CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
CommitLineData
264702a0
HW
1/** @file\r
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r
3\r
4Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
5(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
6This program and the accompanying materials\r
7are licensed and made available under the terms and conditions of the BSD License\r
8which accompanies this distribution. The full text of the license may be found at\r
9http://opensource.org/licenses/bsd-license.php\r
10\r
11THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
12WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
13\r
14**/\r
15\r
16#include "InternalTlsLib.h"\r
17\r
18typedef struct {\r
19 //\r
20 // IANA/IETF defined Cipher Suite ID\r
21 //\r
22 UINT16 IanaCipher;\r
23 //\r
24 // OpenSSL-used Cipher Suite String\r
25 //\r
26 CONST CHAR8 *OpensslCipher;\r
96015d5f
LE
27 //\r
28 // Length of OpensslCipher\r
29 //\r
30 UINTN OpensslCipherLength;\r
ecfd37ba 31} TLS_CIPHER_MAPPING;\r
264702a0 32\r
96015d5f
LE
33//\r
34// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so\r
35// that OpensslCipherLength is filled in automatically. IanaCipher must be an\r
36// integer constant expression, and OpensslCipher must be a string literal.\r
37//\r
38#define MAP(IanaCipher, OpensslCipher) \\r
39 { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }\r
40\r
264702a0
HW
41//\r
42// The mapping table between IANA/IETF Cipher Suite definitions and\r
43// OpenSSL-used Cipher Suite name.\r
44//\r
5eadb54e
LE
45// Keep the table uniquely sorted by the IanaCipher field, in increasing order.\r
46//\r
ecfd37ba 47STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r
96015d5f
LE
48 MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5\r
49 MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA\r
50 MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5\r
51 MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA\r
52 MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
53 MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
54 MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
55 MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
56 MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
57 MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
58 MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA\r
59 MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
60 MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
61 MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
62 MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256\r
63 MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
64 MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
65 MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
66 MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
67 MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
68 MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
69 MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
70 MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
264702a0
HW
71};\r
72\r
73/**\r
ecfd37ba 74 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.\r
264702a0
HW
75\r
76 @param[in] CipherId The supplied IANA TLS cipher suite ID.\r
77\r
ecfd37ba 78 @return The corresponding OpenSSL cipher suite mapping if found,\r
264702a0
HW
79 NULL otherwise.\r
80\r
81**/\r
82STATIC\r
ecfd37ba
LE
83CONST TLS_CIPHER_MAPPING *\r
84TlsGetCipherMapping (\r
264702a0
HW
85 IN UINT16 CipherId\r
86 )\r
87{\r
5eadb54e
LE
88 INTN Left;\r
89 INTN Right;\r
90 INTN Middle;\r
264702a0
HW
91\r
92 //\r
5eadb54e 93 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r
264702a0 94 //\r
5eadb54e
LE
95 Left = 0;\r
96 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;\r
97\r
98 while (Right >= Left) {\r
