]> git.proxmox.com Git - mirror_edk2.git/blame_incremental - CryptoPkg/Library/TlsLib/TlsConfig.c
projects / mirror_edk2.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
... / ...
CommitLineData
1/** @file\r
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r
3\r
4Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
5(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
6This program and the accompanying materials\r
7are licensed and made available under the terms and conditions of the BSD License\r
8which accompanies this distribution. The full text of the license may be found at\r
9http://opensource.org/licenses/bsd-license.php\r
10\r
11THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
12WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
13\r
14**/\r
15\r
16#include "InternalTlsLib.h"\r
17\r
18typedef struct {\r
19 //\r
20 // IANA/IETF defined Cipher Suite ID\r
21 //\r
22 UINT16 IanaCipher;\r
23 //\r
24 // OpenSSL-used Cipher Suite String\r
25 //\r
26 CONST CHAR8 *OpensslCipher;\r
27} TLS_CIPHER_MAPPING;\r
28\r
29//\r
30// The mapping table between IANA/IETF Cipher Suite definitions and\r
31// OpenSSL-used Cipher Suite name.\r
32//\r
33// Keep the table uniquely sorted by the IanaCipher field, in increasing order.\r
34//\r
35STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r
36 { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5\r
37 { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA\r
38 { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5\r
39 { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA\r
40 { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
41 { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
42 { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
43 { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
44 { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
45 { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
46 { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA\r
47 { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
48 { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
49 { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
50 { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256\r
51 { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
52 { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
53 { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
54 { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
55 { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
56 { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
57 { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
58 { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
59};\r
60\r
61/**\r
62 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.\r
63\r
64 @param[in] CipherId The supplied IANA TLS cipher suite ID.\r
65\r
66 @return The corresponding OpenSSL cipher suite mapping if found,\r
67 NULL otherwise.\r
68\r
69**/\r
70STATIC\r
71CONST TLS_CIPHER_MAPPING *\r
72TlsGetCipherMapping (\r
73 IN UINT16 CipherId\r
74 )\r
75{\r
76 INTN Left;\r
77 INTN Right;\r
78 INTN Middle;\r
79\r
80 //\r
81 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r
82 //\r
83 Left = 0;\r
84 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;\r
85\r
86 while (Right >= Left) {\r
87 Middle = (Left + Right) / 2;\r
88\r
89 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {\r
90 //\r
91 // Translate IANA cipher suite ID to OpenSSL name.\r
92 //\r
93 return &TlsCipherMappingTable[Middle];\r
94 }\r
95\r
96 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {\r
97 Right = Middle - 1;\r
98 } else {\r
99 Left = Middle + 1;\r
100 }\r
101 }\r
102\r
103 //\r
104 // No Cipher Mapping found, return NULL.\r
105 //\r
106 return NULL;\r
107}\r
108\r
109/**\r
110 Set a new TLS/SSL method for a particular TLS object.\r
111\r
112 This function sets a new TLS/SSL method for a particular TLS object.\r
113\r
114 @param[in] Tls Pointer to a TLS object.\r
115 @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
116 @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
117\r
118 @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r
119 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
120 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r
121\r
122**/\r
123EFI_STATUS\r
124EFIAPI\r
125TlsSetVersion (\r
126 IN VOID *Tls,\r
127 IN UINT8 MajorVer,\r
128 IN UINT8 MinorVer\r
129 )\r
130{\r
131 TLS_CONNECTION *TlsConn;\r
