Maintainers.txt: Update email address
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
CommitLineData
264702a0
HW
1/** @file\r
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r
3\r
2ca74e1a 4Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
264702a0 5(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
2009f6b4 6SPDX-License-Identifier: BSD-2-Clause-Patent\r
264702a0
HW
7\r
8**/\r
9\r
10#include "InternalTlsLib.h"\r
11\r
12typedef struct {\r
13 //\r
14 // IANA/IETF defined Cipher Suite ID\r
15 //\r
7c342378 16 UINT16 IanaCipher;\r
264702a0
HW
17 //\r
18 // OpenSSL-used Cipher Suite String\r
19 //\r
7c342378 20 CONST CHAR8 *OpensslCipher;\r
96015d5f
LE
21 //\r
22 // Length of OpensslCipher\r
23 //\r
7c342378 24 UINTN OpensslCipherLength;\r
ecfd37ba 25} TLS_CIPHER_MAPPING;\r
264702a0 26\r
96015d5f
LE
27//\r
28// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so\r
29// that OpensslCipherLength is filled in automatically. IanaCipher must be an\r
30// integer constant expression, and OpensslCipher must be a string literal.\r
31//\r
32#define MAP(IanaCipher, OpensslCipher) \\r
33 { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }\r
34\r
264702a0
HW
35//\r
36// The mapping table between IANA/IETF Cipher Suite definitions and\r
37// OpenSSL-used Cipher Suite name.\r
38//\r
5eadb54e
LE
39// Keep the table uniquely sorted by the IanaCipher field, in increasing order.\r
40//\r
7c342378
MK
41STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r
42 MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5\r
43 MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA\r
44 MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5\r
45 MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA\r
46 MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
47 MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
48 MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
49 MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
50 MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
51 MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
52 MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA\r
53 MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
54 MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
55 MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
56 MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256\r
57 MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
58 MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
59 MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
60 MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
61 MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
62 MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
63 MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
64 MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
264702a0
HW
65};\r
66\r
67/**\r
ecfd37ba 68 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.\r
264702a0
HW
69\r
70 @param[in] CipherId The supplied IANA TLS cipher suite ID.\r
71\r
ecfd37ba 72 @return The corresponding OpenSSL cipher suite mapping if found,\r
264702a0
HW
73 NULL otherwise.\r
74\r
75**/\r
76STATIC\r
ecfd37ba
LE
77CONST TLS_CIPHER_MAPPING *\r
78TlsGetCipherMapping (\r
7c342378 79 IN UINT16 CipherId\r
264702a0
HW
80 )\r
81{\r
7c342378
MK
82 INTN Left;\r
83 INTN Right;\r
84 INTN Middle;\r
264702a0
HW
85\r
86 //\r
5eadb54e 87 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r
264702a0 88 //\r
5eadb54e
LE
89 Left = 0;\r
90 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;\r
91\r
92 while (Right >= Left) {\r
93 Middle = (Left + Right) / 2;\r
94\r
95 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {\r
96 //\r
97 // Translate IANA cipher suite ID to OpenSSL name.\r
98 //\r
99 return &TlsCipherMappingTable[Middle];\r
100 }\r
101\r
102 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {\r
103 Right = Middle - 1;\r
104 } else {\r
7c342378 105 Left = Middle + 1;\r
264702a0
HW
106 }\r
107 }\r
108\r
109 //\r
110 // No Cipher Mapping found, return NULL.\r
111 //\r
112 return NULL;\r
113}\r
114\r
115/**\r
116 Set a new TLS/SSL method for a particular TLS object.\r
117\r
118 This function sets a new TLS/SSL method for a particular TLS object.\r
119\r
120 @param[in] Tls Pointer to a TLS object.\r
121 @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
122 @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
123\r
124 @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r
125 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
126 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r
127\r
128**/\r
129EFI_STATUS\r
130EFIAPI\r
131TlsSetVersion (\r
7c342378
MK
132 IN VOID *Tls,\r
133 IN UINT8 MajorVer,\r
134 IN UINT8 MinorVer\r
264702a0
HW
135 )\r
136{\r
137 TLS_CONNECTION *TlsConn;\r
138 UINT16 ProtoVersion;\r
139\r
140 TlsConn = (TLS_CONNECTION *)Tls;\r
7c342378 141 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
