[mirror_edk2.git] / MdePkg / Include / Protocol / Tls.h

/** @file\r
  EFI TLS Protocols as defined in UEFI 2.5.\r
\r
  The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers\r
  to create and destroy child of the driver to communicate with other host using\r
  TLS protocol.\r
  The EFI TLS Protocol provides the ability to manage TLS session.\r
\r
  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
  @par Revision Reference:\r
  This Protocol is introduced in UEFI Specification 2.5\r
\r
**/\r
\r
#ifndef __EFI_TLS_PROTOCOL_H__\r
#define __EFI_TLS_PROTOCOL_H__\r
\r
///\r
/// The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to\r
/// create and destroy child of the driver to communicate with other host using TLS\r
/// protocol.\r
///\r
#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID \\r
  { \\r
    0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \\r
  }\r
\r
///\r
/// The EFI TLS protocol provides the ability to manage TLS session.\r
///\r
#define EFI_TLS_PROTOCOL_GUID \\r
  { \\r
    0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \\r
  }\r
\r
typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;\r
\r
///\r
/// EFI_TLS_SESSION_DATA_TYPE\r
///\r
typedef enum {\r
  ///\r
  /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.\r
  ///\r
  EfiTlsVersion,\r
  ///\r
  /// TLS session as client or as server. The corresponding Data is of\r
  /// EFI_TLS_CONNECTION_END.\r
  ///\r
  EfiTlsConnectionEnd,\r
  ///\r
  /// A priority list of preferred algorithms for the TLS session.\r
  /// The corresponding Data is a list of EFI_TLS_CIPHER.\r
  ///\r
  EfiTlsCipherList,\r
  ///\r
  /// TLS session compression method.\r
  /// The corresponding Data is of type EFI_TLS_COMPRESSION.\r
  ///\r
  EfiTlsCompressionMethod,\r
  ///\r
  /// TLS session extension data.\r
  /// The corresponding Data is a list of type EFI_TLS_EXTENSION .\r
  ///\r
  EfiTlsExtensionData,\r
  ///\r
  /// TLS session verify method.\r
  /// The corresponding Data is of type EFI_TLS_VERIFY.\r
  ///\r
  EfiTlsVerifyMethod,\r
  ///\r
  /// TLS session data session ID.\r
  /// For SetSessionData(), it is TLS session ID used for session resumption.\r
  /// For GetSessionData(), it is the TLS session ID used for current session.\r
  /// The corresponding Data is of type EFI_TLS_SESSION_ID.\r
  ///\r
  EfiTlsSessionID,\r
  ///\r
  /// TLS session data session state.\r
  /// The corresponding Data is of type EFI_TLS_SESSION_STATE.\r
  ///\r
  EfiTlsSessionState,\r
  ///\r
  /// TLS session data client random.\r
  /// The corresponding Data is of type EFI_TLS_RANDOM.\r
  ///\r
  EfiTlsClientRandom,\r
  ///\r
  /// TLS session data server random.\r
  /// The corresponding Data is of type EFI_TLS_RANDOM.\r
  ///\r
  EfiTlsServerRandom,\r
  ///\r
  /// TLS session data key material.\r
  /// The corresponding Data is of type EFI_TLS_MASTER_SECRET.\r
  ///\r
  EfiTlsKeyMaterial,\r
  ///\r
  /// TLS session hostname for validation which is used to verify whether the name\r
  /// within the peer certificate matches a given host name.\r
  /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.\r
  /// The corresponding Data is of type EFI_TLS_VERIFY_HOST.\r
  ///\r
  EfiTlsVerifyHost,\r
\r
  EfiTlsSessionDataTypeMaximum\r
} EFI_TLS_SESSION_DATA_TYPE;\r
\r
///\r
/// EFI_TLS_VERSION\r
/// Note: The TLS version definition is from SSL3.0 to the latest TLS (e.g. 1.2).\r
///       SSL2.0 is obsolete and should not be used.\r
///\r
typedef struct {\r
  UINT8    Major;\r
  UINT8    Minor;\r
} EFI_TLS_VERSION;\r
\r
///\r
/// EFI_TLS_CONNECTION_END to define TLS session as client or server.\r
///\r
typedef enum {\r
  EfiTlsClient,\r
  EfiTlsServer,\r
} EFI_TLS_CONNECTION_END;\r
\r
///\r
/// EFI_TLS_CIPHER\r
/// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A.4.1.\r
///       Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher\r
///       Suite Registry of IANA.\r
///\r
#pragma pack (1)\r
typedef struct {\r
  UINT8    Data1;\r
  UINT8    Data2;\r
} EFI_TLS_CIPHER;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_COMPRESSION\r
/// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".\r
///\r
typedef UINT8 EFI_TLS_COMPRESSION;\r
\r
///\r
/// EFI_TLS_EXTENSION\r
/// Note: The definition of EFI_TLS_EXTENSION if from "RFC 5246 A.4.1.\r
///       Hello Messages".\r
///\r
#pragma pack (1)\r
typedef struct {\r
  UINT16    ExtensionType;\r
  UINT16    Length;\r
  UINT8     Data[1];\r
} EFI_TLS_EXTENSION;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_VERIFY\r
/// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options\r
/// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.\r
///\r
typedef UINT32 EFI_TLS_VERIFY;\r
///\r
/// No certificates will be sent or the TLS/SSL handshake will be continued regardless\r