99 Middle = (Left + Right) / 2;\r
100\r
101 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {\r
102 //\r
103 // Translate IANA cipher suite ID to OpenSSL name.\r
104 //\r
105 return &TlsCipherMappingTable[Middle];\r
106 }\r
107\r
108 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {\r
109 Right = Middle - 1;\r
110 } else {\r
111 Left = Middle + 1;\r
264702a0
HW
112 }\r
113 }\r
114\r
115 //\r
116 // No Cipher Mapping found, return NULL.\r
117 //\r
118 return NULL;\r
119}\r
120\r
121/**\r
122 Set a new TLS/SSL method for a particular TLS object.\r
123\r
124 This function sets a new TLS/SSL method for a particular TLS object.\r
125\r
126 @param[in] Tls Pointer to a TLS object.\r
127 @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
128 @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
129\r
130 @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r
131 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
132 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r
133\r
134**/\r
135EFI_STATUS\r
136EFIAPI\r
137TlsSetVersion (\r
138 IN VOID *Tls,\r
139 IN UINT8 MajorVer,\r
140 IN UINT8 MinorVer\r
141 )\r
142{\r
143 TLS_CONNECTION *TlsConn;\r
144 UINT16 ProtoVersion;\r
145\r
146 TlsConn = (TLS_CONNECTION *)Tls;\r
147 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
148 return EFI_INVALID_PARAMETER;\r
149 }\r
150\r
151 ProtoVersion = (MajorVer << 8) | MinorVer;\r
152\r
153 //\r
154 // Bound TLS method to the particular specified version.\r
155 //\r
156 switch (ProtoVersion) {\r
157 case TLS1_VERSION:\r
158 //\r
159 // TLS 1.0\r
160 //\r
161 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
162 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
163 break;\r
164 case TLS1_1_VERSION:\r
165 //\r
166 // TLS 1.1\r
167 //\r
168 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
169 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
170 break;\r
171 case TLS1_2_VERSION:\r
172 //\r
173 // TLS 1.2\r
174 //\r
175 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
176 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
177 break;\r
178 default:\r
179 //\r
180 // Unsupported Protocol Version\r
181 //\r
182 return EFI_UNSUPPORTED;\r
183 }\r
184\r
185 return EFI_SUCCESS;;\r
186}\r
187\r
188/**\r
189 Set TLS object to work in client or server mode.\r
190\r
191 This function prepares a TLS object to work in client or server mode.\r
192\r
193 @param[in] Tls Pointer to a TLS object.\r
194 @param[in] IsServer Work in server mode.\r
195\r
196 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r
197 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
198 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r
199\r
200**/\r
201EFI_STATUS\r
202EFIAPI\r
203TlsSetConnectionEnd (\r
204 IN VOID *Tls,\r
205 IN BOOLEAN IsServer\r
206 )\r
207{\r
208 TLS_CONNECTION *TlsConn;\r
209\r
210 TlsConn = (TLS_CONNECTION *) Tls;\r
211 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
212 return EFI_INVALID_PARAMETER;\r
213 }\r
214\r
215 if (!IsServer) {\r
216 //\r
217 // Set TLS to work in Client mode.\r
218 //\r
219 SSL_set_connect_state (TlsConn->Ssl);\r
220 } else {\r
221 //\r
222 // Set TLS to work in Server mode.\r
223 // It is unsupported for UEFI version currently.\r
224 //\r
225 //SSL_set_accept_state (TlsConn->Ssl);\r
226 return EFI_UNSUPPORTED;\r
227 }\r
228\r
229 return EFI_SUCCESS;\r
230}\r
231\r
232/**\r
233 Set the ciphers list to be used by the TLS object.\r
234\r
235 This function sets the ciphers for use by a specified TLS object.\r
236\r
237 @param[in] Tls Pointer to a TLS object.\r
238 @param[in] CipherId Pointer to a UINT16 cipher Id.\r
239 @param[in] CipherNum The number of cipher in the list.\r
240\r
241 @retval EFI_SUCCESS The ciphers list was set successfully.\r
242 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