264702a0
HW
142 return EFI_INVALID_PARAMETER;\r
143 }\r
144\r
145 ProtoVersion = (MajorVer << 8) | MinorVer;\r
146\r
147 //\r
148 // Bound TLS method to the particular specified version.\r
149 //\r
150 switch (ProtoVersion) {\r
7c342378
MK
151 case TLS1_VERSION:\r
152 //\r
153 // TLS 1.0\r
154 //\r
155 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
156 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
157 break;\r
158 case TLS1_1_VERSION:\r
159 //\r
160 // TLS 1.1\r
161 //\r
162 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
163 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
164 break;\r
165 case TLS1_2_VERSION:\r
166 //\r
167 // TLS 1.2\r
168 //\r
169 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
170 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
171 break;\r
172 default:\r
173 //\r
174 // Unsupported Protocol Version\r
175 //\r
176 return EFI_UNSUPPORTED;\r
264702a0
HW
177 }\r
178\r
7c342378 179 return EFI_SUCCESS;\r
264702a0
HW
180}\r
181\r
182/**\r
183 Set TLS object to work in client or server mode.\r
184\r
185 This function prepares a TLS object to work in client or server mode.\r
186\r
187 @param[in] Tls Pointer to a TLS object.\r
188 @param[in] IsServer Work in server mode.\r
189\r
190 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r
191 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
192 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r
193\r
194**/\r
195EFI_STATUS\r
196EFIAPI\r
197TlsSetConnectionEnd (\r
7c342378
MK
198 IN VOID *Tls,\r
199 IN BOOLEAN IsServer\r
264702a0
HW
200 )\r
201{\r
202 TLS_CONNECTION *TlsConn;\r
203\r
7c342378
MK
204 TlsConn = (TLS_CONNECTION *)Tls;\r
205 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
264702a0
HW
206 return EFI_INVALID_PARAMETER;\r
207 }\r
208\r
209 if (!IsServer) {\r
210 //\r
211 // Set TLS to work in Client mode.\r
212 //\r
213 SSL_set_connect_state (TlsConn->Ssl);\r
214 } else {\r
215 //\r
216 // Set TLS to work in Server mode.\r
217 // It is unsupported for UEFI version currently.\r
218 //\r
7c342378 219 // SSL_set_accept_state (TlsConn->Ssl);\r
264702a0
HW
220 return EFI_UNSUPPORTED;\r
221 }\r
222\r
223 return EFI_SUCCESS;\r
224}\r
225\r
226/**\r
227 Set the ciphers list to be used by the TLS object.\r
228\r
229 This function sets the ciphers for use by a specified TLS object.\r
230\r
231 @param[in] Tls Pointer to a TLS object.\r
2167c7f7
LE
232 @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16\r
233 cipher identifier comes from the TLS Cipher Suite\r
234 Registry of the IANA, interpreting Byte1 and Byte2\r
235 in network (big endian) byte order.\r
264702a0
HW
236 @param[in] CipherNum The number of cipher in the list.\r
237\r
238 @retval EFI_SUCCESS The ciphers list was set successfully.\r
239 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
2167c7f7
LE
240 @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId.\r
241 @retval EFI_OUT_OF_RESOURCES Memory allocation failed.\r
264702a0
HW
242\r
243**/\r
244EFI_STATUS\r
245EFIAPI\r
246TlsSetCipherList (\r
7c342378
MK
247 IN VOID *Tls,\r
248 IN UINT16 *CipherId,\r
249 IN UINTN CipherNum\r
264702a0
HW
250 )\r
251{\r
7c342378
MK
252 TLS_CONNECTION *TlsConn;\r
253 EFI_STATUS Status;\r
254 CONST TLS_CIPHER_MAPPING **MappedCipher;\r
255 UINTN MappedCipherBytes;\r
256 UINTN MappedCipherCount;\r
257 UINTN CipherStringSize;\r
258 UINTN Index;\r
259 CONST TLS_CIPHER_MAPPING *Mapping;\r
260 CHAR8 *CipherString;\r
261 CHAR8 *CipherStringPosition;\r
262\r
263 TlsConn = (TLS_CONNECTION *)Tls;\r
264 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {\r
264702a0
HW
265 return EFI_INVALID_PARAMETER;\r
266 }\r
267\r
2167c7f7
LE
268 //\r
269 // Allocate the MappedCipher array for recording the mappings that we find\r
270 // for the input IANA identifiers in CipherId.\r
271 //\r
7c342378
MK
272 Status = SafeUintnMult (\r
273 CipherNum,\r
274 sizeof (*MappedCipher),\r
275 &MappedCipherBytes\r
276 );\r
2167c7f7
LE
277 if (EFI_ERROR (Status)) {\r
278 return EFI_OUT_OF_RESOURCES;\r
279 }\r
7c342378 280\r
2167c7f7
LE
281 MappedCipher = AllocatePool (MappedCipherBytes);\r
282 if (MappedCipher == NULL) {\r
283 return EFI_OUT_OF_RESOURCES;\r
284 }\r
264702a0 285\r
2167c7f7
LE
286 //\r
287 // Map the cipher IDs, and count the number of bytes for the full\r
288 // CipherString.\r
289 //\r
290 MappedCipherCount = 0;\r
7c342378 291 CipherStringSize = 0;\r
264702a0
HW
292 for (Index = 0; Index < CipherNum; Index++) {\r
293 //\r
2167c7f7 294 // Look up the IANA-to-OpenSSL mapping.\r
264702a0 295 //\r
2167c7f7 296 Mapping = TlsGetCipherMapping (CipherId[Index]);\r
ecfd37ba 297 if (Mapping == NULL) {\r
7c342378
MK
298 DEBUG ((\r
299 DEBUG_VERBOSE,\r
300 "%a:%a: skipping CipherId=0x%04x\n",\r
301 gEfiCallerBaseName,\r
302 __FUNCTION__,\r
303 CipherId[Index]\r
304 ));\r
264702a0 305 //\r
2167c7f7
LE