/// of the certificate verification result.\r
///\r
#define EFI_TLS_VERIFY_NONE  0x0\r
///\r
/// The TLS/SSL handshake is immediately terminated with an alert message containing\r
/// the reason for the certificate verification failure.\r
///\r
#define EFI_TLS_VERIFY_PEER  0x1\r
///\r
/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.\r
/// TLS session will fail if client certificate is absent.\r
///\r
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT  0x2\r
///\r
/// TLS session only verify client once, and doesn't request certificate during\r
/// re-negotiation.\r
///\r
#define EFI_TLS_VERIFY_CLIENT_ONCE  0x4\r
\r
///\r
/// EFI_TLS_VERIFY_HOST_FLAG\r
///\r
typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;\r
///\r
/// There is no additional flags set for hostname validation.\r
/// Wildcards are supported and they match only in the left-most label.\r
///\r
#define EFI_TLS_VERIFY_FLAG_NONE  0x00\r
///\r
/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the\r
/// certificate contains Subject Alternative Name (SAN).\r
///\r
#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT  0x01\r
///\r
/// Disable the match of all wildcards.\r
///\r
#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS  0x02\r
///\r
/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").\r
///\r
#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS  0x04\r
///\r
/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.\r
///\r
#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS  0x08\r
///\r
/// Restrict to only match direct child sub-domains which start with ".".\r
/// For example, a name of ".example.com" would match "www.example.com" with this flag,\r
/// but would not match "www.sub.example.com".\r
///\r
#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS  0x10\r
///\r
/// Never check the Subject Distinguished Name (DN) even there is no\r
/// Subject Alternative Name (SAN) in the certificate.\r
///\r
#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT  0x20\r
\r
///\r
/// EFI_TLS_VERIFY_HOST\r
///\r
#pragma pack (1)\r
typedef struct {\r
  EFI_TLS_VERIFY_HOST_FLAG    Flags;\r
  CHAR8                       *HostName;\r
} EFI_TLS_VERIFY_HOST;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_RANDOM\r
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.\r
///       Hello Messages".\r
///\r
#pragma pack (1)\r
typedef struct {\r
  UINT32    GmtUnixTime;\r
  UINT8     RandomBytes[28];\r
} EFI_TLS_RANDOM;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_MASTER_SECRET\r
/// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1.\r
///       Computing the Master Secret".\r
///\r
#pragma pack (1)\r
typedef struct {\r
  UINT8    Data[48];\r
} EFI_TLS_MASTER_SECRET;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_SESSION_ID\r
/// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".\r
///\r
#define MAX_TLS_SESSION_ID_LENGTH  32\r
#pragma pack (1)\r
typedef struct {\r
  UINT16    Length;\r
  UINT8     Data[MAX_TLS_SESSION_ID_LENGTH];\r
} EFI_TLS_SESSION_ID;\r
#pragma pack ()\r
\r
///\r
/// EFI_TLS_SESSION_STATE\r
///\r
typedef enum {\r
  ///\r
  /// When a new child of TLS protocol is created, the initial state of TLS session\r
  /// is EfiTlsSessionNotStarted.\r
  ///\r
  EfiTlsSessionNotStarted,\r
  ///\r
  /// The consumer can call BuildResponsePacket() with NULL to get ClientHello to\r
  /// start the TLS session. Then the status is EfiTlsSessionHandShaking.\r
  ///\r
  EfiTlsSessionHandShaking,\r
  ///\r
  /// During handshake, the consumer need call BuildResponsePacket() with input\r
  /// data from peer, then get response packet and send to peer. After handshake\r
  /// finish, the TLS session status becomes EfiTlsSessionDataTransferring, and\r
  /// consumer can use ProcessPacket() for data transferring.\r
  ///\r
  EfiTlsSessionDataTransferring,\r
  ///\r
  /// Finally, if consumer wants to active close TLS session, consumer need\r
  /// call SetSessionData to set TLS session state to EfiTlsSessionClosing, and\r
  /// call BuildResponsePacket() with NULL to get CloseNotify alert message,\r
  /// and sent it out.\r
  ///\r
  EfiTlsSessionClosing,\r
  ///\r
  /// If any error happen during parsing ApplicationData content type, EFI_ABORT\r
  /// will be returned by ProcessPacket(), and TLS session state will become\r
  /// EfiTlsSessionError. Then consumer need call BuildResponsePacket() with\r
  /// NULL to get alert message and sent it out.\r
  ///\r
  EfiTlsSessionError,\r
\r
  EfiTlsSessionStateMaximum\r
} EFI_TLS_SESSION_STATE;\r
\r
///\r
/// EFI_TLS_FRAGMENT_DATA\r
///\r
typedef struct {\r
  ///\r
  /// Length of data buffer in the fragment.\r
  ///\r
  UINT32    FragmentLength;\r
  ///\r
  /// Pointer to the data buffer in the fragment.\r
  ///\r