243 @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.\r
244\r
245**/\r
246EFI_STATUS\r
247EFIAPI\r
248TlsSetCipherList (\r
249 IN VOID *Tls,\r
250 IN UINT16 *CipherId,\r
251 IN UINTN CipherNum\r
252 )\r
253{\r
ecfd37ba
LE
254 TLS_CONNECTION *TlsConn;\r
255 UINTN Index;\r
256 CONST TLS_CIPHER_MAPPING *Mapping;\r
257 CONST CHAR8 *MappingName;\r
258 CHAR8 CipherString[500];\r
264702a0
HW
259\r
260 TlsConn = (TLS_CONNECTION *) Tls;\r
261 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
262 return EFI_INVALID_PARAMETER;\r
263 }\r
264\r
ecfd37ba 265 Mapping = NULL;\r
264702a0
HW
266 MappingName = NULL;\r
267\r
268 memset (CipherString, 0, sizeof (CipherString));\r
269\r
270 for (Index = 0; Index < CipherNum; Index++) {\r
271 //\r
272 // Handling OpenSSL / RFC Cipher name mapping.\r
273 //\r
ecfd37ba
LE
274 Mapping = TlsGetCipherMapping (*(CipherId + Index));\r
275 if (Mapping == NULL) {\r
264702a0
HW
276 return EFI_UNSUPPORTED;\r
277 }\r
ecfd37ba 278 MappingName = Mapping->OpensslCipher;\r
264702a0
HW
279\r
280 if (Index != 0) {\r
281 //\r
282 // The ciphers were separated by a colon.\r
283 //\r
284 AsciiStrCatS (CipherString, sizeof (CipherString), ":");\r
285 }\r
286\r
287 AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);\r
288 }\r
289\r
290 AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");\r
291\r
292 //\r
293 // Sets the ciphers for use by the Tls object.\r
294 //\r
295 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {\r
296 return EFI_UNSUPPORTED;\r
297 }\r
298\r
299 return EFI_SUCCESS;\r
300}\r
301\r
302/**\r
303 Set the compression method for TLS/SSL operations.\r
304\r
305 This function handles TLS/SSL integrated compression methods.\r
306\r
307 @param[in] CompMethod The compression method ID.\r
308\r
309 @retval EFI_SUCCESS The compression method for the communication was\r
310 set successfully.\r
311 @retval EFI_UNSUPPORTED Unsupported compression method.\r
312\r
313**/\r
314EFI_STATUS\r
315EFIAPI\r
316TlsSetCompressionMethod (\r
317 IN UINT8 CompMethod\r
318 )\r
319{\r
320 COMP_METHOD *Cm;\r
321 INTN Ret;\r
322\r
323 Cm = NULL;\r
324 Ret = 0;\r
325\r
326 if (CompMethod == 0) {\r
327 //\r
328 // TLS defines one standard compression method, CompressionMethod.null (0),\r
329 // which specifies that data exchanged via the record protocol will not be compressed.\r
330 // So, return EFI_SUCCESS directly (RFC 3749).\r
331 //\r
332 return EFI_SUCCESS;\r
333 } else if (CompMethod == 1) {\r
334 Cm = COMP_zlib();\r
335 } else {\r
336 return EFI_UNSUPPORTED;\r
337 }\r
338\r
339 //\r
340 // Adds the compression method to the list of available\r
341 // compression methods.\r
342 //\r
343 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);\r
344 if (Ret != 0) {\r
345 return EFI_UNSUPPORTED;\r
346 }\r
347\r
348 return EFI_SUCCESS;\r
349}\r
350\r
351/**\r
352 Set peer certificate verification mode for the TLS connection.\r
353\r
354 This function sets the verification mode flags for the TLS connection.\r
355\r
356 @param[in] Tls Pointer to the TLS object.\r
357 @param[in] VerifyMode A set of logically or'ed verification mode flags.\r
358\r
359**/\r
360VOID\r
361EFIAPI\r
362TlsSetVerify (\r
363 IN VOID *Tls,\r
364 IN UINT32 VerifyMode\r
365 )\r
366{\r
367 TLS_CONNECTION *TlsConn;\r
368\r
369 TlsConn = (TLS_CONNECTION *) Tls;\r
370 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
371 return;\r
372 }\r
373\r
374 //\r
375 // Set peer certificate verification parameters with NULL callback.\r
376 //\r
377 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r
378}\r
379\r
380/**\r
381 Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
382\r
383 This function sets a session ID to be used when the TLS/SSL connection is\r
384 to be established.\r
385\r
386 @param[in] Tls Pointer to the TLS object.\r
