MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
[mirror_edk2.git] / MdePkg / Include / Protocol / Tls.h
CommitLineData
973f8862
HW
1/** @file\r
2 EFI TLS Protocols as defined in UEFI 2.5.\r
3\r
4 The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers\r
5 to create and destroy child of the driver to communicate with other host using\r
6 TLS protocol.\r
7 The EFI TLS Protocol provides the ability to manage TLS session.\r
8\r
9 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
10 This program and the accompanying materials\r
11 are licensed and made available under the terms and conditions of the BSD License\r
12 which accompanies this distribution. The full text of the license may be found at\r
13 http://opensource.org/licenses/bsd-license.php\r
14\r
15 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
16 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
17\r
18 @par Revision Reference:\r
19 This Protocol is introduced in UEFI Specification 2.5\r
20\r
21**/\r
22\r
23#ifndef __EFI_TLS_PROTOCOL_H__\r
24#define __EFI_TLS_PROTOCOL_H__\r
25\r
26///\r
27/// The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to\r
28/// create and destroy child of the driver to communicate with other host using TLS\r
29/// protocol.\r
30///\r
31#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID \\r
32 { \\r
33 0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \\r
34 }\r
35\r
36///\r
37/// The EFI TLS protocol provides the ability to manage TLS session.\r
38///\r
39#define EFI_TLS_PROTOCOL_GUID \\r
40 { \\r
41 0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \\r
42 }\r
43\r
44typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;\r
45\r
46///\r
47/// EFI_TLS_SESSION_DATA_TYPE\r
48///\r
49typedef enum {\r
50 ///\r
51 /// Session Configuration\r
52 ///\r
53\r
54 ///\r
55 /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.\r
56 ///\r
57 EfiTlsVersion,\r
58 ///\r
59 /// TLS session as client or as server. The corresponding Data is of\r
60 /// EFI_TLS_CONNECTION_END.\r
61 ///\r
62 EfiTlsConnectionEnd,\r
63 ///\r
64 /// A priority list of preferred algorithms for the TLS session.\r
65 /// The corresponding Data is a list of EFI_TLS_CIPHER.\r
66 ///\r
67 EfiTlsCipherList,\r
68 ///\r
69 /// TLS session compression method.\r
70 /// The corresponding Data is of type EFI_TLS_COMPRESSION.\r
71 ///\r
72 EfiTlsCompressionMethod,\r
73 ///\r
74 /// TLS session extension data.\r
75 /// The corresponding Data is a list of type EFI_TLS_EXTENSION .\r
76 ///\r
77 EfiTlsExtensionData,\r
78 ///\r
79 /// TLS session verify method.\r
80 /// The corresponding Data is of type EFI_TLS_VERIFY.\r
81 ///\r
82 EfiTlsVerifyMethod,\r
83 ///\r
84 /// TLS session data session ID.\r
85 /// For SetSessionData(), it is TLS session ID used for session resumption.\r
86 /// For GetSessionData(), it is the TLS session ID used for current session.\r
87 /// The corresponding Data is of type EFI_TLS_SESSION_ID.\r
88 ///\r
89 EfiTlsSessionID,\r
90 ///\r
91 /// TLS session data session state.\r
92 /// The corresponding Data is of type EFI_TLS_SESSION_STATE.\r
93 ///\r
94 EfiTlsSessionState,\r
95\r
96 ///\r
97 /// Session information\r
98 ///\r
99\r
100 ///\r
101 /// TLS session data client random.\r
102 /// The corresponding Data is of type EFI_TLS_RANDOM.\r
103 ///\r
104 EfiTlsClientRandom,\r
105 ///\r
106 /// TLS session data server random.\r
107 /// The corresponding Data is of type EFI_TLS_RANDOM.\r
108 ///\r
109 EfiTlsServerRandom,\r
110 ///\r
111 /// TLS session data key material.\r
112 /// The corresponding Data is of type EFI_TLS_MASTER_SECRET.\r
113 ///\r
114 EfiTlsKeyMaterial,\r
115\r
116 EfiTlsSessionDataTypeMaximum\r
117\r
118} EFI_TLS_SESSION_DATA_TYPE;\r
119\r
120///\r
121/// EFI_TLS_VERSION\r
122/// Note: The TLS version definition is from SSL3.0 to the latest TLS (e.g. 1.2).\r
123/// SSL2.0 is obsolete and should not be used.\r
124///\r
125typedef struct {\r
126 UINT8 Major;\r
127 UINT8 Minor;\r
128} EFI_TLS_VERSION;\r
129\r
130///\r
131/// EFI_TLS_CONNECTION_END to define TLS session as client or server.\r
132///\r
133typedef enum {\r
