/** @file
  EFI TLS Protocols as defined in UEFI 2.5.

  The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers
  and to create and destroy children of the driver that communicate with another host
  using the TLS protocol.
  The EFI TLS Protocol provides the ability to manage a TLS session.

  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution. The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

  @par Revision Reference:
  This Protocol is introduced in UEFI Specification 2.5

**/
22 | \r | |
23 | #ifndef __EFI_TLS_PROTOCOL_H__\r | |
24 | #define __EFI_TLS_PROTOCOL_H__\r | |
25 | \r | |
///
/// The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to
/// create and destroy child of the driver to communicate with other host using TLS
/// protocol.
///
/// GUID value fixed by UEFI 2.5; consumers locate the service binding by this
/// value, so it must never be edited.
///
#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID \
  { \
    0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \
  }
35 | \r | |
///
/// The EFI TLS protocol provides the ability to manage TLS session.
///
/// GUID of the EFI_TLS_PROTOCOL instance installed on each child created through
/// the service binding protocol above. Fixed by UEFI 2.5; never edit.
///
#define EFI_TLS_PROTOCOL_GUID \
  { \
    0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \
  }

///
/// Forward declaration so the function-pointer typedefs below can take a
/// pointer to the protocol; the full layout is at the end of this file.
///
typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;
45 | \r | |
///
/// EFI_TLS_SESSION_DATA_TYPE
///
/// Selector passed to SetSessionData() / GetSessionData() naming what the
/// accompanying Data buffer holds. The "Session Configuration" group is set by
/// the consumer before the handshake starts; the "Session information" group is
/// produced by the handshake and is read-only (SetSessionData() answers
/// EFI_ACCESS_DENIED for it, see its description below).
///
typedef enum {
  ///
  /// Session Configuration
  ///

  ///
  /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.
  ///
  EfiTlsVersion,
  ///
  /// TLS session as client or as server. The corresponding Data is of
  /// EFI_TLS_CONNECTION_END.
  ///
  EfiTlsConnectionEnd,
  ///
  /// A priority list of preferred algorithms for the TLS session.
  /// The corresponding Data is a list of EFI_TLS_CIPHER.
  /// The list is the consumer's preference order; presumably any suite in it may
  /// end up negotiated, so list only suites the consumer considers acceptable.
  ///
  EfiTlsCipherList,
  ///
  /// TLS session compression method.
  /// The corresponding Data is of type EFI_TLS_COMPRESSION.
  ///
  EfiTlsCompressionMethod,
  ///
  /// TLS session extension data.
  /// The corresponding Data is a list of type EFI_TLS_EXTENSION.
  ///
  EfiTlsExtensionData,
  ///
  /// TLS session verify method.
  /// The corresponding Data is of type EFI_TLS_VERIFY.
  ///
  EfiTlsVerifyMethod,
  ///
  /// TLS session data session ID.
  /// For SetSessionData(), it is TLS session ID used for session resumption.
  /// For GetSessionData(), it is the TLS session ID used for current session.
  /// The corresponding Data is of type EFI_TLS_SESSION_ID.
  ///
  EfiTlsSessionID,
  ///
  /// TLS session data session state.
  /// The corresponding Data is of type EFI_TLS_SESSION_STATE.
  /// Setting EfiTlsSessionClosing through this type is how a consumer starts an
  /// active close (see EFI_TLS_SESSION_STATE).
  ///
  EfiTlsSessionState,

  ///
  /// Session information
  ///

  ///
  /// TLS session data client random.
  /// The corresponding Data is of type EFI_TLS_RANDOM.
  ///
  EfiTlsClientRandom,
  ///
  /// TLS session data server random.
  /// The corresponding Data is of type EFI_TLS_RANDOM.
  ///
  EfiTlsServerRandom,
  ///
  /// TLS session data key material.
  /// The corresponding Data is of type EFI_TLS_MASTER_SECRET.
  /// This is secret keying material: a consumer that copies it out should keep
  /// it out of logs and clear its copy as soon as it is no longer needed.
  ///
  EfiTlsKeyMaterial,

  ///
  /// End-of-enumeration marker, not a usable DataType.
  ///
  EfiTlsSessionDataTypeMaximum