306 // Skipping the cipher is valid because CipherId is an ordered\r
307 // preference list of ciphers, thus we can filter it as long as we\r
308 // don't change the relative order of elements on it.\r
264702a0 309 //\r
2167c7f7
LE
310 continue;\r
311 }\r
7c342378 312\r
2167c7f7
LE
313 //\r
314 // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this\r
315 // is not the first successful mapping, account for a colon (":") prefix\r
316 // too.\r
317 //\r
318 if (MappedCipherCount > 0) {\r
319 Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);\r
320 if (EFI_ERROR (Status)) {\r
321 Status = EFI_OUT_OF_RESOURCES;\r
322 goto FreeMappedCipher;\r
323 }\r
324 }\r
7c342378
MK
325\r
326 Status = SafeUintnAdd (\r
327 CipherStringSize,\r
328 Mapping->OpensslCipherLength,\r
329 &CipherStringSize\r
330 );\r
2167c7f7
LE
331 if (EFI_ERROR (Status)) {\r
332 Status = EFI_OUT_OF_RESOURCES;\r
333 goto FreeMappedCipher;\r
264702a0 334 }\r
7c342378 335\r
2167c7f7
LE
336 //\r
337 // Record the mapping.\r
338 //\r
339 MappedCipher[MappedCipherCount++] = Mapping;\r
340 }\r
341\r
342 //\r
343 // Verify that at least one IANA cipher ID could be mapped; account for the\r
344 // terminating NUL character in CipherStringSize; allocate CipherString.\r
345 //\r
346 if (MappedCipherCount == 0) {\r
7c342378
MK
347 DEBUG ((\r
348 DEBUG_ERROR,\r
349 "%a:%a: no CipherId could be mapped\n",\r
350 gEfiCallerBaseName,\r
351 __FUNCTION__\r
352 ));\r
2167c7f7
LE
353 Status = EFI_UNSUPPORTED;\r
354 goto FreeMappedCipher;\r
355 }\r
7c342378 356\r
2167c7f7
LE
357 Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);\r
358 if (EFI_ERROR (Status)) {\r
359 Status = EFI_OUT_OF_RESOURCES;\r
360 goto FreeMappedCipher;\r
361 }\r
7c342378 362\r
2167c7f7
LE
363 CipherString = AllocatePool (CipherStringSize);\r
364 if (CipherString == NULL) {\r
365 Status = EFI_OUT_OF_RESOURCES;\r
366 goto FreeMappedCipher;\r
367 }\r
264702a0 368\r
2167c7f7
LE
369 //\r
370 // Go over the collected mappings and populate CipherString.\r
371 //\r
372 CipherStringPosition = CipherString;\r
373 for (Index = 0; Index < MappedCipherCount; Index++) {\r
374 Mapping = MappedCipher[Index];\r
375 //\r
376 // Append the colon (":") prefix except for the first mapping, then append\r
377 // Mapping->OpensslCipher.\r
378 //\r
379 if (Index > 0) {\r
380 *(CipherStringPosition++) = ':';\r
381 }\r
7c342378
MK
382\r
383 CopyMem (\r
384 CipherStringPosition,\r
385 Mapping->OpensslCipher,\r
386 Mapping->OpensslCipherLength\r
387 );\r
2167c7f7 388 CipherStringPosition += Mapping->OpensslCipherLength;\r
264702a0
HW
389 }\r
390\r
2167c7f7
LE
391 //\r
392 // NUL-terminate CipherString.\r
393 //\r
394 *(CipherStringPosition++) = '\0';\r
395 ASSERT (CipherStringPosition == CipherString + CipherStringSize);\r
396\r
397 //\r
398 // Log CipherString for debugging. CipherString can be very long if the\r
399 // caller provided a large CipherId array, so log CipherString in segments of\r
400 // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in\r
401 // DebugLib instances.)\r
402 //\r
e3b855f2 403 DEBUG_CODE_BEGIN ();\r
7c342378
MK
404 UINTN FullLength;\r
405 UINTN SegmentLength;\r
406\r
407 FullLength = CipherStringSize - 1;\r
408 DEBUG ((\r
409 DEBUG_VERBOSE,\r
410 "%a:%a: CipherString={\n",\r
411 gEfiCallerBaseName,\r
412 __FUNCTION__\r
413 ));\r
414 for (CipherStringPosition = CipherString;\r
415 CipherStringPosition < CipherString + FullLength;\r
416 CipherStringPosition += SegmentLength)\r
417 {\r
418 SegmentLength = FullLength - (CipherStringPosition - CipherString);\r
419 if (SegmentLength > 79) {\r
420 SegmentLength = 79;\r
2167c7f7 421 }\r
7c342378
MK
422\r
423 DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));\r
424 }\r
425\r
426 DEBUG ((DEBUG_VERBOSE, "}\n"));\r
427 //\r
428 // Restore the pre-debug value of CipherStringPosition by skipping over the\r
429 // trailing NUL.\r
430 //\r
431 CipherStringPosition++;\r
432 ASSERT (CipherStringPosition == CipherString + CipherStringSize);\r
e3b855f2 433 DEBUG_CODE_END ();\r
264702a0
HW
434\r
435 //\r
436 // Sets the ciphers for use by the Tls object.\r
437 //\r
438 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {\r
2167c7f7
LE
439 Status = EFI_UNSUPPORTED;\r
440 goto FreeCipherString;\r
264702a0
HW
441 }\r
442\r
2167c7f7
LE
443 Status = EFI_SUCCESS;\r
444\r
445FreeCipherString:\r
446 FreePool (CipherString);\r
447\r
448FreeMappedCipher:\r
449 FreePool (MappedCipher);\r
450\r
451 return Status;\r
264702a0
HW
452}\r
453\r
454/**\r
455 Set the compression method for TLS/SSL operations.\r
456\r
457 This function handles TLS/SSL integrated compression methods.\r
458\r
459 @param[in] CompMethod The compression method ID.\r
460\r
461 @retval EFI_SUCCESS The compression method for the communication was\r
462 set successfully.\r
463 @retval EFI_UNSUPPORTED Unsupported compression method.\r
464\r
465**/\r
466EFI_STATUS\r
467EFIAPI\r
468TlsSetCompressionMethod (\r