  VOID      *FragmentBuffer;\r
} EFI_TLS_FRAGMENT_DATA;\r
\r
///\r
/// EFI_TLS_CRYPT_MODE\r
///\r
typedef enum {\r
  ///\r
  /// Encrypt data provided in the fragment buffers.\r
  ///\r
  EfiTlsEncrypt,\r
  ///\r
  /// Decrypt data provided in the fragment buffers.\r
  ///\r
  EfiTlsDecrypt,\r
} EFI_TLS_CRYPT_MODE;\r
\r
/**\r
  Set TLS session data.\r
\r
  The SetSessionData() function set data for a new TLS session. All session data should\r
  be set before BuildResponsePacket() invoked.\r
\r
  @param[in]  This                Pointer to the EFI_TLS_PROTOCOL instance.\r
  @param[in]  DataType            TLS session data type.\r
  @param[in]  Data                Pointer to session data.\r
  @param[in]  DataSize            Total size of session data.\r
\r
  @retval EFI_SUCCESS             The TLS session data is set successfully.\r
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:\r
                                  This is NULL.\r
                                  Data is NULL.\r
                                  DataSize is 0.\r
  @retval EFI_UNSUPPORTED         The DataType is unsupported.\r
  @retval EFI_ACCESS_DENIED       If the DataType is one of below:\r
                                  EfiTlsClientRandom\r
                                  EfiTlsServerRandom\r
                                  EfiTlsKeyMaterial\r
  @retval EFI_NOT_READY           Current TLS session state is NOT\r
                                  EfiTlsSessionStateNotStarted.\r
  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be allocated.\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_TLS_SET_SESSION_DATA)(\r
  IN EFI_TLS_PROTOCOL                *This,\r
  IN EFI_TLS_SESSION_DATA_TYPE       DataType,\r
  IN VOID                            *Data,\r
  IN UINTN                           DataSize\r
  );\r
\r
/**\r
  Get TLS session data.\r
\r
  The GetSessionData() function return the TLS session information.\r
\r
  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.\r
  @param[in]       DataType       TLS session data type.\r
  @param[in, out]  Data           Pointer to session data.\r
  @param[in, out]  DataSize       Total size of session data. On input, it means\r
                                  the size of Data buffer. On output, it means the size\r
                                  of copied Data buffer if EFI_SUCCESS, and means the\r
                                  size of desired Data buffer if EFI_BUFFER_TOO_SMALL.\r
\r
  @retval EFI_SUCCESS             The TLS session data is got successfully.\r
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:\r
                                  This is NULL.\r
                                  DataSize is NULL.\r
                                  Data is NULL if *DataSize is not zero.\r
  @retval EFI_UNSUPPORTED         The DataType is unsupported.\r
  @retval EFI_NOT_FOUND           The TLS session data is not found.\r
  @retval EFI_NOT_READY           The DataType is not ready in current session state.\r
  @retval EFI_BUFFER_TOO_SMALL    The buffer is too small to hold the data.\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_TLS_GET_SESSION_DATA)(\r
  IN EFI_TLS_PROTOCOL                *This,\r
  IN EFI_TLS_SESSION_DATA_TYPE       DataType,\r
  IN OUT VOID                        *Data   OPTIONAL,\r
  IN OUT UINTN                       *DataSize\r
  );\r
\r
/**\r
  Build response packet according to TLS state machine. This function is only valid for\r
  alert, handshake and change_cipher_spec content type.\r
\r
  The BuildResponsePacket() function builds TLS response packet in response to the TLS\r
  request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and\r
  RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session\r
  will be initiated and the response packet needs to be ClientHello. If RequestBuffer is\r
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS\r
  session will be closed and response packet needs to be CloseNotify. If RequestBuffer is\r
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS\r
  session has errors and the response packet needs to be Alert message based on error\r
  type.\r
\r
  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.\r
  @param[in]       RequestBuffer  Pointer to the most recently received TLS packet. NULL\r
                                  means TLS need initiate the TLS session and response\r
                                  packet need to be ClientHello.\r
  @param[in]       RequestSize    Packet size in bytes for the most recently received TLS\r
                                  packet. 0 is only valid when RequestBuffer is NULL.\r
  @param[out]      Buffer         Pointer to the buffer to hold the built packet.\r
  @param[in, out]  BufferSize     Pointer to the buffer size in bytes. On input, it is\r