134 EfiTlsClient,\r
135 EfiTlsServer,\r
136} EFI_TLS_CONNECTION_END;\r
137\r
138///\r
139/// EFI_TLS_CIPHER\r
140/// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A.4.1.\r
141/// Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher\r
142/// Suite Registry of IANA.\r
143///\r
344d057a 144#pragma pack (1)\r
973f8862
HW
145typedef struct {\r
146 UINT8 Data1;\r
147 UINT8 Data2;\r
148} EFI_TLS_CIPHER;\r
344d057a 149#pragma pack ()\r
973f8862
HW
150\r
151///\r
152/// EFI_TLS_COMPRESSION\r
153/// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".\r
154///\r
155typedef UINT8 EFI_TLS_COMPRESSION;\r
156\r
157///\r
158/// EFI_TLS_EXTENSION\r
159/// Note: The definition of EFI_TLS_EXTENSION if from "RFC 5246 A.4.1.\r
160/// Hello Messages".\r
161///\r
344d057a 162#pragma pack (1)\r
973f8862
HW
163typedef struct {\r
164 UINT16 ExtensionType;\r
165 UINT16 Length;\r
166 UINT8 Data[1];\r
167} EFI_TLS_EXTENSION;\r
344d057a 168#pragma pack ()\r
973f8862
HW
169\r
170///\r
171/// EFI_TLS_VERIFY\r
172/// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options\r
173/// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.\r
174///\r
175typedef UINT32 EFI_TLS_VERIFY;\r
176///\r
177/// No certificates will be sent or the TLS/SSL handshake will be continued regardless\r
178/// of the certificate verification result.\r
179///\r
180#define EFI_TLS_VERIFY_NONE 0x0\r
181///\r
182/// The TLS/SSL handshake is immediately terminated with an alert message containing\r
183/// the reason for the certificate verification failure.\r
184///\r
185#define EFI_TLS_VERIFY_PEER 0x1\r
186///\r
187/// TLS session will fail peer certificate is absent.\r
188///\r
189#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2\r
190///\r
191/// TLS session only verify client once, and doesn't request certificate during\r
192/// re-negotiation.\r
193///\r
194#define EFI_TLS_VERIFY_CLIENT_ONCE 0x4\r
195\r
196///\r
197/// EFI_TLS_RANDOM\r
198/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.\r
199/// Hello Messages".\r
200///\r
344d057a 201#pragma pack (1)\r
973f8862
HW
202typedef struct {\r
203 UINT32 GmtUnixTime;\r
204 UINT8 RandomBytes[28];\r
205} EFI_TLS_RANDOM;\r
344d057a 206#pragma pack ()\r
973f8862
HW
207\r
208///\r
209/// EFI_TLS_MASTER_SECRET\r
210/// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1.\r
211/// Computing the Master Secret".\r
212///\r
344d057a 213#pragma pack (1)\r
973f8862
HW
214typedef struct {\r
215 UINT8 Data[48];\r
216} EFI_TLS_MASTER_SECRET;\r
344d057a 217#pragma pack ()\r
973f8862
HW
218\r
219///\r
220/// EFI_TLS_SESSION_ID\r
221/// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".\r
222///\r
223#define MAX_TLS_SESSION_ID_LENGTH 32\r
344d057a 224#pragma pack (1)\r
973f8862
HW
225typedef struct {\r
226 UINT16 Length;\r
227 UINT8 Data[MAX_TLS_SESSION_ID_LENGTH];\r
228} EFI_TLS_SESSION_ID;\r
344d057a 229#pragma pack ()\r
973f8862
HW
230\r
231///\r
232/// EFI_TLS_SESSION_STATE\r
233///\r
234typedef enum {\r
235 ///\r
236 /// When a new child of TLS protocol is created, the initial state of TLS session\r
237 /// is EfiTlsSessionNotStarted.\r
238 ///\r
239 EfiTlsSessionNotStarted,\r
240 ///\r
241 /// The consumer can call BuildResponsePacket() with NULL to get ClientHello to\r
242 /// start the TLS session. Then the status is EfiTlsSessionHandShaking.\r
243 ///\r
244 EfiTlsSessionHandShaking,\r
245 ///\r
246 /// During handshake, the consumer need call BuildResponsePacket() with input\r
247 /// data from peer, then get response packet and send to peer. After handshake\r
248 /// finish, the TLS session status becomes EfiTlsSessionDataTransferring, and\r
249 /// consumer can use ProcessPacket() for data transferring.\r
250 ///\r
251 EfiTlsSessionDataTransferring,\r
252 ///\r
253 /// Finally, if consumer wants to active close TLS session, consumer need\r
254 /// call SetSessionData to set TLS session state to EfiTlsSessionClosing, and\r
255 /// call BuildResponsePacket() with NULL to get CloseNotify alert message,\r
256 /// and sent it out.\r
257 ///\r
258 EfiTlsSessionClosing,\r
259 ///\r
260 /// If any error happen during parsing ApplicationData content type, EFI_ABORT\r