387 @param[in] SessionId Session ID data used for session resumption.\r
388 @param[in] SessionIdLen Length of Session ID in bytes.\r
389\r
390 @retval EFI_SUCCESS Session ID was set successfully.\r
391 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
392 @retval EFI_UNSUPPORTED No available session for ID setting.\r
393\r
394**/\r
395EFI_STATUS\r
396EFIAPI\r
397TlsSetSessionId (\r
398 IN VOID *Tls,\r
399 IN UINT8 *SessionId,\r
400 IN UINT16 SessionIdLen\r
401 )\r
402{\r
403 TLS_CONNECTION *TlsConn;\r
404 SSL_SESSION *Session;\r
405\r
406 TlsConn = (TLS_CONNECTION *) Tls;\r
407 Session = NULL;\r
408\r
409 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {\r
410 return EFI_INVALID_PARAMETER;\r
411 }\r
412\r
413 Session = SSL_get_session (TlsConn->Ssl);\r
414 if (Session == NULL) {\r
415 return EFI_UNSUPPORTED;\r
416 }\r
417\r
418 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);\r
419\r
420 return EFI_SUCCESS;\r
421}\r
422\r
423/**\r
424 Adds the CA to the cert store when requesting Server or Client authentication.\r
425\r
426 This function adds the CA certificate to the list of CAs when requesting\r
427 Server or Client authentication for the chosen TLS connection.\r
428\r
429 @param[in] Tls Pointer to the TLS object.\r
430 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
431 X.509 certificate or PEM-encoded X.509 certificate.\r
432 @param[in] DataSize The size of data buffer in bytes.\r
433\r
434 @retval EFI_SUCCESS The operation succeeded.\r
435 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
436 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
437 @retval EFI_ABORTED Invalid X.509 certificate.\r
438\r
439**/\r
440EFI_STATUS\r
441EFIAPI\r
442TlsSetCaCertificate (\r
443 IN VOID *Tls,\r
444 IN VOID *Data,\r
445 IN UINTN DataSize\r
446 )\r
447{\r
448 BIO *BioCert;\r
449 X509 *Cert;\r
450 X509_STORE *X509Store;\r
451 EFI_STATUS Status;\r
452 TLS_CONNECTION *TlsConn;\r
453 SSL_CTX *SslCtx;\r
454 INTN Ret;\r
455 UINTN ErrorCode;\r
456\r
457 BioCert = NULL;\r
458 Cert = NULL;\r
459 X509Store = NULL;\r
460 Status = EFI_SUCCESS;\r
461 TlsConn = (TLS_CONNECTION *) Tls;\r
462 Ret = 0;\r
463\r
464 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
465 return EFI_INVALID_PARAMETER;\r
466 }\r
467\r
468 //\r
469 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
470 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
471 //\r
472 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
473 if (Cert == NULL) {\r
474 //\r
475 // Certificate is from PEM encoding.\r
476 //\r
477 BioCert = BIO_new (BIO_s_mem ());\r
478 if (BioCert == NULL) {\r
479 Status = EFI_OUT_OF_RESOURCES;\r
480 goto ON_EXIT;\r
481 }\r
482\r
483 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
484 Status = EFI_ABORTED;\r
485 goto ON_EXIT;\r
486 }\r
487\r
488 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
489 if (Cert == NULL) {\r
490 Status = EFI_ABORTED;\r
491 goto ON_EXIT;\r
492 }\r
493 }\r
494\r
495 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
496 X509Store = SSL_CTX_get_cert_store (SslCtx);\r
497 if (X509Store == NULL) {\r
498 Status = EFI_ABORTED;\r
499 goto ON_EXIT;\r
500 }\r
501\r
502 //\r
503 // Add certificate to X509 store\r
504 //\r
505 Ret = X509_STORE_add_cert (X509Store, Cert);\r
506 if (Ret != 1) {\r
507 ErrorCode = ERR_peek_last_error ();\r
508 //\r
509 // Ignore "already in table" errors\r
510 //\r
511 if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&\r
512 ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {\r
513 Status = EFI_ABORTED;\r
514 goto ON_EXIT;\r
515 }\r
516 }\r
517\r
518ON_EXIT:\r
519 if (BioCert != NULL) {\r
520 BIO_free (BioCert);\r
521 }\r
522\r
523 if (Cert != NULL) {\r
524 X509_free (Cert);\r
525 }\r
526\r
527 return Status;\r
528}\r
529\r
530/**\r