7c342378 469 IN UINT8 CompMethod\r
264702a0
HW
470 )\r
471{\r
472 COMP_METHOD *Cm;\r
473 INTN Ret;\r
474\r
475 Cm = NULL;\r
476 Ret = 0;\r
477\r
478 if (CompMethod == 0) {\r
479 //\r
480 // TLS defines one standard compression method, CompressionMethod.null (0),\r
481 // which specifies that data exchanged via the record protocol will not be compressed.\r
482 // So, return EFI_SUCCESS directly (RFC 3749).\r
483 //\r
484 return EFI_SUCCESS;\r
485 } else if (CompMethod == 1) {\r
7c342378 486 Cm = COMP_zlib ();\r
264702a0
HW
487 } else {\r
488 return EFI_UNSUPPORTED;\r
489 }\r
490\r
491 //\r
492 // Adds the compression method to the list of available\r
493 // compression methods.\r
494 //\r
495 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);\r
496 if (Ret != 0) {\r
497 return EFI_UNSUPPORTED;\r
498 }\r
499\r
500 return EFI_SUCCESS;\r
501}\r
502\r
503/**\r
504 Set peer certificate verification mode for the TLS connection.\r
505\r
506 This function sets the verification mode flags for the TLS connection.\r
507\r
508 @param[in] Tls Pointer to the TLS object.\r
509 @param[in] VerifyMode A set of logically or'ed verification mode flags.\r
510\r
511**/\r
512VOID\r
513EFIAPI\r
514TlsSetVerify (\r
7c342378
MK
515 IN VOID *Tls,\r
516 IN UINT32 VerifyMode\r
264702a0
HW
517 )\r
518{\r
519 TLS_CONNECTION *TlsConn;\r
520\r
7c342378
MK
521 TlsConn = (TLS_CONNECTION *)Tls;\r
522 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
264702a0
HW
523 return;\r
524 }\r
525\r
526 //\r
527 // Set peer certificate verification parameters with NULL callback.\r
528 //\r
529 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r
530}\r
531\r
2ca74e1a
WJ
532/**\r
533 Set the specified host name to be verified.\r
534\r
535 @param[in] Tls Pointer to the TLS object.\r
536 @param[in] Flags The setting flags during the validation.\r
537 @param[in] HostName The specified host name to be verified.\r
538\r
539 @retval EFI_SUCCESS The HostName setting was set successfully.\r
540 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
541 @retval EFI_ABORTED Invalid HostName setting.\r
542\r
543**/\r
544EFI_STATUS\r
545EFIAPI\r
546TlsSetVerifyHost (\r
7c342378
MK
547 IN VOID *Tls,\r
548 IN UINT32 Flags,\r
549 IN CHAR8 *HostName\r
2ca74e1a
WJ
550 )\r
551{\r
7c342378
MK
552 TLS_CONNECTION *TlsConn;\r
553 X509_VERIFY_PARAM *VerifyParam;\r
554 UINTN BinaryAddressSize;\r
555 UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];\r
556 INTN ParamStatus;\r
557\r
558 TlsConn = (TLS_CONNECTION *)Tls;\r
559 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (HostName == NULL)) {\r
560 return EFI_INVALID_PARAMETER;\r
2ca74e1a
WJ
561 }\r
562\r
7c342378 563 SSL_set_hostflags (TlsConn->Ssl, Flags);\r
2ca74e1a 564\r
1e72b1fb
LE
565 VerifyParam = SSL_get0_param (TlsConn->Ssl);\r
566 ASSERT (VerifyParam != NULL);\r
567\r
568 BinaryAddressSize = 0;\r
569 if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {\r
570 BinaryAddressSize = NS_IN6ADDRSZ;\r
571 } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {\r
572 BinaryAddressSize = NS_INADDRSZ;\r
2ca74e1a
WJ
573 }\r
574\r
1e72b1fb 575 if (BinaryAddressSize > 0) {\r
7c342378
MK
576 DEBUG ((\r
577 DEBUG_VERBOSE,\r
578 "%a:%a: parsed \"%a\" as an IPv%c address "\r
579 "literal\n",\r
580 gEfiCallerBaseName,\r
581 __FUNCTION__,\r
582 HostName,\r
583 (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')\r
584 ));\r
585 ParamStatus = X509_VERIFY_PARAM_set1_ip (\r
586 VerifyParam,\r
587 BinaryAddress,\r
588 BinaryAddressSize\r
589 );\r
1e72b1fb
LE
590 } else {\r
591 ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);\r
592 }\r
593\r
594 return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;\r
2ca74e1a
WJ
595}\r
596\r
264702a0
HW
597/**\r
598 Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
599\r
600 This function sets a session ID to be used when the TLS/SSL connection is\r
601 to be established.\r
602\r
603 @param[in] Tls Pointer to the TLS object.\r
604 @param[in] SessionId Session ID data used for session resumption.\r
605 @param[in] SessionIdLen Length of Session ID in bytes.\r
606\r
607 @retval EFI_SUCCESS Session ID was set successfully.\r
608 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
609 @retval EFI_UNSUPPORTED No available session for ID setting.\r
610\r
611**/\r
612EFI_STATUS\r
613EFIAPI\r
614TlsSetSessionId (\r
7c342378
MK
615 IN VOID *Tls,\r
616 IN UINT8 *SessionId,\r
617 IN UINT16 SessionIdLen\r
264702a0
HW
618 )\r
619{\r
620 TLS_CONNECTION *TlsConn;\r
621 SSL_SESSION *Session;\r
622\r
7c342378 623 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
624 Session = NULL;\r
625\r
7c342378 626 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL)) {\r
264702a0
HW
627 return EFI_INVALID_PARAMETER;\r
628 }\r
629\r
630 Session = SSL_get_session (TlsConn->Ssl);\r
631 if (Session == NULL) {\r
632 return EFI_UNSUPPORTED;\r
633 }\r
634\r
635 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);\r