261 /// will be returned by ProcessPacket(), and TLS session state will become\r
262 /// EfiTlsSessionError. Then consumer need call BuildResponsePacket() with\r
263 /// NULL to get alert message and sent it out.\r
264 ///\r
265 EfiTlsSessionError,\r
266\r
267 EfiTlsSessionStateMaximum\r
268\r
269} EFI_TLS_SESSION_STATE;\r
270\r
271///\r
272/// EFI_TLS_FRAGMENT_DATA\r
273///\r
274typedef struct {\r
275 ///\r
276 /// Length of data buffer in the fragment.\r
277 ///\r
278 UINT32 FragmentLength;\r
279 ///\r
280 /// Pointer to the data buffer in the fragment.\r
281 ///\r
282 VOID *FragmentBuffer;\r
283} EFI_TLS_FRAGMENT_DATA;\r
284\r
285///\r
286/// EFI_TLS_CRYPT_MODE\r
287///\r
288typedef enum {\r
289 ///\r
290 /// Encrypt data provided in the fragment buffers.\r
291 ///\r
292 EfiTlsEncrypt,\r
293 ///\r
294 /// Decrypt data provided in the fragment buffers.\r
295 ///\r
296 EfiTlsDecrypt,\r
297} EFI_TLS_CRYPT_MODE;\r
298\r
299/**\r
300 Set TLS session data.\r
301\r
302 The SetSessionData() function set data for a new TLS session. All session data should\r
303 be set before BuildResponsePacket() invoked.\r
304\r
305 @param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
306 @param[in] DataType TLS session data type.\r
307 @param[in] Data Pointer to session data.\r
308 @param[in] DataSize Total size of session data.\r
309\r
310 @retval EFI_SUCCESS The TLS session data is set successfully.\r
311 @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
312 This is NULL.\r
313 Data is NULL.\r
314 DataSize is 0.\r
315 @retval EFI_UNSUPPORTED The DataType is unsupported.\r
316 @retval EFI_ACCESS_DENIED If the DataType is one of below:\r
317 EfiTlsClientRandom\r
318 EfiTlsServerRandom\r
319 EfiTlsKeyMaterial\r
320 @retval EFI_NOT_READY Current TLS session state is NOT\r
321 EfiTlsSessionStateNotStarted.\r
322 @retval EFI_OUT_OF_RESOURCES Required system resources could not be allocated.\r
323**/\r
324typedef\r
325EFI_STATUS\r
326(EFIAPI *EFI_TLS_SET_SESSION_DATA) (\r
327 IN EFI_TLS_PROTOCOL *This,\r
328 IN EFI_TLS_SESSION_DATA_TYPE DataType,\r
329 IN VOID *Data,\r
330 IN UINTN DataSize\r
331 );\r
332\r
333/**\r
334 Get TLS session data.\r
335\r
336 The GetSessionData() function return the TLS session information.\r
337\r
338 @param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
339 @param[in] DataType TLS session data type.\r
340 @param[in, out] Data Pointer to session data.\r
341 @param[in, out] DataSize Total size of session data. On input, it means\r
342 the size of Data buffer. On output, it means the size\r
343 of copied Data buffer if EFI_SUCCESS, and means the\r
344 size of desired Data buffer if EFI_BUFFER_TOO_SMALL.\r
345\r
346 @retval EFI_SUCCESS The TLS session data is got successfully.\r
347 @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
348 This is NULL.\r
349 DataSize is NULL.\r
350 Data is NULL if *DataSize is not zero.\r
351 @retval EFI_UNSUPPORTED The DataType is unsupported.\r
352 @retval EFI_NOT_FOUND The TLS session data is not found.\r
353 @retval EFI_NOT_READY The DataType is not ready in current session state.\r
354 @retval EFI_BUFFER_TOO_SMALL The buffer is too small to hold the data.\r
355**/\r
356typedef\r
357EFI_STATUS\r
358(EFIAPI *EFI_TLS_GET_SESSION_DATA) (\r
359 IN EFI_TLS_PROTOCOL *This,\r
360 IN EFI_TLS_SESSION_DATA_TYPE DataType,\r
361 IN OUT VOID *Data, OPTIONAL\r
362 IN OUT UINTN *DataSize\r
363 );\r
364\r
365/**\r
366 Build response packet according to TLS state machine. This function is only valid for\r
367 alert, handshake and change_cipher_spec content type.\r
368\r
369 The BuildResponsePacket() function builds TLS response packet in response to the TLS\r
370 request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and\r
371 RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session\r
372 will be initiated and the response packet needs to be ClientHello. If RequestBuffer is\r
373 NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS\r
374 session will be closed and response packet needs to be CloseNotify. If RequestBuffer is\r