531 Loads the local public certificate into the specified TLS object.\r
532\r
533 This function loads the X.509 certificate into the specified TLS object\r
534 for TLS negotiation.\r
535\r
536 @param[in] Tls Pointer to the TLS object.\r
537 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
538 X.509 certificate or PEM-encoded X.509 certificate.\r
539 @param[in] DataSize The size of data buffer in bytes.\r
540\r
541 @retval EFI_SUCCESS The operation succeeded.\r
542 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
543 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
544 @retval EFI_ABORTED Invalid X.509 certificate.\r
545\r
546**/\r
547EFI_STATUS\r
548EFIAPI\r
549TlsSetHostPublicCert (\r
550 IN VOID *Tls,\r
551 IN VOID *Data,\r
552 IN UINTN DataSize\r
553 )\r
554{\r
555 BIO *BioCert;\r
556 X509 *Cert;\r
557 EFI_STATUS Status;\r
558 TLS_CONNECTION *TlsConn;\r
559\r
560 BioCert = NULL;\r
561 Cert = NULL;\r
562 Status = EFI_SUCCESS;\r
563 TlsConn = (TLS_CONNECTION *) Tls;\r
564\r
565 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
566 return EFI_INVALID_PARAMETER;\r
567 }\r
568\r
569 //\r
570 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
571 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
572 //\r
573 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
574 if (Cert == NULL) {\r
575 //\r
576 // Certificate is from PEM encoding.\r
577 //\r
578 BioCert = BIO_new (BIO_s_mem ());\r
579 if (BioCert == NULL) {\r
580 Status = EFI_OUT_OF_RESOURCES;\r
581 goto ON_EXIT;\r
582 }\r
583\r
584 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
585 Status = EFI_ABORTED;\r
586 goto ON_EXIT;\r
587 }\r
588\r
589 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
590 if (Cert == NULL) {\r
591 Status = EFI_ABORTED;\r
592 goto ON_EXIT;\r
593 }\r
594 }\r
595\r
596 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {\r
597 Status = EFI_ABORTED;\r
598 goto ON_EXIT;\r
599 }\r
600\r
601ON_EXIT:\r
602 if (BioCert != NULL) {\r
603 BIO_free (BioCert);\r
604 }\r
605\r
606 if (Cert != NULL) {\r
607 X509_free (Cert);\r
608 }\r
609\r
610 return Status;\r
611}\r
612\r
613/**\r
614 Adds the local private key to the specified TLS object.\r
615\r
616 This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
617 key) into the specified TLS object for TLS negotiation.\r
618\r
619 @param[in] Tls Pointer to the TLS object.\r
620 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
621 or PKCS#8 private key.\r
622 @param[in] DataSize The size of data buffer in bytes.\r
623\r
624 @retval EFI_SUCCESS The operation succeeded.\r
625 @retval EFI_UNSUPPORTED This function is not supported.\r
626 @retval EFI_ABORTED Invalid private key data.\r
627\r
628**/\r
629EFI_STATUS\r
630EFIAPI\r
631TlsSetHostPrivateKey (\r
632 IN VOID *Tls,\r
633 IN VOID *Data,\r
634 IN UINTN DataSize\r
635 )\r
636{\r
637 return EFI_UNSUPPORTED;\r
638}\r
639\r
640/**\r
641 Adds the CA-supplied certificate revocation list for certificate validation.\r
642\r
643 This function adds the CA-supplied certificate revocation list data for\r
644 certificate validity checking.\r
645\r
646 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r
647 @param[in] DataSize The size of data buffer in bytes.\r
648\r
649 @retval EFI_SUCCESS The operation succeeded.\r
650 @retval EFI_UNSUPPORTED This function is not supported.\r
651 @retval EFI_ABORTED Invalid CRL data.\r
652\r
653**/\r
654EFI_STATUS\r
655EFIAPI\r
656TlsSetCertRevocationList (\r
657 IN VOID *Data,\r
658 IN UINTN DataSize\r
659 )\r
660{\r
661 return EFI_UNSUPPORTED;\r
662}\r
663\r
664/**\r
665 Gets the protocol version used by the specified TLS connection.\r
666\r
667 This function returns the protocol version used by the specified TLS\r
668 connection.\r
669\r
9c14f76b
JW
670 If Tls is NULL, then ASSERT().\r
671\r
264702a0
HW
672 @param[in] Tls Pointer to the TLS object.\r