                                  the buffer size provided by the caller. On output, it\r
                                  is the buffer size in fact needed to contain the\r
                                  packet.\r
\r
  @retval EFI_SUCCESS             The required TLS packet is built successfully.\r
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:\r
                                  This is NULL.\r
                                  RequestBuffer is NULL but RequestSize is NOT 0.\r
                                  RequestSize is 0 but RequestBuffer is NOT NULL.\r
                                  BufferSize is NULL.\r
                                  Buffer is NULL if *BufferSize is not zero.\r
  @retval EFI_BUFFER_TOO_SMALL    BufferSize is too small to hold the response packet.\r
  @retval EFI_NOT_READY           Current TLS session state is NOT ready to build\r
                                  ResponsePacket.\r
  @retval EFI_ABORTED             Something wrong build response packet.\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_TLS_BUILD_RESPONSE_PACKET)(\r
  IN EFI_TLS_PROTOCOL                *This,\r
  IN UINT8                           *RequestBuffer  OPTIONAL,\r
  IN UINTN                           RequestSize  OPTIONAL,\r
  OUT UINT8                          *Buffer  OPTIONAL,\r
  IN OUT UINTN                       *BufferSize\r
  );\r
\r
/**\r
  Decrypt or encrypt TLS packet during session. This function is only valid after\r
  session connected and for application_data content type.\r
\r
  The ProcessPacket () function process each inbound or outbound TLS APP packet.\r
\r
  @param[in]       This           Pointer to the EFI_TLS_PROTOCOL instance.\r
  @param[in, out]  FragmentTable  Pointer to a list of fragment. The caller will take\r
                                  responsible to handle the original FragmentTable while\r
                                  it may be reallocated in TLS driver. If CryptMode is\r
                                  EfiTlsEncrypt, on input these fragments contain the TLS\r
                                  header and plain text TLS APP payload; on output these\r
                                  fragments contain the TLS header and cipher text TLS\r
                                  APP payload. If CryptMode is EfiTlsDecrypt, on input\r
                                  these fragments contain the TLS header and cipher text\r
                                  TLS APP payload; on output these fragments contain the\r
                                  TLS header and plain text TLS APP payload.\r
  @param[in]       FragmentCount  Number of fragment.\r
  @param[in]       CryptMode      Crypt mode.\r
\r
  @retval EFI_SUCCESS             The operation completed successfully.\r
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:\r
                                  This is NULL.\r
                                  FragmentTable is NULL.\r
                                  FragmentCount is NULL.\r
                                  CryptoMode is invalid.\r
  @retval EFI_NOT_READY           Current TLS session state is NOT\r
                                  EfiTlsSessionDataTransferring.\r
  @retval EFI_ABORTED             Something wrong decryption the message. TLS session\r
                                  status will become EfiTlsSessionError. The caller need\r
                                  call BuildResponsePacket() to generate Error Alert\r
                                  message and send it out.\r
  @retval EFI_OUT_OF_RESOURCES    No enough resource to finish the operation.\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_TLS_PROCESS_PACKET)(\r
  IN EFI_TLS_PROTOCOL                *This,\r
  IN OUT EFI_TLS_FRAGMENT_DATA       **FragmentTable,\r
  IN UINT32                          *FragmentCount,\r
  IN EFI_TLS_CRYPT_MODE              CryptMode\r
  );\r
\r
///\r
/// The EFI_TLS_PROTOCOL is used to create, destroy and manage TLS session.\r
/// For detail of TLS, please refer to TLS related RFC.\r
///\r
struct _EFI_TLS_PROTOCOL {\r
  EFI_TLS_SET_SESSION_DATA         SetSessionData;\r
  EFI_TLS_GET_SESSION_DATA         GetSessionData;\r
  EFI_TLS_BUILD_RESPONSE_PACKET    BuildResponsePacket;\r
  EFI_TLS_PROCESS_PACKET           ProcessPacket;\r
};\r
\r
extern EFI_GUID  gEfiTlsServiceBindingProtocolGuid;\r
extern EFI_GUID  gEfiTlsProtocolGuid;\r
\r
#endif // __EFI_TLS_PROTOCOL_H__\r
Commit	Line	Data
973f8862 HW	1	/** @file\r
	2	EFI TLS Protocols as defined in UEFI 2.5.\r
	3	\r
	4	The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers\r
	5	to create and destroy child of the driver to communicate with other host using\r
	6	TLS protocol.\r
	7	The EFI TLS Protocol provides the ability to manage TLS session.\r