} EFI_TLS_SESSION_DATA_TYPE;
119 | \r | |
///
/// EFI_TLS_VERSION
/// Note: The TLS version definition is from SSL3.0 to the latest TLS (e.g. 1.2).
/// SSL2.0 is obsolete and should not be used.
///
/// Major/Minor carry the ProtocolVersion pair as encoded on the wire by
/// RFC 5246 (TLS 1.2 is {3, 3}). NOTE(review): SSL 3.0 has since been deprecated
/// as well (RFC 7568); consumers should normally configure TLS 1.2 or later.
///
typedef struct {
  UINT8   Major;
  UINT8   Minor;
} EFI_TLS_VERSION;
129 | \r | |
///
/// EFI_TLS_CONNECTION_END to define TLS session as client or server.
/// Configured through SetSessionData() with EfiTlsConnectionEnd.
///
typedef enum {
  ///
  /// This end initiates the session (BuildResponsePacket() with a NULL request
  /// produces its ClientHello).
  ///
  EfiTlsClient,
  ///
  /// This end answers a peer's handshake.
  ///
  EfiTlsServer,
} EFI_TLS_CONNECTION_END;
137 | \r | |
///
/// EFI_TLS_CIPHER
/// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A.4.1.
/// Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher
/// Suite Registry of IANA.
///
/// Data1/Data2 are the two bytes of the IANA cipher-suite code in wire order.
/// A list of these is passed with EfiTlsCipherList; which suites a given driver
/// actually supports is driver-specific.
///
typedef struct {
  UINT8   Data1;
  UINT8   Data2;
} EFI_TLS_CIPHER;
148 | \r | |
///
/// EFI_TLS_COMPRESSION
/// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".
/// Configured through SetSessionData() with EfiTlsCompressionMethod.
/// NOTE(review): TLS-level compression is widely discouraged because ciphertext
/// length then leaks information about the plaintext; prefer the null method.
///
typedef UINT8 EFI_TLS_COMPRESSION;
154 | \r | |
///
/// EFI_TLS_EXTENSION
/// Note: The definition of EFI_TLS_EXTENSION if from "RFC 5246 A.4.1.
/// Hello Messages".
///
/// Variable-length record: Data[1] is only the start of the extension payload,
/// whose size is presumably given by Length, so an instance must be allocated
/// with room for that payload rather than sizeof (EFI_TLS_EXTENSION). Code that
/// walks a list of these (EfiTlsExtensionData) should check that each Length
/// stays inside the enclosing buffer before touching Data.
///
typedef struct {
  UINT16  ExtensionType;
  UINT16  Length;
  UINT8   Data[1];
} EFI_TLS_EXTENSION;
165 | \r | |
///
/// EFI_TLS_VERIFY
/// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options
/// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.
/// Configured through SetSessionData() with EfiTlsVerifyMethod.
///
typedef UINT32 EFI_TLS_VERIFY;
///
/// No certificates will be sent or the TLS/SSL handshake will be continued regardless
/// of the certificate verification result.
/// With this setting the peer is not authenticated at all, so the session gives
/// no protection against an impersonating peer; use it only where the peer's
/// identity is established by other means.
///
#define EFI_TLS_VERIFY_NONE                 0x0
///
/// The TLS/SSL handshake is immediately terminated with an alert message containing
/// the reason for the certificate verification failure.
/// This is the setting that actually authenticates the peer.
///
#define EFI_TLS_VERIFY_PEER                 0x1
///
/// TLS session will fail if the peer certificate is absent.
/// Only meaningful when ORed with EFI_TLS_VERIFY_PEER.
///
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2
///
/// TLS session only verifies the client once, and doesn't request a certificate
/// during re-negotiation.
/// Only meaningful when ORed with EFI_TLS_VERIFY_PEER.
///
#define EFI_TLS_VERIFY_CLIENT_ONCE          0x4
191 | \r | |
///
/// EFI_TLS_RANDOM
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.
/// Hello Messages".
///
/// 32-byte Hello random (4-byte timestamp + 28 random bytes), read back with
/// EfiTlsClientRandom / EfiTlsServerRandom. It is produced during the handshake;
/// SetSessionData() does not accept it.
///
typedef struct {
  UINT32  GmtUnixTime;
  UINT8   RandomBytes[28];
} EFI_TLS_RANDOM;
201 | \r | |
///
/// EFI_TLS_MASTER_SECRET
/// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1.
/// Computing the Master Secret".
///
/// 48-byte master secret of the session, readable with EfiTlsKeyMaterial.
/// Whoever holds it can derive the session keys, so a consumer that copies it
/// out must treat the copy as a key: never log it, clear it after use.
///
typedef struct {
  UINT8   Data[48];
} EFI_TLS_MASTER_SECRET;
210 | \r | |
///
/// EFI_TLS_SESSION_ID
/// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".
///
/// Length presumably counts the valid bytes in Data, so it can never legitimately
/// exceed MAX_TLS_SESSION_ID_LENGTH; code that takes a session ID from an
/// external source should check that bound before copying from Data.
///
#define MAX_TLS_SESSION_ID_LENGTH  32
typedef struct {
  UINT16  Length;
  UINT8   Data[MAX_TLS_SESSION_ID_LENGTH];
} EFI_TLS_SESSION_ID;
220 | \r | |
///
/// EFI_TLS_SESSION_STATE
///
/// Life cycle of one TLS child, readable (and, for EfiTlsSessionClosing,
/// settable) through EfiTlsSessionState. The comments on each value describe
/// which protocol call moves the session on from that state.
///
typedef enum {
  ///
  /// When a new child of TLS protocol is created, the initial state of TLS session
  /// is EfiTlsSessionNotStarted. Configuration via SetSessionData() is only
  /// accepted in this state.
  ///
  EfiTlsSessionNotStarted,
  ///
  /// The consumer can call BuildResponsePacket() with NULL to get ClientHello to
  /// start the TLS session. Then the status is EfiTlsSessionHandShaking.
  ///
  EfiTlsSessionHandShaking,
  ///
  /// During handshake, the consumer needs to call BuildResponsePacket() with input
  /// data from the peer, then get the response packet and send it to the peer. After
  /// the handshake finishes, the TLS session status becomes EfiTlsSessionDataTransferring,
  /// and the consumer can use ProcessPacket() for data transfer.
  ///
  EfiTlsSessionDataTransferring,
  ///
  /// Finally, if the consumer wants to actively close the TLS session, it needs to
  /// call SetSessionData() to set the TLS session state to EfiTlsSessionClosing, then
  /// call BuildResponsePacket() with NULL to get the CloseNotify alert message,
  /// and send it out.
  ///
  EfiTlsSessionClosing,
  ///
  /// If any error happens while parsing the ApplicationData content type, EFI_ABORTED
  /// will be returned by ProcessPacket(), and the TLS session state will become
  /// EfiTlsSessionError. The consumer then needs to call BuildResponsePacket() with
  /// NULL to get the alert message and send it out.
  ///
  EfiTlsSessionError,