636\r
637 return EFI_SUCCESS;\r
638}\r
639\r
640/**\r
641 Adds the CA to the cert store when requesting Server or Client authentication.\r
642\r
643 This function adds the CA certificate to the list of CAs when requesting\r
644 Server or Client authentication for the chosen TLS connection.\r
645\r
646 @param[in] Tls Pointer to the TLS object.\r
647 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
648 X.509 certificate or PEM-encoded X.509 certificate.\r
649 @param[in] DataSize The size of data buffer in bytes.\r
650\r
651 @retval EFI_SUCCESS The operation succeeded.\r
652 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
653 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
654 @retval EFI_ABORTED Invalid X.509 certificate.\r
655\r
656**/\r
657EFI_STATUS\r
658EFIAPI\r
659TlsSetCaCertificate (\r
7c342378
MK
660 IN VOID *Tls,\r
661 IN VOID *Data,\r
662 IN UINTN DataSize\r
264702a0
HW
663 )\r
664{\r
665 BIO *BioCert;\r
666 X509 *Cert;\r
667 X509_STORE *X509Store;\r
668 EFI_STATUS Status;\r
669 TLS_CONNECTION *TlsConn;\r
670 SSL_CTX *SslCtx;\r
671 INTN Ret;\r
672 UINTN ErrorCode;\r
673\r
674 BioCert = NULL;\r
675 Cert = NULL;\r
676 X509Store = NULL;\r
677 Status = EFI_SUCCESS;\r
7c342378 678 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
679 Ret = 0;\r
680\r
7c342378 681 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {\r
264702a0
HW
682 return EFI_INVALID_PARAMETER;\r
683 }\r
684\r
685 //\r
686 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
687 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
688 //\r
7c342378 689 Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);\r
264702a0
HW
690 if (Cert == NULL) {\r
691 //\r
692 // Certificate is from PEM encoding.\r
693 //\r
694 BioCert = BIO_new (BIO_s_mem ());\r
695 if (BioCert == NULL) {\r
696 Status = EFI_OUT_OF_RESOURCES;\r
697 goto ON_EXIT;\r
698 }\r
699\r
7c342378 700 if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {\r
264702a0
HW
701 Status = EFI_ABORTED;\r
702 goto ON_EXIT;\r
703 }\r
704\r
705 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
706 if (Cert == NULL) {\r
707 Status = EFI_ABORTED;\r
708 goto ON_EXIT;\r
709 }\r
710 }\r
711\r
712 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
713 X509Store = SSL_CTX_get_cert_store (SslCtx);\r
714 if (X509Store == NULL) {\r
7c342378
MK
715 Status = EFI_ABORTED;\r
716 goto ON_EXIT;\r
264702a0
HW
717 }\r
718\r
719 //\r
720 // Add certificate to X509 store\r
721 //\r
722 Ret = X509_STORE_add_cert (X509Store, Cert);\r
723 if (Ret != 1) {\r
724 ErrorCode = ERR_peek_last_error ();\r
725 //\r
726 // Ignore "already in table" errors\r
727 //\r
7c342378
MK
728 if (!((ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT) &&\r
729 (ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)))\r
730 {\r
264702a0
HW
731 Status = EFI_ABORTED;\r
732 goto ON_EXIT;\r
733 }\r
734 }\r
735\r
736ON_EXIT:\r
737 if (BioCert != NULL) {\r
738 BIO_free (BioCert);\r
739 }\r
740\r
741 if (Cert != NULL) {\r
742 X509_free (Cert);\r
743 }\r
744\r
745 return Status;\r
746}\r
747\r
748/**\r
749 Loads the local public certificate into the specified TLS object.\r
750\r
751 This function loads the X.509 certificate into the specified TLS object\r
752 for TLS negotiation.\r
753\r
754 @param[in] Tls Pointer to the TLS object.\r
755 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
756 X.509 certificate or PEM-encoded X.509 certificate.\r
757 @param[in] DataSize The size of data buffer in bytes.\r
758\r
759 @retval EFI_SUCCESS The operation succeeded.\r
760 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
761 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
762 @retval EFI_ABORTED Invalid X.509 certificate.\r
763\r
764**/\r
765EFI_STATUS\r
766EFIAPI\r
767TlsSetHostPublicCert (\r
7c342378
MK
768 IN VOID *Tls,\r
769 IN VOID *Data,\r
770 IN UINTN DataSize\r
264702a0
HW
771 )\r
772{\r
773 BIO *BioCert;\r
774 X509 *Cert;\r
775 EFI_STATUS Status;\r
776 TLS_CONNECTION *TlsConn;\r
777\r
778 BioCert = NULL;\r
779 Cert = NULL;\r
780 Status = EFI_SUCCESS;\r
7c342378 781 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0 782\r
7c342378 783 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {\r
264702a0
HW
784 return EFI_INVALID_PARAMETER;\r
785 }\r
786\r
787 //\r
788 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
789 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
790 //\r
7c342378 791 Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);\r
264702a0
HW
792 if (Cert == NULL) {\r
793 //\r
794 // Certificate is from PEM encoding.\r
795 //\r
796 BioCert = BIO_new (BIO_s_mem ());\r
797 if (BioCert == NULL) {\r
798 Status = EFI_OUT_OF_RESOURCES;\r
799 goto ON_EXIT;\r
800 }\r
801\r
7c342378 802 if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {\r
264702a0
HW
803 Status = EFI_ABORTED;\r
804 goto ON_EXIT;\r
805 }\r
806\r
807 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