	8	\r
	9	Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
9344f092	10	SPDX-License-Identifier: BSD-2-Clause-Patent\r
973f8862 HW	11	\r
	12	@par Revision Reference:\r
	13	This Protocol is introduced in UEFI Specification 2.5\r
	14	\r
	15	**/\r
	16	\r
	17	#ifndef __EFI_TLS_PROTOCOL_H__\r
	18	#define __EFI_TLS_PROTOCOL_H__\r
	19	\r
	20	///\r
	21	/// The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to\r
	22	/// create and destroy child of the driver to communicate with other host using TLS\r
	23	/// protocol.\r
	24	///\r
	25	#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID \\r
	26	{ \\r
	27	0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \\r
	28	}\r
	29	\r
	30	///\r
	31	/// The EFI TLS protocol provides the ability to manage TLS session.\r
	32	///\r
	33	#define EFI_TLS_PROTOCOL_GUID \\r
	34	{ \\r
	35	0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \\r
	36	}\r
	37	\r
	38	typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;\r
	39	\r
	40	///\r
	41	/// EFI_TLS_SESSION_DATA_TYPE\r
	42	///\r
	43	typedef enum {\r
973f8862 HW	44	///\r
	45	/// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.\r
	46	///\r
	47	EfiTlsVersion,\r
	48	///\r
	49	/// TLS session as client or as server. The corresponding Data is of\r
	50	/// EFI_TLS_CONNECTION_END.\r
	51	///\r
	52	EfiTlsConnectionEnd,\r
	53	///\r
	54	/// A priority list of preferred algorithms for the TLS session.\r
	55	/// The corresponding Data is a list of EFI_TLS_CIPHER.\r
	56	///\r
	57	EfiTlsCipherList,\r
	58	///\r
	59	/// TLS session compression method.\r
	60	/// The corresponding Data is of type EFI_TLS_COMPRESSION.\r
	61	///\r
	62	EfiTlsCompressionMethod,\r
	63	///\r
	64	/// TLS session extension data.\r
	65	/// The corresponding Data is a list of type EFI_TLS_EXTENSION .\r
	66	///\r
	67	EfiTlsExtensionData,\r
	68	///\r
	69	/// TLS session verify method.\r
	70	/// The corresponding Data is of type EFI_TLS_VERIFY.\r
	71	///\r
	72	EfiTlsVerifyMethod,\r
	73	///\r
	74	/// TLS session data session ID.\r
	75	/// For SetSessionData(), it is TLS session ID used for session resumption.\r
	76	/// For GetSessionData(), it is the TLS session ID used for current session.\r
	77	/// The corresponding Data is of type EFI_TLS_SESSION_ID.\r
	78	///\r
	79	EfiTlsSessionID,\r
	80	///\r
	81	/// TLS session data session state.\r
	82	/// The corresponding Data is of type EFI_TLS_SESSION_STATE.\r
	83	///\r
	84	EfiTlsSessionState,\r
973f8862 HW	85	///\r
	86	/// TLS session data client random.\r
	87	/// The corresponding Data is of type EFI_TLS_RANDOM.\r
	88	///\r
	89	EfiTlsClientRandom,\r
	90	///\r
	91	/// TLS session data server random.\r
	92	/// The corresponding Data is of type EFI_TLS_RANDOM.\r
	93	///\r
	94	EfiTlsServerRandom,\r
	95	///\r
	96	/// TLS session data key material.\r
	97	/// The corresponding Data is of type EFI_TLS_MASTER_SECRET.\r
	98	///\r
	99	EfiTlsKeyMaterial,\r
31efec82 WJ	100	///\r
	101	/// TLS session hostname for validation which is used to verify whether the name\r
	102	/// within the peer certificate matches a given host name.\r
	103	/// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.\r
	104	/// The corresponding Data is of type EFI_TLS_VERIFY_HOST.\r
	105	///\r
	106	EfiTlsVerifyHost,\r
973f8862 HW	107	\r
973f8862 HW	108	EfiTlsSessionDataTypeMaximum\r
973f8862 HW	109	} EFI_TLS_SESSION_DATA_TYPE;\r
	110	\r
	111	///\r
	112	/// EFI_TLS_VERSION\r
	113	/// Note: The TLS version definition is from SSL3.0 to the latest TLS (e.g. 1.2).\r
	114	/// SSL2.0 is obsolete and should not be used.\r
	115	///\r
	116	typedef struct {\r
2f88bd3a MK	117	UINT8 Major;\r
2f88bd3a MK	118	UINT8 Minor;\r
973f8862 HW	119	} EFI_TLS_VERSION;\r
	120	\r
	121	///\r
	122	/// EFI_TLS_CONNECTION_END to define TLS session as client or server.\r
	123	///\r
	124	typedef enum {\r
	125	EfiTlsClient,\r
	126	EfiTlsServer,\r
	127	} EFI_TLS_CONNECTION_END;\r
	128	\r
	129	///\r
	130	/// EFI_TLS_CIPHER\r
	131	/// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A.4.1.\r
	132	/// Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher\r
	133	/// Suite Registry of IANA.\r
	134	///\r
344d057a	135	#pragma pack (1)\r
973f8862	136	typedef struct {\r
2f88bd3a MK	137	UINT8 Data1;\r
2f88bd3a MK	138	UINT8 Data2;\r
973f8862	139	} EFI_TLS_CIPHER;\r
344d057a	140	#pragma pack ()\r
973f8862 HW	141	\r
	142	///\r
	143	/// EFI_TLS_COMPRESSION\r
	144	/// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".\r
	145	///\r
	146	typedef UINT8 EFI_TLS_COMPRESSION;\r
	147	\r
	148	///\r
	149	/// EFI_TLS_EXTENSION\r
	150	/// Note: The definition of EFI_TLS_EXTENSION if from "RFC 5246 A.4.1.\r
	151	/// Hello Messages".\r
	152	///\r
344d057a	153	#pragma pack (1)\r
973f8862	154	typedef struct {\r
2f88bd3a MK	155	UINT16 ExtensionType;\r
	156	UINT16 Length;\r