  ///
  /// End-of-enumeration marker, not a real state.
  ///
  EfiTlsSessionStateMaximum

} EFI_TLS_SESSION_STATE;
260 | \r | |
///
/// EFI_TLS_FRAGMENT_DATA
///
/// One entry of the fragment table handed to ProcessPacket(). The driver may
/// reallocate the table (see ProcessPacket()), so a consumer must keep track of
/// the buffers it originally supplied rather than trusting the table to be
/// unchanged on return.
///
typedef struct {
  ///
  /// Length of data buffer in the fragment.
  ///
  UINT32  FragmentLength;
  ///
  /// Pointer to the data buffer in the fragment. Must be valid for FragmentLength bytes.
  ///
  VOID    *FragmentBuffer;
} EFI_TLS_FRAGMENT_DATA;
274 | \r | |
///
/// EFI_TLS_CRYPT_MODE
///
/// Direction selector for ProcessPacket(); see its FragmentTable description for
/// what the fragments hold on input and output in each mode.
///
typedef enum {
  ///
  /// Encrypt data provided in the fragment buffers (outbound application data).
  ///
  EfiTlsEncrypt,
  ///
  /// Decrypt data provided in the fragment buffers (inbound application data).
  ///
  EfiTlsDecrypt,
} EFI_TLS_CRYPT_MODE;
288 | \r | |
/**
  Set TLS session data.

  The SetSessionData() function sets data for a new TLS session. All session data should
  be set before BuildResponsePacket() is invoked.