808 if (Cert == NULL) {\r
809 Status = EFI_ABORTED;\r
810 goto ON_EXIT;\r
811 }\r
812 }\r
813\r
814 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {\r
815 Status = EFI_ABORTED;\r
816 goto ON_EXIT;\r
817 }\r
818\r
819ON_EXIT:\r
820 if (BioCert != NULL) {\r
821 BIO_free (BioCert);\r
822 }\r
823\r
824 if (Cert != NULL) {\r
825 X509_free (Cert);\r
826 }\r
827\r
828 return Status;\r
829}\r
830\r
831/**\r
832 Adds the local private key to the specified TLS object.\r
833\r
834 This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
835 key) into the specified TLS object for TLS negotiation.\r
836\r
837 @param[in] Tls Pointer to the TLS object.\r
838 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
839 or PKCS#8 private key.\r
840 @param[in] DataSize The size of data buffer in bytes.\r
841\r
842 @retval EFI_SUCCESS The operation succeeded.\r
843 @retval EFI_UNSUPPORTED This function is not supported.\r
844 @retval EFI_ABORTED Invalid private key data.\r
845\r
846**/\r
847EFI_STATUS\r
848EFIAPI\r
849TlsSetHostPrivateKey (\r
7c342378
MK
850 IN VOID *Tls,\r
851 IN VOID *Data,\r
852 IN UINTN DataSize\r
264702a0
HW
853 )\r
854{\r
855 return EFI_UNSUPPORTED;\r
856}\r
857\r
858/**\r
859 Adds the CA-supplied certificate revocation list for certificate validation.\r
860\r
861 This function adds the CA-supplied certificate revocation list data for\r
862 certificate validity checking.\r
863\r
864 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r
865 @param[in] DataSize The size of data buffer in bytes.\r
866\r
867 @retval EFI_SUCCESS The operation succeeded.\r
868 @retval EFI_UNSUPPORTED This function is not supported.\r
869 @retval EFI_ABORTED Invalid CRL data.\r
870\r
871**/\r
872EFI_STATUS\r
873EFIAPI\r
874TlsSetCertRevocationList (\r
7c342378
MK
875 IN VOID *Data,\r
876 IN UINTN DataSize\r
264702a0
HW
877 )\r
878{\r
879 return EFI_UNSUPPORTED;\r
880}\r
881\r
882/**\r
883 Gets the protocol version used by the specified TLS connection.\r
884\r
885 This function returns the protocol version used by the specified TLS\r
886 connection.\r
887\r
9c14f76b
JW
888 If Tls is NULL, then ASSERT().\r
889\r
264702a0
HW
890 @param[in] Tls Pointer to the TLS object.\r
891\r
892 @return The protocol version of the specified TLS connection.\r
893\r
894**/\r
895UINT16\r
896EFIAPI\r
897TlsGetVersion (\r
7c342378 898 IN VOID *Tls\r
264702a0
HW
899 )\r
900{\r
901 TLS_CONNECTION *TlsConn;\r
902\r
7c342378 903 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
904\r
905 ASSERT (TlsConn != NULL);\r
906\r
907 return (UINT16)(SSL_version (TlsConn->Ssl));\r
908}\r
909\r
910/**\r
911 Gets the connection end of the specified TLS connection.\r
912\r
913 This function returns the connection end (as client or as server) used by\r
914 the specified TLS connection.\r
915\r
9c14f76b
JW
916 If Tls is NULL, then ASSERT().\r
917\r
264702a0
HW
918 @param[in] Tls Pointer to the TLS object.\r
919\r
920 @return The connection end used by the specified TLS connection.\r
921\r
922**/\r
923UINT8\r
924EFIAPI\r
925TlsGetConnectionEnd (\r
7c342378 926 IN VOID *Tls\r
264702a0
HW
927 )\r
928{\r
929 TLS_CONNECTION *TlsConn;\r
930\r
7c342378 931 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
932\r
933 ASSERT (TlsConn != NULL);\r
934\r
935 return (UINT8)SSL_is_server (TlsConn->Ssl);\r
936}\r
937\r
938/**\r
939 Gets the cipher suite used by the specified TLS connection.\r
940\r
941 This function returns current cipher suite used by the specified\r
942 TLS connection.\r
943\r
944 @param[in] Tls Pointer to the TLS object.\r
945 @param[in,out] CipherId The cipher suite used by the TLS object.\r
946\r
947 @retval EFI_SUCCESS The cipher suite was returned successfully.\r
948 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
949 @retval EFI_UNSUPPORTED Unsupported cipher suite.\r
950\r
951**/\r
952EFI_STATUS\r
953EFIAPI\r
954TlsGetCurrentCipher (\r
7c342378
MK
955 IN VOID *Tls,\r
956 IN OUT UINT16 *CipherId\r
264702a0
HW
957 )\r
958{\r
959 TLS_CONNECTION *TlsConn;\r
960 CONST SSL_CIPHER *Cipher;\r
961\r
7c342378 962 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
963 Cipher = NULL;\r
964\r
7c342378 965 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {\r
264702a0
HW
966 return EFI_INVALID_PARAMETER;\r
967 }\r
968\r
969 Cipher = SSL_get_current_cipher (TlsConn->Ssl);\r
970 if (Cipher == NULL) {\r
971 return EFI_UNSUPPORTED;\r
972 }\r
973\r
974 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;\r
975\r
976 return EFI_SUCCESS;\r
977}\r
978\r
979/**\r
980 Gets the compression methods used by the specified TLS connection.\r
981\r
982 This function returns current integrated compression methods used by\r
983 the specified TLS connection.\r
984\r
985 @param[in] Tls Pointer to the TLS object.\r
986 @param[in,out] CompressionId The current compression method used by\r
987 the TLS object.\r
988\r