	157	UINT8 Data[1];\r
973f8862	158	} EFI_TLS_EXTENSION;\r
344d057a	159	#pragma pack ()\r
973f8862 HW	160	\r
	161	///\r
	162	/// EFI_TLS_VERIFY\r
	163	/// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options\r
	164	/// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.\r
	165	///\r
2f88bd3a	166	typedef UINT32 EFI_TLS_VERIFY;\r
973f8862 HW	167	///\r
	168	/// No certificates will be sent or the TLS/SSL handshake will be continued regardless\r
	169	/// of the certificate verification result.\r
	170	///\r
2f88bd3a	171	#define EFI_TLS_VERIFY_NONE 0x0\r
973f8862 HW	172	///\r
	173	/// The TLS/SSL handshake is immediately terminated with an alert message containing\r
	174	/// the reason for the certificate verification failure.\r
	175	///\r
2f88bd3a	176	#define EFI_TLS_VERIFY_PEER 0x1\r
973f8862	177	///\r
31efec82 WJ	178	/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.\r
31efec82 WJ	179	/// TLS session will fail if client certificate is absent.\r
973f8862 HW	180	///\r
	181	#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2\r
	182	///\r
	183	/// TLS session only verify client once, and doesn't request certificate during\r
	184	/// re-negotiation.\r
	185	///\r
2f88bd3a	186	#define EFI_TLS_VERIFY_CLIENT_ONCE 0x4\r
973f8862	187	\r
31efec82 WJ	188	///\r
	189	/// EFI_TLS_VERIFY_HOST_FLAG\r
	190	///\r
	191	typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;\r
	192	///\r
	193	/// There is no additional flags set for hostname validation.\r
	194	/// Wildcards are supported and they match only in the left-most label.\r
	195	///\r
2f88bd3a	196	#define EFI_TLS_VERIFY_FLAG_NONE 0x00\r
31efec82 WJ	197	///\r
	198	/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the\r
	199	/// certificate contains Subject Alternative Name (SAN).\r
	200	///\r
2f88bd3a	201	#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01\r
31efec82 WJ	202	///\r
	203	/// Disable the match of all wildcards.\r
	204	///\r
2f88bd3a	205	#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02\r
31efec82 WJ	206	///\r
	207	/// Disable the "" as wildcard in labels that have a prefix or suffix (e.g. "www" or "*www").\r
	208	///\r
2f88bd3a	209	#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04\r
31efec82 WJ	210	///\r
	211	/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.\r
	212	///\r
2f88bd3a	213	#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08\r
31efec82 WJ	214	///\r
	215	/// Restrict to only match direct child sub-domains which start with ".".\r
	216	/// For example, a name of ".example.com" would match "www.example.com" with this flag,\r
	217	/// but would not match "www.sub.example.com".\r
	218	///\r
2f88bd3a	219	#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10\r
31efec82 WJ	220	///\r
	221	/// Never check the Subject Distinguished Name (DN) even there is no\r
	222	/// Subject Alternative Name (SAN) in the certificate.\r
	223	///\r
2f88bd3a	224	#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20\r
31efec82 WJ	225	\r
	226	///\r
	227	/// EFI_TLS_VERIFY_HOST\r
	228	///\r
	229	#pragma pack (1)\r
	230	typedef struct {\r
2f88bd3a MK	231	EFI_TLS_VERIFY_HOST_FLAG Flags;\r
2f88bd3a MK	232	CHAR8 *HostName;\r
31efec82 WJ	233	} EFI_TLS_VERIFY_HOST;\r
	234	#pragma pack ()\r
	235	\r
973f8862 HW	236	///\r
	237	/// EFI_TLS_RANDOM\r
	238	/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.\r
	239	/// Hello Messages".\r
	240	///\r
344d057a	241	#pragma pack (1)\r
973f8862	242	typedef struct {\r
2f88bd3a MK	243	UINT32 GmtUnixTime;\r
2f88bd3a MK	244	UINT8 RandomBytes[28];\r
973f8862	245	} EFI_TLS_RANDOM;\r
344d057a	246	#pragma pack ()\r
973f8862 HW	247	\r
	248	///\r
	249	/// EFI_TLS_MASTER_SECRET\r
	250	/// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1.\r
	251	/// Computing the Master Secret".\r
	252	///\r
344d057a	253	#pragma pack (1)\r
973f8862	254	typedef struct {\r
2f88bd3a	255	UINT8 Data[48];\r
973f8862	256	} EFI_TLS_MASTER_SECRET;\r
344d057a	257	#pragma pack ()\r
973f8862 HW	258	\r
	259	///\r
	260	/// EFI_TLS_SESSION_ID\r
	261	/// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".\r
	262	///\r
	263	#define MAX_TLS_SESSION_ID_LENGTH 32\r
344d057a	264	#pragma pack (1)\r
973f8862	265	typedef struct {\r
2f88bd3a MK	266	UINT16 Length;\r
2f88bd3a MK	267	UINT8 Data[MAX_TLS_SESSION_ID_LENGTH];\r
973f8862	268	} EFI_TLS_SESSION_ID;\r
344d057a	269	#pragma pack ()\r
973f8862 HW	270	\r
	271	///\r
	272	/// EFI_TLS_SESSION_STATE\r
	273	///\r
	274	typedef enum {\r
	275	///\r
	276	/// When a new child of TLS protocol is created, the initial state of TLS session\r
	277	/// is EfiTlsSessionNotStarted.\r
	278	///\r
	279	EfiTlsSessionNotStarted,\r
	280	///\r
	281	/// The consumer can call BuildResponsePacket() with NULL to get ClientHello to\r
	282	/// start the TLS session. Then the status is EfiTlsSessionHandShaking.\r
