r | |
119 | \r | |
120 | if (Ret < 1) {\r | |
121 | Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);\r | |
122 | if (Ret == SSL_ERROR_SSL ||\r | |
123 | Ret == SSL_ERROR_SYSCALL ||\r | |
124 | Ret == SSL_ERROR_ZERO_RETURN) {\r | |
125 | DEBUG ((\r | |
126 | DEBUG_ERROR,\r | |
127 | "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",\r | |
128 | __FUNCTION__,\r | |
129 | SSL_get_state (TlsConn->Ssl),\r | |
130 | Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"\r | |
131 | ));\r | |
132 | DEBUG_CODE_BEGIN ();\r | |
133 | while (TRUE) {\r | |
134 | ErrorCode = ERR_get_error ();\r | |
135 | if (ErrorCode == 0) {\r | |
136 | break;\r | |
137 | }\r | |
138 | DEBUG ((\r | |
139 | DEBUG_ERROR,\r | |
140 | "%a ERROR 0x%x=L%x:F%x:R%x\n",\r | |
141 | __FUNCTION__,\r | |
142 | ErrorCode,\r | |
143 | ERR_GET_LIB (ErrorCode),\r | |
144 | ERR_GET_FUNC (ErrorCode),\r | |
145 | ERR_GET_REASON (ErrorCode)\r | |
146 | ));\r | |
147 | }\r | |
148 | DEBUG_CODE_END ();\r | |
149 | return EFI_ABORTED;\r | |
150 | }\r | |
151 | }\r | |
152 | \r | |
153 | if (PendingBufferSize > *BufferOutSize) {\r | |
154 | *BufferOutSize = PendingBufferSize;\r | |
155 | return EFI_BUFFER_TOO_SMALL;\r | |
156 | }\r | |
157 | \r | |
158 | if (PendingBufferSize > 0) {\r | |
159 | *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);\r | |
160 | } else {\r | |
161 | *BufferOutSize = 0;\r | |
162 | }\r | |
163 | \r | |
164 | return EFI_SUCCESS;\r | |
165 | }\r | |
166 | \r | |
167 | /**\r | |
168 | Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,\r | |
169 | TLS session has errors and the response packet needs to be Alert message based on error type.\r | |
170 | \r | |
171 | @param[in] Tls Pointer to the TLS object for state checking.\r | |
172 | @param[in] BufferIn Pointer to the most recently received TLS Alert packet.\r | |
173 | @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r | |
174 | Alert packet.\r | |
175 | @param[out] BufferOut Pointer to the buffer to hold the built packet.\r | |
176 | @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r | |
177 | the buffer size provided by the caller. On output, it\r | |
178 | is the buffer size in fact needed to contain the\r | |
179 | packet.\r | |
180 | \r | |
181 | @retval EFI_SUCCESS The required TLS packet is built successfully.\r | |
182 | @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r | |
183 | Tls is NULL.\r | |
184 | BufferIn is NULL but BufferInSize is NOT 0.\r | |
185 | BufferInSize is 0 but BufferIn is NOT NULL.\r | |
186 | BufferOutSize is NULL.\r | |
187 | BufferOut is NULL if *BufferOutSize is not zero.\r | |
188 | @retval EFI_ABORTED An error occurred.\r | |
189 | @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r | |
190 | \r | |
191 | **/\r | |
192 | EFI_STATUS\r | |
193 | EFIAPI\r | |
194 | TlsHandleAlert (\r | |
195 | IN VOID *Tls,\r | |
196 | IN UINT8 *BufferIn, OPTIONAL\r | |
197 | IN UINTN BufferInSize, OPTIONAL\r | |
198 | OUT UINT8 *BufferOut, OPTIONAL\r | |
199 | IN OUT UINTN *BufferOutSize\r | |
200 | )\r | |
201 | {\r | |
202 | TLS_CONNECTION *TlsConn;\r | |
203 | UINTN PendingBufferSize;\r | |
204 | UINT8 *TempBuffer;\r | |
205 | INTN Ret;\r | |
206 | \r | |
207 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
208 | PendingBufferSize = 0;\r | |
209 | TempBuffer = NULL;\r | |
210 | Ret = 0;\r | |
211 | \r | |
212 | if (TlsConn == NULL || \\r | |
213 | TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r | |
214 | BufferOutSize == NULL || \\r | |
215 | (BufferIn == NULL && BufferInSize != 0) || \\r | |
216 | (BufferIn != NULL && BufferInSize == 0) || \\r | |
217 | (BufferOut == NULL && *BufferOutSize != 0)) {\r | |
218 | return EFI_INVALID_PARAMETER;\r | |
219 | }\r | |
220 | \r | |
221 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
222 | if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {\r | |
223 | Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);\r | |
224 | if (Ret != (INTN) BufferInSize) {\r | |
225 | return EFI_ABORTED;\r | |
226 | }\r | |