989 @retval EFI_SUCCESS The compression method was returned successfully.\r
990 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
991 @retval EFI_ABORTED Invalid Compression method.\r
992 @retval EFI_UNSUPPORTED This function is not supported.\r
993\r
994**/\r
995EFI_STATUS\r
996EFIAPI\r
997TlsGetCurrentCompressionId (\r
7c342378
MK
998 IN VOID *Tls,\r
999 IN OUT UINT8 *CompressionId\r
264702a0
HW
1000 )\r
1001{\r
1002 return EFI_UNSUPPORTED;\r
1003}\r
1004\r
1005/**\r
1006 Gets the verification mode currently set in the TLS connection.\r
1007\r
1008 This function returns the peer verification mode currently set in the\r
1009 specified TLS connection.\r
1010\r
9c14f76b
JW
1011 If Tls is NULL, then ASSERT().\r
1012\r
264702a0
HW
1013 @param[in] Tls Pointer to the TLS object.\r
1014\r
1015 @return The verification mode set in the specified TLS connection.\r
1016\r
1017**/\r
1018UINT32\r
1019EFIAPI\r
1020TlsGetVerify (\r
7c342378 1021 IN VOID *Tls\r
264702a0
HW
1022 )\r
1023{\r
1024 TLS_CONNECTION *TlsConn;\r
1025\r
7c342378 1026 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
1027\r
1028 ASSERT (TlsConn != NULL);\r
1029\r
1030 return SSL_get_verify_mode (TlsConn->Ssl);\r
1031}\r
1032\r
1033/**\r
1034 Gets the session ID used by the specified TLS connection.\r
1035\r
1036 This function returns the TLS/SSL session ID currently used by the\r
1037 specified TLS connection.\r
1038\r
1039 @param[in] Tls Pointer to the TLS object.\r
1040 @param[in,out] SessionId Buffer to contain the returned session ID.\r
1041 @param[in,out] SessionIdLen The length of Session ID in bytes.\r
1042\r
1043 @retval EFI_SUCCESS The Session ID was returned successfully.\r
1044 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
1045 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
1046\r
1047**/\r
1048EFI_STATUS\r
1049EFIAPI\r
1050TlsGetSessionId (\r
7c342378
MK
1051 IN VOID *Tls,\r
1052 IN OUT UINT8 *SessionId,\r
1053 IN OUT UINT16 *SessionIdLen\r
264702a0
HW
1054 )\r
1055{\r
1056 TLS_CONNECTION *TlsConn;\r
1057 SSL_SESSION *Session;\r
1058 CONST UINT8 *SslSessionId;\r
1059\r
7c342378 1060 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
1061 Session = NULL;\r
1062\r
7c342378 1063 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL) || (SessionIdLen == NULL)) {\r
264702a0
HW
1064 return EFI_INVALID_PARAMETER;\r
1065 }\r
1066\r
1067 Session = SSL_get_session (TlsConn->Ssl);\r
1068 if (Session == NULL) {\r
1069 return EFI_UNSUPPORTED;\r
1070 }\r
1071\r
1072 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);\r
1073 CopyMem (SessionId, SslSessionId, *SessionIdLen);\r
1074\r
1075 return EFI_SUCCESS;\r
1076}\r
1077\r
1078/**\r
1079 Gets the client random data used in the specified TLS connection.\r
1080\r
1081 This function returns the TLS/SSL client random data currently used in\r
1082 the specified TLS connection.\r
1083\r
1084 @param[in] Tls Pointer to the TLS object.\r
1085 @param[in,out] ClientRandom Buffer to contain the returned client\r
1086 random data (32 bytes).\r
1087\r
1088**/\r
1089VOID\r
1090EFIAPI\r
1091TlsGetClientRandom (\r
7c342378
MK
1092 IN VOID *Tls,\r
1093 IN OUT UINT8 *ClientRandom\r
264702a0
HW
1094 )\r
1095{\r
1096 TLS_CONNECTION *TlsConn;\r
1097\r
7c342378 1098 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0 1099\r
7c342378 1100 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ClientRandom == NULL)) {\r
264702a0
HW
1101 return;\r
1102 }\r
1103\r
1104 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);\r
1105}\r
1106\r
1107/**\r
1108 Gets the server random data used in the specified TLS connection.\r
1109\r
1110 This function returns the TLS/SSL server random data currently used in\r
1111 the specified TLS connection.\r
1112\r
1113 @param[in] Tls Pointer to the TLS object.\r
1114 @param[in,out] ServerRandom Buffer to contain the returned server\r
1115 random data (32 bytes).\r
1116\r
1117**/\r
1118VOID\r
1119EFIAPI\r
1120TlsGetServerRandom (\r
7c342378
MK
1121 IN VOID *Tls,\r
1122 IN OUT UINT8 *ServerRandom\r
264702a0
HW
1123 )\r
1124{\r
1125 TLS_CONNECTION *TlsConn;\r
1126\r
7c342378 1127 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0 1128\r
7c342378 1129 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ServerRandom == NULL)) {\r
264702a0
HW
1130 return;\r
1131 }\r
1132\r
1133 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);\r
1134}\r
1135\r
1136/**\r
1137 Gets the master key data used in the specified TLS connection.\r
1138\r
1139 This function returns the TLS/SSL master key material currently used in\r
1140 the specified TLS connection.\r
1141\r
1142 @param[in] Tls Pointer to the TLS object.\r
1143 @param[in,out] KeyMaterial Buffer to contain the returned key material.\r
1144\r
1145 @retval EFI_SUCCESS Key material was returned successfully.\r
1146 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
1147 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
1148\r