	283	///\r
	284	EfiTlsSessionHandShaking,\r
	285	///\r
	286	/// During handshake, the consumer need call BuildResponsePacket() with input\r
	287	/// data from peer, then get response packet and send to peer. After handshake\r
	288	/// finish, the TLS session status becomes EfiTlsSessionDataTransferring, and\r
	289	/// consumer can use ProcessPacket() for data transferring.\r
	290	///\r
	291	EfiTlsSessionDataTransferring,\r
	292	///\r
	293	/// Finally, if consumer wants to active close TLS session, consumer need\r
	294	/// call SetSessionData to set TLS session state to EfiTlsSessionClosing, and\r
	295	/// call BuildResponsePacket() with NULL to get CloseNotify alert message,\r
	296	/// and sent it out.\r
	297	///\r
	298	EfiTlsSessionClosing,\r
	299	///\r
	300	/// If any error happen during parsing ApplicationData content type, EFI_ABORT\r
	301	/// will be returned by ProcessPacket(), and TLS session state will become\r
	302	/// EfiTlsSessionError. Then consumer need call BuildResponsePacket() with\r
	303	/// NULL to get alert message and sent it out.\r
	304	///\r
	305	EfiTlsSessionError,\r
	306	\r
	307	EfiTlsSessionStateMaximum\r
973f8862 HW	308	} EFI_TLS_SESSION_STATE;\r
	309	\r
	310	///\r
	311	/// EFI_TLS_FRAGMENT_DATA\r
	312	///\r
	313	typedef struct {\r
	314	///\r
	315	/// Length of data buffer in the fragment.\r
	316	///\r
2f88bd3a	317	UINT32 FragmentLength;\r
973f8862 HW	318	///\r
	319	/// Pointer to the data buffer in the fragment.\r
	320	///\r
2f88bd3a	321	VOID *FragmentBuffer;\r
973f8862 HW	322	} EFI_TLS_FRAGMENT_DATA;\r
	323	\r
	324	///\r
	325	/// EFI_TLS_CRYPT_MODE\r
	326	///\r
	327	typedef enum {\r
	328	///\r
	329	/// Encrypt data provided in the fragment buffers.\r
	330	///\r
	331	EfiTlsEncrypt,\r
	332	///\r
	333	/// Decrypt data provided in the fragment buffers.\r
	334	///\r
	335	EfiTlsDecrypt,\r
	336	} EFI_TLS_CRYPT_MODE;\r
	337	\r
	338	/**\r
	339	Set TLS session data.\r
	340	\r
	341	The SetSessionData() function set data for a new TLS session. All session data should\r
	342	be set before BuildResponsePacket() invoked.\r
	343	\r
	344	@param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
	345	@param[in] DataType TLS session data type.\r
	346	@param[in] Data Pointer to session data.\r
	347	@param[in] DataSize Total size of session data.\r
	348	\r
	349	@retval EFI_SUCCESS The TLS session data is set successfully.\r
	350	@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
	351	This is NULL.\r
	352	Data is NULL.\r
	353	DataSize is 0.\r
	354	@retval EFI_UNSUPPORTED The DataType is unsupported.\r
	355	@retval EFI_ACCESS_DENIED If the DataType is one of below:\r
	356	EfiTlsClientRandom\r
	357	EfiTlsServerRandom\r
	358	EfiTlsKeyMaterial\r
	359	@retval EFI_NOT_READY Current TLS session state is NOT\r
	360	EfiTlsSessionStateNotStarted.\r
	361	@retval EFI_OUT_OF_RESOURCES Required system resources could not be allocated.\r
	362	**/\r
	363	typedef\r
	364	EFI_STATUS\r
2f88bd3a	365	(EFIAPI *EFI_TLS_SET_SESSION_DATA)(\r
973f8862 HW	366	IN EFI_TLS_PROTOCOL *This,\r
	367	IN EFI_TLS_SESSION_DATA_TYPE DataType,\r
	368	IN VOID *Data,\r
	369	IN UINTN DataSize\r
	370	);\r
	371	\r
	372	/**\r
	373	Get TLS session data.\r
	374	\r
	375	The GetSessionData() function return the TLS session information.\r
	376	\r
	377	@param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
	378	@param[in] DataType TLS session data type.\r
	379	@param[in, out] Data Pointer to session data.\r
	380	@param[in, out] DataSize Total size of session data. On input, it means\r
	381	the size of Data buffer. On output, it means the size\r
	382	of copied Data buffer if EFI_SUCCESS, and means the\r
	383	size of desired Data buffer if EFI_BUFFER_TOO_SMALL.\r
	384	\r
	385	@retval EFI_SUCCESS The TLS session data is got successfully.\r
	386	@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
	387	This is NULL.\r
	388	DataSize is NULL.\r
	389	Data is NULL if *DataSize is not zero.\r
	390	@retval EFI_UNSUPPORTED The DataType is unsupported.\r
	391	@retval EFI_NOT_FOUND The TLS session data is not found.\r
	392	@retval EFI_NOT_READY The DataType is not ready in current session state.\r
	393	@retval EFI_BUFFER_TOO_SMALL The buffer is too small to hold the data.\r
	394	**/\r
	395	typedef\r
	396	EFI_STATUS\r
2f88bd3a	397	(EFIAPI *EFI_TLS_GET_SESSION_DATA)(\r
973f8862 HW	398	IN EFI_TLS_PROTOCOL *This,\r
973f8862 HW	399	IN EFI_TLS_SESSION_DATA_TYPE DataType,\r
d0e2f823	400	IN OUT VOID *Data OPTIONAL,\r
973f8862 HW	401	IN OUT UINTN *DataSize\r
	402	);\r
	403	\r
	404	/**\r
	405	Build response packet according to TLS state machine. This function is only valid for\r
	406	alert, handshake and change_cipher_spec content type.\r
	407	\r
	408	The BuildResponsePacket() function builds TLS response packet in response to the TLS\r