227 | \r | |
228 | TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);\r | |
229 | \r | |
230 | //\r | |
231 | // ssl3_send_alert() will be called in ssl3_read_bytes() function.\r | |
232 | // TempBuffer is invalid since it's a Alert message, so just ignore it.\r | |
233 | //\r | |
234 | SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);\r | |
235 | \r | |
236 | OPENSSL_free (TempBuffer);\r | |
237 | \r | |
238 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
239 | }\r | |
240 | \r | |
241 | if (PendingBufferSize > *BufferOutSize) {\r | |
242 | *BufferOutSize = PendingBufferSize;\r | |
243 | return EFI_BUFFER_TOO_SMALL;\r | |
244 | }\r | |
245 | \r | |
246 | if (PendingBufferSize > 0) {\r | |
247 | *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);\r | |
248 | } else {\r | |
249 | *BufferOutSize = 0;\r | |
250 | }\r | |
251 | \r | |
252 | return EFI_SUCCESS;\r | |
253 | }\r | |
254 | \r | |
255 | /**\r | |
256 | Build the CloseNotify packet.\r | |
257 | \r | |
258 | @param[in] Tls Pointer to the TLS object for state checking.\r | |
259 | @param[in, out] Buffer Pointer to the buffer to hold the built packet.\r | |
260 | @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is\r | |
261 | the buffer size provided by the caller. On output, it\r | |
262 | is the buffer size in fact needed to contain the\r | |
263 | packet.\r | |
264 | \r | |
265 | @retval EFI_SUCCESS The required TLS packet is built successfully.\r | |
266 | @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r | |
267 | Tls is NULL.\r | |
268 | BufferSize is NULL.\r | |
269 | Buffer is NULL if *BufferSize is not zero.\r | |
270 | @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.\r | |
271 | \r | |
272 | **/\r | |
273 | EFI_STATUS\r | |
274 | EFIAPI\r | |
275 | TlsCloseNotify (\r | |
276 | IN VOID *Tls,\r | |
277 | IN OUT UINT8 *Buffer,\r | |
278 | IN OUT UINTN *BufferSize\r | |
279 | )\r | |
280 | {\r | |
281 | TLS_CONNECTION *TlsConn;\r | |
282 | UINTN PendingBufferSize;\r | |
283 | \r | |
284 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
285 | PendingBufferSize = 0;\r | |
286 | \r | |
287 | if (TlsConn == NULL || \\r | |
288 | TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r | |
289 | BufferSize == NULL || \\r | |
290 | (Buffer == NULL && *BufferSize != 0)) {\r | |
291 | return EFI_INVALID_PARAMETER;\r | |
292 | }\r | |
293 | \r | |
294 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
295 | if (PendingBufferSize == 0) {\r | |
296 | //\r | |
297 | // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.\r | |
298 | //\r | |
299 | SSL_shutdown (TlsConn->Ssl);\r | |
300 | PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r | |
301 | }\r | |
302 | \r | |
303 | if (PendingBufferSize > *BufferSize) {\r | |
304 | *BufferSize = PendingBufferSize;\r | |
305 | return EFI_BUFFER_TOO_SMALL;\r | |
306 | }\r | |
307 | \r | |
308 | if (PendingBufferSize > 0) {\r | |
309 | *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);\r | |
310 | } else {\r | |
311 | *BufferSize = 0;\r | |
312 | }\r | |
313 | \r | |
314 | return EFI_SUCCESS;\r | |
315 | }\r | |
316 | \r | |
317 | /**\r | |
318 | Attempts to read bytes from one TLS object and places the data in Buffer.\r | |
319 | \r | |
320 | This function will attempt to read BufferSize bytes from the TLS object\r | |
321 | and places the data in Buffer.\r | |
322 | \r | |
323 | @param[in] Tls Pointer to the TLS object.\r | |
324 | @param[in,out] Buffer Pointer to the buffer to store the data.\r | |
325 | @param[in] BufferSize The size of Buffer in bytes.\r | |
326 | \r | |
327 | @retval >0 The amount of data successfully read from the TLS object.\r | |
328 | @retval <=0 No data was successfully read.\r | |
329 | \r | |
330 | **/\r | |
331 | INTN\r | |
332 | EFIAPI\r | |
333 | TlsCtrlTrafficOut (\r | |
334 | IN VOID *Tls,\r | |
335 | IN OUT VOID *Buffer,\r | |
336 | IN UINTN BufferSize\r | |
337 | )\r | |
338 | {\r | |
339 | TLS_CONNECTION *TlsConn;\r | |
340 | \r | |
341 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