673\r
674 @return The protocol version of the specified TLS connection.\r
675\r
676**/\r
677UINT16\r
678EFIAPI\r
679TlsGetVersion (\r
680 IN VOID *Tls\r
681 )\r
682{\r
683 TLS_CONNECTION *TlsConn;\r
684\r
685 TlsConn = (TLS_CONNECTION *) Tls;\r
686\r
687 ASSERT (TlsConn != NULL);\r
688\r
689 return (UINT16)(SSL_version (TlsConn->Ssl));\r
690}\r
691\r
692/**\r
693 Gets the connection end of the specified TLS connection.\r
694\r
695 This function returns the connection end (as client or as server) used by\r
696 the specified TLS connection.\r
697\r
9c14f76b
JW
698 If Tls is NULL, then ASSERT().\r
699\r
264702a0
HW
700 @param[in] Tls Pointer to the TLS object.\r
701\r
702 @return The connection end used by the specified TLS connection.\r
703\r
704**/\r
705UINT8\r
706EFIAPI\r
707TlsGetConnectionEnd (\r
708 IN VOID *Tls\r
709 )\r
710{\r
711 TLS_CONNECTION *TlsConn;\r
712\r
713 TlsConn = (TLS_CONNECTION *) Tls;\r
714\r
715 ASSERT (TlsConn != NULL);\r
716\r
717 return (UINT8)SSL_is_server (TlsConn->Ssl);\r
718}\r
719\r
720/**\r
721 Gets the cipher suite used by the specified TLS connection.\r
722\r
723 This function returns current cipher suite used by the specified\r
724 TLS connection.\r
725\r
726 @param[in] Tls Pointer to the TLS object.\r
727 @param[in,out] CipherId The cipher suite used by the TLS object.\r
728\r
729 @retval EFI_SUCCESS The cipher suite was returned successfully.\r
730 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
731 @retval EFI_UNSUPPORTED Unsupported cipher suite.\r
732\r
733**/\r
734EFI_STATUS\r
735EFIAPI\r
736TlsGetCurrentCipher (\r
737 IN VOID *Tls,\r
738 IN OUT UINT16 *CipherId\r
739 )\r
740{\r
741 TLS_CONNECTION *TlsConn;\r
742 CONST SSL_CIPHER *Cipher;\r
743\r
744 TlsConn = (TLS_CONNECTION *) Tls;\r
745 Cipher = NULL;\r
746\r
747 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
748 return EFI_INVALID_PARAMETER;\r
749 }\r
750\r
751 Cipher = SSL_get_current_cipher (TlsConn->Ssl);\r
752 if (Cipher == NULL) {\r
753 return EFI_UNSUPPORTED;\r
754 }\r
755\r
756 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;\r
757\r
758 return EFI_SUCCESS;\r
759}\r
760\r
761/**\r
762 Gets the compression methods used by the specified TLS connection.\r
763\r
764 This function returns current integrated compression methods used by\r
765 the specified TLS connection.\r
766\r
767 @param[in] Tls Pointer to the TLS object.\r
768 @param[in,out] CompressionId The current compression method used by\r
769 the TLS object.\r
770\r
771 @retval EFI_SUCCESS The compression method was returned successfully.\r
772 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
773 @retval EFI_ABORTED Invalid Compression method.\r
774 @retval EFI_UNSUPPORTED This function is not supported.\r
775\r
776**/\r
777EFI_STATUS\r
778EFIAPI\r
779TlsGetCurrentCompressionId (\r
780 IN VOID *Tls,\r
781 IN OUT UINT8 *CompressionId\r
782 )\r
783{\r
784 return EFI_UNSUPPORTED;\r
785}\r
786\r
787/**\r
788 Gets the verification mode currently set in the TLS connection.\r
789\r
790 This function returns the peer verification mode currently set in the\r
791 specified TLS connection.\r
792\r
9c14f76b
JW
793 If Tls is NULL, then ASSERT().\r
794\r
264702a0
HW
795 @param[in] Tls Pointer to the TLS object.\r
796\r
797 @return The verification mode set in the specified TLS connection.\r
798\r
799**/\r
800UINT32\r
801EFIAPI\r
802TlsGetVerify (\r
803 IN VOID *Tls\r
804 )\r
805{\r
806 TLS_CONNECTION *TlsConn;\r
807\r
808 TlsConn = (TLS_CONNECTION *) Tls;\r
809\r
810 ASSERT (TlsConn != NULL);\r
811\r
812 return SSL_get_verify_mode (TlsConn->Ssl);\r
813}\r
814\r
815/**\r
816 Gets the session ID used by the specified TLS connection.\r
817\r
818 This function returns the TLS/SSL session ID currently used by the\r
819 specified TLS connection.\r
820\r