	409	request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and\r
	410	RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session\r
	411	will be initiated and the response packet needs to be ClientHello. If RequestBuffer is\r
	412	NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS\r
	413	session will be closed and response packet needs to be CloseNotify. If RequestBuffer is\r
	414	NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS\r
	415	session has errors and the response packet needs to be Alert message based on error\r
	416	type.\r
	417	\r
	418	@param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
	419	@param[in] RequestBuffer Pointer to the most recently received TLS packet. NULL\r
	420	means TLS need initiate the TLS session and response\r
	421	packet need to be ClientHello.\r
	422	@param[in] RequestSize Packet size in bytes for the most recently received TLS\r
	423	packet. 0 is only valid when RequestBuffer is NULL.\r
	424	@param[out] Buffer Pointer to the buffer to hold the built packet.\r
	425	@param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is\r
	426	the buffer size provided by the caller. On output, it\r
	427	is the buffer size in fact needed to contain the\r
	428	packet.\r
	429	\r
	430	@retval EFI_SUCCESS The required TLS packet is built successfully.\r
	431	@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
	432	This is NULL.\r
	433	RequestBuffer is NULL but RequestSize is NOT 0.\r
	434	RequestSize is 0 but RequestBuffer is NOT NULL.\r
	435	BufferSize is NULL.\r
	436	Buffer is NULL if *BufferSize is not zero.\r
	437	@retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.\r
	438	@retval EFI_NOT_READY Current TLS session state is NOT ready to build\r
	439	ResponsePacket.\r
	440	@retval EFI_ABORTED Something wrong build response packet.\r
	441	**/\r
	442	typedef\r
	443	EFI_STATUS\r
2f88bd3a	444	(EFIAPI *EFI_TLS_BUILD_RESPONSE_PACKET)(\r
973f8862	445	IN EFI_TLS_PROTOCOL *This,\r
d0e2f823 MK	446	IN UINT8 *RequestBuffer OPTIONAL,\r
	447	IN UINTN RequestSize OPTIONAL,\r
	448	OUT UINT8 *Buffer OPTIONAL,\r
973f8862 HW	449	IN OUT UINTN *BufferSize\r
	450	);\r
	451	\r
	452	/**\r
	453	Decrypt or encrypt TLS packet during session. This function is only valid after\r
	454	session connected and for application_data content type.\r
	455	\r
	456	The ProcessPacket () function process each inbound or outbound TLS APP packet.\r
	457	\r
	458	@param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
	459	@param[in, out] FragmentTable Pointer to a list of fragment. The caller will take\r
	460	responsible to handle the original FragmentTable while\r
	461	it may be reallocated in TLS driver. If CryptMode is\r
	462	EfiTlsEncrypt, on input these fragments contain the TLS\r
	463	header and plain text TLS APP payload; on output these\r
	464	fragments contain the TLS header and cipher text TLS\r
	465	APP payload. If CryptMode is EfiTlsDecrypt, on input\r
	466	these fragments contain the TLS header and cipher text\r
	467	TLS APP payload; on output these fragments contain the\r
	468	TLS header and plain text TLS APP payload.\r
	469	@param[in] FragmentCount Number of fragment.\r
	470	@param[in] CryptMode Crypt mode.\r
	471	\r
	472	@retval EFI_SUCCESS The operation completed successfully.\r
	473	@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
	474	This is NULL.\r
	475	FragmentTable is NULL.\r
	476	FragmentCount is NULL.\r
	477	CryptoMode is invalid.\r
	478	@retval EFI_NOT_READY Current TLS session state is NOT\r
	479	EfiTlsSessionDataTransferring.\r
	480	@retval EFI_ABORTED Something wrong decryption the message. TLS session\r
	481	status will become EfiTlsSessionError. The caller need\r
	482	call BuildResponsePacket() to generate Error Alert\r
	483	message and send it out.\r
	484	@retval EFI_OUT_OF_RESOURCES No enough resource to finish the operation.\r
	485	**/\r
	486	typedef\r
	487	EFI_STATUS\r
2f88bd3a	488	(EFIAPI *EFI_TLS_PROCESS_PACKET)(\r
973f8862 HW	489	IN EFI_TLS_PROTOCOL *This,\r
	490	IN OUT EFI_TLS_FRAGMENT_DATA **FragmentTable,\r
	491	IN UINT32 *FragmentCount,\r
	492	IN EFI_TLS_CRYPT_MODE CryptMode\r
	493	);\r
	494	\r
	495	///\r
	496	/// The EFI_TLS_PROTOCOL is used to create, destroy and manage TLS session.\r
	497	/// For detail of TLS, please refer to TLS related RFC.\r
	498	///\r
	499	struct _EFI_TLS_PROTOCOL {\r
2f88bd3a MK	500	EFI_TLS_SET_SESSION_DATA SetSessionData;\r
	501	EFI_TLS_GET_SESSION_DATA GetSessionData;\r
	502	EFI_TLS_BUILD_RESPONSE_PACKET BuildResponsePacket;\r
	503	EFI_TLS_PROCESS_PACKET ProcessPacket;\r
973f8862 HW	504	};\r
973f8862 HW	505	\r
2f88bd3a MK	506	extern EFI_GUID gEfiTlsServiceBindingProtocolGuid;\r
2f88bd3a MK	507	extern EFI_GUID gEfiTlsProtocolGuid;\r
973f8862	508	\r
2f88bd3a	509	#endif // __EFI_TLS_PROTOCOL_H__\r