1149**/\r
1150EFI_STATUS\r
1151EFIAPI\r
1152TlsGetKeyMaterial (\r
7c342378
MK
1153 IN VOID *Tls,\r
1154 IN OUT UINT8 *KeyMaterial\r
264702a0
HW
1155 )\r
1156{\r
1157 TLS_CONNECTION *TlsConn;\r
1158 SSL_SESSION *Session;\r
1159\r
7c342378 1160 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0
HW
1161 Session = NULL;\r
1162\r
7c342378 1163 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (KeyMaterial == NULL)) {\r
264702a0
HW
1164 return EFI_INVALID_PARAMETER;\r
1165 }\r
1166\r
1167 Session = SSL_get_session (TlsConn->Ssl);\r
1168\r
1169 if (Session == NULL) {\r
1170 return EFI_UNSUPPORTED;\r
1171 }\r
1172\r
1173 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);\r
1174\r
1175 return EFI_SUCCESS;\r
1176}\r
1177\r
1178/**\r
1179 Gets the CA Certificate from the cert store.\r
1180\r
1181 This function returns the CA certificate for the chosen\r
1182 TLS connection.\r
1183\r
1184 @param[in] Tls Pointer to the TLS object.\r
1185 @param[out] Data Pointer to the data buffer to receive the CA\r
1186 certificate data sent to the client.\r
1187 @param[in,out] DataSize The size of data buffer in bytes.\r
1188\r
1189 @retval EFI_SUCCESS The operation succeeded.\r
1190 @retval EFI_UNSUPPORTED This function is not supported.\r
1191 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1192\r
1193**/\r
1194EFI_STATUS\r
1195EFIAPI\r
1196TlsGetCaCertificate (\r
7c342378
MK
1197 IN VOID *Tls,\r
1198 OUT VOID *Data,\r
1199 IN OUT UINTN *DataSize\r
264702a0
HW
1200 )\r
1201{\r
1202 return EFI_UNSUPPORTED;\r
1203}\r
1204\r
1205/**\r
1206 Gets the local public Certificate set in the specified TLS object.\r
1207\r
1208 This function returns the local public certificate which was currently set\r
1209 in the specified TLS object.\r
1210\r
1211 @param[in] Tls Pointer to the TLS object.\r
1212 @param[out] Data Pointer to the data buffer to receive the local\r
1213 public certificate.\r
1214 @param[in,out] DataSize The size of data buffer in bytes.\r
1215\r
1216 @retval EFI_SUCCESS The operation succeeded.\r
1217 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
1218 @retval EFI_NOT_FOUND The certificate is not found.\r
1219 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1220\r
1221**/\r
1222EFI_STATUS\r
1223EFIAPI\r
1224TlsGetHostPublicCert (\r
7c342378
MK
1225 IN VOID *Tls,\r
1226 OUT VOID *Data,\r
1227 IN OUT UINTN *DataSize\r
264702a0
HW
1228 )\r
1229{\r
1230 X509 *Cert;\r
1231 TLS_CONNECTION *TlsConn;\r
1232\r
1233 Cert = NULL;\r
7c342378 1234 TlsConn = (TLS_CONNECTION *)Tls;\r
264702a0 1235\r
7c342378 1236 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (DataSize == NULL) || ((*DataSize != 0) && (Data == NULL))) {\r
264702a0
HW
1237 return EFI_INVALID_PARAMETER;\r
1238 }\r
1239\r
7c342378 1240 Cert = SSL_get_certificate (TlsConn->Ssl);\r
264702a0
HW
1241 if (Cert == NULL) {\r
1242 return EFI_NOT_FOUND;\r
1243 }\r
1244\r
1245 //\r
1246 // Only DER encoding is supported currently.\r
1247 //\r
7c342378
MK
1248 if (*DataSize < (UINTN)i2d_X509 (Cert, NULL)) {\r
1249 *DataSize = (UINTN)i2d_X509 (Cert, NULL);\r
264702a0
HW
1250 return EFI_BUFFER_TOO_SMALL;\r
1251 }\r
1252\r
7c342378 1253 *DataSize = (UINTN)i2d_X509 (Cert, (unsigned char **)&Data);\r
264702a0
HW
1254\r
1255 return EFI_SUCCESS;\r
1256}\r
1257\r
1258/**\r
1259 Gets the local private key set in the specified TLS object.\r
1260\r
1261 This function returns the local private key data which was currently set\r
1262 in the specified TLS object.\r
1263\r
1264 @param[in] Tls Pointer to the TLS object.\r
1265 @param[out] Data Pointer to the data buffer to receive the local\r
1266 private key data.\r
1267 @param[in,out] DataSize The size of data buffer in bytes.\r
1268\r
1269 @retval EFI_SUCCESS The operation succeeded.\r
1270 @retval EFI_UNSUPPORTED This function is not supported.\r
1271 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1272\r
1273**/\r
1274EFI_STATUS\r
1275EFIAPI\r
1276TlsGetHostPrivateKey (\r
7c342378
MK
1277 IN VOID *Tls,\r
1278 OUT VOID *Data,\r
1279 IN OUT UINTN *DataSize\r
264702a0
HW
1280 )\r
1281{\r
1282 return EFI_UNSUPPORTED;\r
1283}\r
1284\r
1285/**\r
1286 Gets the CA-supplied certificate revocation list data set in the specified\r
1287 TLS object.\r
1288\r
1289 This function returns the CA-supplied certificate revocation list data which\r
1290 was currently set in the specified TLS object.\r
1291\r
1292 @param[out] Data Pointer to the data buffer to receive the CRL data.\r
1293 @param[in,out] DataSize The size of data buffer in bytes.\r
1294\r
1295 @retval EFI_SUCCESS The operation succeeded.\r
1296 @retval EFI_UNSUPPORTED This function is not supported.\r
1297 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1298\r
1299**/\r
1300EFI_STATUS\r
1301EFIAPI\r
1302TlsGetCertRevocationList (\r
7c342378
MK
1303 OUT VOID *Data,\r
1304 IN OUT UINTN *DataSize\r
264702a0
HW
1305 )\r
1306{\r
1307 return EFI_UNSUPPORTED;\r
1308}\r