375 NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS\r
376 session has errors and the response packet needs to be Alert message based on error\r
377 type.\r
378\r
379 @param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
380 @param[in] RequestBuffer Pointer to the most recently received TLS packet. NULL\r
381 means TLS need initiate the TLS session and response\r
382 packet need to be ClientHello.\r
383 @param[in] RequestSize Packet size in bytes for the most recently received TLS\r
384 packet. 0 is only valid when RequestBuffer is NULL.\r
385 @param[out] Buffer Pointer to the buffer to hold the built packet.\r
386 @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is\r
387 the buffer size provided by the caller. On output, it\r
388 is the buffer size in fact needed to contain the\r
389 packet.\r
390\r
391 @retval EFI_SUCCESS The required TLS packet is built successfully.\r
392 @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
393 This is NULL.\r
394 RequestBuffer is NULL but RequestSize is NOT 0.\r
395 RequestSize is 0 but RequestBuffer is NOT NULL.\r
396 BufferSize is NULL.\r
397 Buffer is NULL if *BufferSize is not zero.\r
398 @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.\r
399 @retval EFI_NOT_READY Current TLS session state is NOT ready to build\r
400 ResponsePacket.\r
401 @retval EFI_ABORTED Something wrong build response packet.\r
402**/\r
403typedef\r
404EFI_STATUS\r
405(EFIAPI *EFI_TLS_BUILD_RESPONSE_PACKET) (\r
406 IN EFI_TLS_PROTOCOL *This,\r
407 IN UINT8 *RequestBuffer, OPTIONAL\r
408 IN UINTN RequestSize, OPTIONAL\r
409 OUT UINT8 *Buffer, OPTIONAL\r
410 IN OUT UINTN *BufferSize\r
411 );\r
412\r
413/**\r
414 Decrypt or encrypt TLS packet during session. This function is only valid after\r
415 session connected and for application_data content type.\r
416\r
417 The ProcessPacket () function process each inbound or outbound TLS APP packet.\r
418\r
419 @param[in] This Pointer to the EFI_TLS_PROTOCOL instance.\r
420 @param[in, out] FragmentTable Pointer to a list of fragment. The caller will take\r
421 responsible to handle the original FragmentTable while\r
422 it may be reallocated in TLS driver. If CryptMode is\r
423 EfiTlsEncrypt, on input these fragments contain the TLS\r
424 header and plain text TLS APP payload; on output these\r
425 fragments contain the TLS header and cipher text TLS\r
426 APP payload. If CryptMode is EfiTlsDecrypt, on input\r
427 these fragments contain the TLS header and cipher text\r
428 TLS APP payload; on output these fragments contain the\r
429 TLS header and plain text TLS APP payload.\r
430 @param[in] FragmentCount Number of fragment.\r
431 @param[in] CryptMode Crypt mode.\r
432\r
433 @retval EFI_SUCCESS The operation completed successfully.\r
434 @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
435 This is NULL.\r
436 FragmentTable is NULL.\r
437 FragmentCount is NULL.\r
438 CryptoMode is invalid.\r
439 @retval EFI_NOT_READY Current TLS session state is NOT\r
440 EfiTlsSessionDataTransferring.\r
441 @retval EFI_ABORTED Something wrong decryption the message. TLS session\r
442 status will become EfiTlsSessionError. The caller need\r
443 call BuildResponsePacket() to generate Error Alert\r
444 message and send it out.\r
445 @retval EFI_OUT_OF_RESOURCES No enough resource to finish the operation.\r
446**/\r
447typedef\r
448EFI_STATUS\r
449(EFIAPI *EFI_TLS_PROCESS_PACKET) (\r
450 IN EFI_TLS_PROTOCOL *This,\r
451 IN OUT EFI_TLS_FRAGMENT_DATA **FragmentTable,\r
452 IN UINT32 *FragmentCount,\r
453 IN EFI_TLS_CRYPT_MODE CryptMode\r
454 );\r
455\r
456///\r
457/// The EFI_TLS_PROTOCOL is used to create, destroy and manage TLS session.\r
458/// For detail of TLS, please refer to TLS related RFC.\r
459///\r
460struct _EFI_TLS_PROTOCOL {\r
461 EFI_TLS_SET_SESSION_DATA SetSessionData;\r
462 EFI_TLS_GET_SESSION_DATA GetSessionData;\r
463 EFI_TLS_BUILD_RESPONSE_PACKET BuildResponsePacket;\r
464 EFI_TLS_PROCESS_PACKET ProcessPacket;\r
465};\r
466\r
467extern EFI_GUID gEfiTlsServiceBindingProtocolGuid;\r
468extern EFI_GUID gEfiTlsProtocolGuid;\r
469\r
470#endif // __EFI_TLS_PROTOCOL_H__\r
471\r