  Data is untyped: DataSize must match the type listed for DataType in
  EFI_TLS_SESSION_DATA_TYPE (or the total list size for EfiTlsCipherList and
  EfiTlsExtensionData). The driver is expected to validate DataSize against the
  requested DataType rather than trusting the caller.

  @param[in]  This                Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]  DataType            TLS session data type.
  @param[in]  Data                Pointer to session data.
  @param[in]  DataSize            Total size of session data.

  @retval EFI_SUCCESS             The TLS session data is set successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  Data is NULL.
                                  DataSize is 0.
  @retval EFI_UNSUPPORTED         The DataType is unsupported.
  @retval EFI_ACCESS_DENIED       If the DataType is one of below (read-only session
                                  information produced by the handshake):
                                  EfiTlsClientRandom
                                  EfiTlsServerRandom
                                  EfiTlsKeyMaterial
  @retval EFI_NOT_READY           Current TLS session state is NOT
                                  EfiTlsSessionNotStarted.
  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be allocated.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_SET_SESSION_DATA) (
  IN EFI_TLS_PROTOCOL             *This,
  IN EFI_TLS_SESSION_DATA_TYPE    DataType,
  IN VOID                         *Data,
  IN UINTN                        DataSize
  );
322 | \r | |
/**
  Get TLS session data.

  The GetSessionData() function returns the TLS session information.

  Note that EfiTlsKeyMaterial hands the caller the session's master secret; the
  receiving buffer should be treated as key material (not logged, cleared after use).

  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]       DataType       TLS session data type.
  @param[in, out]  Data           Pointer to session data. May be NULL when *DataSize is 0,
                                  which is the usual way to query the required size.
  @param[in, out]  DataSize       Total size of session data. On input, it means
                                  the size of Data buffer. On output, it means the size
                                  of copied Data buffer if EFI_SUCCESS, and means the
                                  size of desired Data buffer if EFI_BUFFER_TOO_SMALL.

  @retval EFI_SUCCESS             The TLS session data is got successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  DataSize is NULL.
                                  Data is NULL if *DataSize is not zero.
  @retval EFI_UNSUPPORTED         The DataType is unsupported.
  @retval EFI_NOT_FOUND           The TLS session data is not found.
  @retval EFI_NOT_READY           The DataType is not ready in current session state.
  @retval EFI_BUFFER_TOO_SMALL    The buffer is too small to hold the data.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_GET_SESSION_DATA) (
  IN EFI_TLS_PROTOCOL             *This,
  IN EFI_TLS_SESSION_DATA_TYPE    DataType,
  IN OUT VOID                     *Data,  OPTIONAL
  IN OUT UINTN                    *DataSize
  );
354 | \r | |
/**
  Build response packet according to TLS state machine. This function is only valid for
  alert, handshake and change_cipher_spec content type.

  The BuildResponsePacket() function builds TLS response packet in response to the TLS
  request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and
  RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session
  will be initiated and the response packet needs to be ClientHello. If RequestBuffer is
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS
  session will be closed and response packet needs to be CloseNotify. If RequestBuffer is
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS
  session has errors and the response packet needs to be Alert message based on error
  type.

  RequestBuffer is data received from the peer, i.e. untrusted input; RequestSize
  is the only bound the driver has on it, so the caller must pass the exact number
  of bytes received and the driver must parse strictly within that bound.

  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]       RequestBuffer  Pointer to the most recently received TLS packet. NULL
                                  means TLS need initiate the TLS session and response
                                  packet need to be ClientHello.
  @param[in]       RequestSize    Packet size in bytes for the most recently received TLS
                                  packet. 0 is only valid when RequestBuffer is NULL.
  @param[out]      Buffer         Pointer to the buffer to hold the built packet.
  @param[in, out]  BufferSize     Pointer to the buffer size in bytes. On input, it is
                                  the buffer size provided by the caller. On output, it
                                  is the buffer size in fact needed to contain the
                                  packet.