342 | if (TlsConn == NULL || TlsConn->OutBio == 0) {\r | |
343 | return -1;\r | |
344 | }\r | |
345 | \r | |
346 | //\r | |
347 | // Read and return the amount of data from the BIO.\r | |
348 | //\r | |
349 | return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);\r | |
350 | }\r | |
351 | \r | |
352 | /**\r | |
353 | Attempts to write data from the buffer to TLS object.\r | |
354 | \r | |
355 | This function will attempt to write BufferSize bytes data from the Buffer\r | |
356 | to the TLS object.\r | |
357 | \r | |
358 | @param[in] Tls Pointer to the TLS object.\r | |
359 | @param[in] Buffer Pointer to the data buffer.\r | |
360 | @param[in] BufferSize The size of Buffer in bytes.\r | |
361 | \r | |
362 | @retval >0 The amount of data successfully written to the TLS object.\r | |
363 | @retval <=0 No data was successfully written.\r | |
364 | \r | |
365 | **/\r | |
366 | INTN\r | |
367 | EFIAPI\r | |
368 | TlsCtrlTrafficIn (\r | |
369 | IN VOID *Tls,\r | |
370 | IN VOID *Buffer,\r | |
371 | IN UINTN BufferSize\r | |
372 | )\r | |
373 | {\r | |
374 | TLS_CONNECTION *TlsConn;\r | |
375 | \r | |
376 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
377 | if (TlsConn == NULL || TlsConn->InBio == 0) {\r | |
378 | return -1;\r | |
379 | }\r | |
380 | \r | |
381 | //\r | |
382 | // Write and return the amount of data to the BIO.\r | |
383 | //\r | |
384 | return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);\r | |
385 | }\r | |
386 | /**\r | |
387 | Attempts to read bytes from the specified TLS connection into the buffer.\r | |
388 | \r | |
389 | This function tries to read BufferSize bytes data from the specified TLS\r | |
390 | connection into the Buffer.\r | |
391 | \r | |
392 | @param[in] Tls Pointer to the TLS connection for data reading.\r | |
393 | @param[in,out] Buffer Pointer to the data buffer.\r | |
394 | @param[in] BufferSize The size of Buffer in bytes.\r | |
395 | \r | |
396 | @retval >0 The read operation was successful, and return value is the\r | |
397 | number of bytes actually read from the TLS connection.\r | |
398 | @retval <=0 The read operation was not successful.\r | |
399 | \r | |
400 | **/\r | |
401 | INTN\r | |
402 | EFIAPI\r | |
403 | TlsRead (\r | |
404 | IN VOID *Tls,\r | |
405 | IN OUT VOID *Buffer,\r | |
406 | IN UINTN BufferSize\r | |
407 | )\r | |
408 | {\r | |
409 | TLS_CONNECTION *TlsConn;\r | |
410 | \r | |
411 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
412 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r | |
413 | return -1;\r | |
414 | }\r | |
415 | \r | |
416 | //\r | |
417 | // Read bytes from the specified TLS connection.\r | |
418 | //\r | |
419 | return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);\r | |
420 | }\r | |
421 | \r | |
422 | /**\r | |
423 | Attempts to write data to a TLS connection.\r | |
424 | \r | |
425 | This function tries to write BufferSize bytes data from the Buffer into the\r | |
426 | specified TLS connection.\r | |
427 | \r | |
428 | @param[in] Tls Pointer to the TLS connection for data writing.\r | |
429 | @param[in] Buffer Pointer to the data buffer.\r | |
430 | @param[in] BufferSize The size of Buffer in bytes.\r | |
431 | \r | |
432 | @retval >0 The write operation was successful, and return value is the\r | |
433 | number of bytes actually written to the TLS connection.\r | |
434 | @retval <=0 The write operation was not successful.\r | |
435 | \r | |
436 | **/\r | |
437 | INTN\r | |
438 | EFIAPI\r | |
439 | TlsWrite (\r | |
440 | IN VOID *Tls,\r | |
441 | IN VOID *Buffer,\r | |
442 | IN UINTN BufferSize\r | |
443 | )\r | |
444 | {\r | |
445 | TLS_CONNECTION *TlsConn;\r | |
446 | \r | |
447 | TlsConn = (TLS_CONNECTION *) Tls;\r | |
448 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r | |
449 | return -1;\r | |
450 | }\r | |
451 | \r | |
452 | //\r | |
453 | // Write bytes to the specified TLS connection.\r | |
454 | //\r | |
455 | return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);\r | |
456 | }\r | |
457 | \r |