821 @param[in] Tls Pointer to the TLS object.\r
822 @param[in,out] SessionId Buffer to contain the returned session ID.\r
823 @param[in,out] SessionIdLen The length of Session ID in bytes.\r
824\r
825 @retval EFI_SUCCESS The Session ID was returned successfully.\r
826 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
827 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
828\r
829**/\r
830EFI_STATUS\r
831EFIAPI\r
832TlsGetSessionId (\r
833 IN VOID *Tls,\r
834 IN OUT UINT8 *SessionId,\r
835 IN OUT UINT16 *SessionIdLen\r
836 )\r
837{\r
838 TLS_CONNECTION *TlsConn;\r
839 SSL_SESSION *Session;\r
840 CONST UINT8 *SslSessionId;\r
841\r
842 TlsConn = (TLS_CONNECTION *) Tls;\r
843 Session = NULL;\r
844\r
845 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {\r
846 return EFI_INVALID_PARAMETER;\r
847 }\r
848\r
849 Session = SSL_get_session (TlsConn->Ssl);\r
850 if (Session == NULL) {\r
851 return EFI_UNSUPPORTED;\r
852 }\r
853\r
854 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);\r
855 CopyMem (SessionId, SslSessionId, *SessionIdLen);\r
856\r
857 return EFI_SUCCESS;\r
858}\r
859\r
860/**\r
861 Gets the client random data used in the specified TLS connection.\r
862\r
863 This function returns the TLS/SSL client random data currently used in\r
864 the specified TLS connection.\r
865\r
866 @param[in] Tls Pointer to the TLS object.\r
867 @param[in,out] ClientRandom Buffer to contain the returned client\r
868 random data (32 bytes).\r
869\r
870**/\r
871VOID\r
872EFIAPI\r
873TlsGetClientRandom (\r
874 IN VOID *Tls,\r
875 IN OUT UINT8 *ClientRandom\r
876 )\r
877{\r
878 TLS_CONNECTION *TlsConn;\r
879\r
880 TlsConn = (TLS_CONNECTION *) Tls;\r
881\r
882 if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {\r
883 return;\r
884 }\r
885\r
886 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);\r
887}\r
888\r
889/**\r
890 Gets the server random data used in the specified TLS connection.\r
891\r
892 This function returns the TLS/SSL server random data currently used in\r
893 the specified TLS connection.\r
894\r
895 @param[in] Tls Pointer to the TLS object.\r
896 @param[in,out] ServerRandom Buffer to contain the returned server\r
897 random data (32 bytes).\r
898\r
899**/\r
900VOID\r
901EFIAPI\r
902TlsGetServerRandom (\r
903 IN VOID *Tls,\r
904 IN OUT UINT8 *ServerRandom\r
905 )\r
906{\r
907 TLS_CONNECTION *TlsConn;\r
908\r
909 TlsConn = (TLS_CONNECTION *) Tls;\r
910\r
911 if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {\r
912 return;\r
913 }\r
914\r
915 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);\r
916}\r
917\r
918/**\r
919 Gets the master key data used in the specified TLS connection.\r
920\r
921 This function returns the TLS/SSL master key material currently used in\r
922 the specified TLS connection.\r
923\r
924 @param[in] Tls Pointer to the TLS object.\r
925 @param[in,out] KeyMaterial Buffer to contain the returned key material.\r
926\r
927 @retval EFI_SUCCESS Key material was returned successfully.\r
928 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
929 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
930\r
931**/\r
932EFI_STATUS\r
933EFIAPI\r
934TlsGetKeyMaterial (\r
935 IN VOID *Tls,\r
936 IN OUT UINT8 *KeyMaterial\r
937 )\r
938{\r
939 TLS_CONNECTION *TlsConn;\r
940 SSL_SESSION *Session;\r
941\r
942 TlsConn = (TLS_CONNECTION *) Tls;\r
943 Session = NULL;\r
944\r
945 if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {\r
946 return EFI_INVALID_PARAMETER;\r
947 }\r
948\r
949 Session = SSL_get_session (TlsConn->Ssl);\r
950\r
951 if (Session == NULL) {\r
952 return EFI_UNSUPPORTED;\r
953 }\r
954\r
955 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);\r
956\r
957 return EFI_SUCCESS;\r
958}\r
959\r
960/**\r
961 Gets the CA Certificate from the cert store.\r
962\r