  @retval EFI_SUCCESS             The required TLS packet is built successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  RequestBuffer is NULL but RequestSize is NOT 0.
                                  RequestSize is 0 but RequestBuffer is NOT NULL.
                                  BufferSize is NULL.
                                  Buffer is NULL if *BufferSize is not zero.
  @retval EFI_BUFFER_TOO_SMALL    BufferSize is too small to hold the response packet.
                                  *BufferSize reports the size needed; retry with a
                                  buffer of at least that size.
  @retval EFI_NOT_READY           Current TLS session state is NOT ready to build
                                  ResponsePacket.
  @retval EFI_ABORTED             Something went wrong while building the response packet.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_BUILD_RESPONSE_PACKET) (
  IN EFI_TLS_PROTOCOL             *This,
  IN UINT8                        *RequestBuffer, OPTIONAL
  IN UINTN                        RequestSize, OPTIONAL
  OUT UINT8                       *Buffer, OPTIONAL
  IN OUT UINTN                    *BufferSize
  );
402 | \r | |
/**
  Decrypt or encrypt TLS packet during session. This function is only valid after
  session connected and for application_data content type.

  The ProcessPacket () function processes each inbound or outbound TLS APP packet.

  Ownership note: the fragment table may be reallocated by the driver, so the
  caller must remember the buffers it originally supplied and release them itself;
  it should not assume *FragmentTable still points at its own allocation on return.

  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in, out]  FragmentTable  Pointer to a list of fragment. The caller will take
                                  responsible to handle the original FragmentTable while
                                  it may be reallocated in TLS driver. If CryptMode is
                                  EfiTlsEncrypt, on input these fragments contain the TLS
                                  header and plain text TLS APP payload; on output these
                                  fragments contain the TLS header and cipher text TLS
                                  APP payload. If CryptMode is EfiTlsDecrypt, on input
                                  these fragments contain the TLS header and cipher text
                                  TLS APP payload; on output these fragments contain the
                                  TLS header and plain text TLS APP payload.
  @param[in]       FragmentCount  Pointer to the number of fragments in *FragmentTable.
  @param[in]       CryptMode      Crypt mode.

  @retval EFI_SUCCESS             The operation completed successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  FragmentTable is NULL.
                                  FragmentCount is NULL.
                                  CryptMode is invalid.
  @retval EFI_NOT_READY           Current TLS session state is NOT
                                  EfiTlsSessionDataTransferring.
  @retval EFI_ABORTED             Something went wrong decrypting the message. TLS session
                                  status will become EfiTlsSessionError. The caller needs
                                  to call BuildResponsePacket() to generate the Error Alert
                                  message and send it out. Output fragments must not be
                                  treated as valid plaintext in this case.
  @retval EFI_OUT_OF_RESOURCES    Not enough resources to finish the operation.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_PROCESS_PACKET) (
  IN EFI_TLS_PROTOCOL             *This,
  IN OUT EFI_TLS_FRAGMENT_DATA    **FragmentTable,
  IN UINT32                       *FragmentCount,
  IN EFI_TLS_CRYPT_MODE           CryptMode
  );
445 | \r | |
///
/// The EFI_TLS_PROTOCOL is used to create, destroy and manage TLS session.
/// For detail of TLS, please refer to TLS related RFC.
///
/// Typical use: configure with SetSessionData() while the session is
/// EfiTlsSessionNotStarted, drive the handshake with BuildResponsePacket(), then
/// move application data with ProcessPacket(); see EFI_TLS_SESSION_STATE.
///
struct _EFI_TLS_PROTOCOL {
  /// Configure a not-yet-started session (version, role, ciphers, verify mode, ...).
  EFI_TLS_SET_SESSION_DATA        SetSessionData;
  /// Read configuration or handshake-produced session information.
  EFI_TLS_GET_SESSION_DATA        GetSessionData;
  /// Produce handshake / alert / change_cipher_spec records for the peer.
  EFI_TLS_BUILD_RESPONSE_PACKET   BuildResponsePacket;
  /// Encrypt or decrypt application_data records.
  EFI_TLS_PROCESS_PACKET          ProcessPacket;
};
456 | \r | |
///
/// Global GUID objects matching the two #define'd GUIDs above; defined once in the
/// package's GUID library, declared here for LocateProtocol()-style lookups.
///
extern EFI_GUID gEfiTlsServiceBindingProtocolGuid;
extern EFI_GUID gEfiTlsProtocolGuid;
459 | \r | |
460 | #endif // __EFI_TLS_PROTOCOL_H__\r | |
461 | \r |