963 This function returns the CA certificate for the chosen\r
964 TLS connection.\r
965\r
966 @param[in] Tls Pointer to the TLS object.\r
967 @param[out] Data Pointer to the data buffer to receive the CA\r
968 certificate data sent to the client.\r
969 @param[in,out] DataSize The size of data buffer in bytes.\r
970\r
971 @retval EFI_SUCCESS The operation succeeded.\r
972 @retval EFI_UNSUPPORTED This function is not supported.\r
973 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
974\r
975**/\r
976EFI_STATUS\r
977EFIAPI\r
978TlsGetCaCertificate (\r
979 IN VOID *Tls,\r
980 OUT VOID *Data,\r
981 IN OUT UINTN *DataSize\r
982 )\r
983{\r
984 return EFI_UNSUPPORTED;\r
985}\r
986\r
987/**\r
988 Gets the local public Certificate set in the specified TLS object.\r
989\r
990 This function returns the local public certificate which was currently set\r
991 in the specified TLS object.\r
992\r
993 @param[in] Tls Pointer to the TLS object.\r
994 @param[out] Data Pointer to the data buffer to receive the local\r
995 public certificate.\r
996 @param[in,out] DataSize The size of data buffer in bytes.\r
997\r
998 @retval EFI_SUCCESS The operation succeeded.\r
999 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
1000 @retval EFI_NOT_FOUND The certificate is not found.\r
1001 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1002\r
1003**/\r
1004EFI_STATUS\r
1005EFIAPI\r
1006TlsGetHostPublicCert (\r
1007 IN VOID *Tls,\r
1008 OUT VOID *Data,\r
1009 IN OUT UINTN *DataSize\r
1010 )\r
1011{\r
1012 X509 *Cert;\r
1013 TLS_CONNECTION *TlsConn;\r
1014\r
1015 Cert = NULL;\r
1016 TlsConn = (TLS_CONNECTION *) Tls;\r
1017\r
9c14f76b 1018 if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {\r
264702a0
HW
1019 return EFI_INVALID_PARAMETER;\r
1020 }\r
1021\r
1022 Cert = SSL_get_certificate(TlsConn->Ssl);\r
1023 if (Cert == NULL) {\r
1024 return EFI_NOT_FOUND;\r
1025 }\r
1026\r
1027 //\r
1028 // Only DER encoding is supported currently.\r
1029 //\r
1030 if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {\r
1031 *DataSize = (UINTN) i2d_X509 (Cert, NULL);\r
1032 return EFI_BUFFER_TOO_SMALL;\r
1033 }\r
1034\r
1035 *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);\r
1036\r
1037 return EFI_SUCCESS;\r
1038}\r
1039\r
1040/**\r
1041 Gets the local private key set in the specified TLS object.\r
1042\r
1043 This function returns the local private key data which was currently set\r
1044 in the specified TLS object.\r
1045\r
1046 @param[in] Tls Pointer to the TLS object.\r
1047 @param[out] Data Pointer to the data buffer to receive the local\r
1048 private key data.\r
1049 @param[in,out] DataSize The size of data buffer in bytes.\r
1050\r
1051 @retval EFI_SUCCESS The operation succeeded.\r
1052 @retval EFI_UNSUPPORTED This function is not supported.\r
1053 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1054\r
1055**/\r
1056EFI_STATUS\r
1057EFIAPI\r
1058TlsGetHostPrivateKey (\r
1059 IN VOID *Tls,\r
1060 OUT VOID *Data,\r
1061 IN OUT UINTN *DataSize\r
1062 )\r
1063{\r
1064 return EFI_UNSUPPORTED;\r
1065}\r
1066\r
1067/**\r
1068 Gets the CA-supplied certificate revocation list data set in the specified\r
1069 TLS object.\r
1070\r
1071 This function returns the CA-supplied certificate revocation list data which\r
1072 was currently set in the specified TLS object.\r
1073\r
1074 @param[out] Data Pointer to the data buffer to receive the CRL data.\r
1075 @param[in,out] DataSize The size of data buffer in bytes.\r
1076\r
1077 @retval EFI_SUCCESS The operation succeeded.\r
1078 @retval EFI_UNSUPPORTED This function is not supported.\r
1079 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1080\r
1081**/\r
1082EFI_STATUS\r
1083EFIAPI\r
1084TlsGetCertRevocationList (\r
1085 OUT VOID *Data,\r
1086 IN OUT UINTN *DataSize\r
1087 )\r
1088{\r
1089 return EFI_UNSUPPORTED;\r
1090}\r
1091\r