132 UINT16 ProtoVersion;\r
133\r
134 TlsConn = (TLS_CONNECTION *)Tls;\r
135 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
136 return EFI_INVALID_PARAMETER;\r
137 }\r
138\r
139 ProtoVersion = (MajorVer << 8) | MinorVer;\r
140\r
141 //\r
142 // Bound TLS method to the particular specified version.\r
143 //\r
144 switch (ProtoVersion) {\r
145 case TLS1_VERSION:\r
146 //\r
147 // TLS 1.0\r
148 //\r
149 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
150 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
151 break;\r
152 case TLS1_1_VERSION:\r
153 //\r
154 // TLS 1.1\r
155 //\r
156 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
157 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
158 break;\r
159 case TLS1_2_VERSION:\r
160 //\r
161 // TLS 1.2\r
162 //\r
163 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
164 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
165 break;\r
166 default:\r
167 //\r
168 // Unsupported Protocol Version\r
169 //\r
170 return EFI_UNSUPPORTED;\r
171 }\r
172\r
173 return EFI_SUCCESS;;\r
174}\r
175\r
176/**\r
177 Set TLS object to work in client or server mode.\r
178\r
179 This function prepares a TLS object to work in client or server mode.\r
180\r
181 @param[in] Tls Pointer to a TLS object.\r
182 @param[in] IsServer Work in server mode.\r
183\r
184 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r
185 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
186 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r
187\r
188**/\r
189EFI_STATUS\r
190EFIAPI\r
191TlsSetConnectionEnd (\r
192 IN VOID *Tls,\r
193 IN BOOLEAN IsServer\r
194 )\r
195{\r
196 TLS_CONNECTION *TlsConn;\r
197\r
198 TlsConn = (TLS_CONNECTION *) Tls;\r
199 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
200 return EFI_INVALID_PARAMETER;\r
201 }\r
202\r
203 if (!IsServer) {\r
204 //\r
205 // Set TLS to work in Client mode.\r
206 //\r
207 SSL_set_connect_state (TlsConn->Ssl);\r
208 } else {\r
209 //\r
210 // Set TLS to work in Server mode.\r
211 // It is unsupported for UEFI version currently.\r
212 //\r
213 //SSL_set_accept_state (TlsConn->Ssl);\r
214 return EFI_UNSUPPORTED;\r
215 }\r
216\r
217 return EFI_SUCCESS;\r
218}\r
219\r
220/**\r
221 Set the ciphers list to be used by the TLS object.\r
222\r
223 This function sets the ciphers for use by a specified TLS object.\r
224\r
225 @param[in] Tls Pointer to a TLS object.\r
226 @param[in] CipherId Pointer to a UINT16 cipher Id.\r
227 @param[in] CipherNum The number of cipher in the list.\r
228\r
229 @retval EFI_SUCCESS The ciphers list was set successfully.\r
230 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
231 @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.\r
232\r
233**/\r
234EFI_STATUS\r
235EFIAPI\r
236TlsSetCipherList (\r
237 IN VOID *Tls,\r
238 IN UINT16 *CipherId,\r
239 IN UINTN CipherNum\r
240 )\r
241{\r
242 TLS_CONNECTION *TlsConn;\r
243 UINTN Index;\r
244 CONST TLS_CIPHER_MAPPING *Mapping;\r
245 CONST CHAR8 *MappingName;\r
246 CHAR8 CipherString[500];\r
247\r
248 TlsConn = (TLS_CONNECTION *) Tls;\r
249 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
250 return EFI_INVALID_PARAMETER;\r
251 }\r
252\r
253 Mapping = NULL;\r
254 MappingName = NULL;\r
255\r
256 memset (CipherString, 0, sizeof (CipherString));\r
257\r
258 for (Index = 0; Index < CipherNum; Index++) {\r
259 //\r
260 // Handling OpenSSL / RFC Cipher name mapping.\r
261 //\r
262 Mapping = TlsGetCipherMapping (*(CipherId + Index));\r
263 if (Mapping == NULL) {\r
264 return EFI_UNSUPPORTED;\r
265 }\r
266 MappingName = Mapping->OpensslCipher;\r
267\r
268 if (Index != 0) {\r
269 //\r
270 // The ciphers were separated by a colon.\r
271 //\r
272 AsciiStrCatS (CipherString, sizeof (CipherString), ":");\r
273 }\r
274\r
275 AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);\r
276 }\r
277\r
278 AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");\r
279\r
280 //\r
281 // Sets the ciphers for use by the Tls object.\r
282 //\r
283 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {\r
284 return EFI_UNSUPPORTED;\r
285 }\r
286\r
287 return EFI_SUCCESS;\r
288}\r
289\r
290/**\r
291 Set the compression method for TLS/SSL operations.\r
292\r
293 This function handles TLS/SSL integrated compression methods.\r
294\r
295 @param[in] CompMethod The compression method ID.\r
296\r
297 @retval EFI_SUCCESS The compression method for the communication was\r
298 set successfully.\r
299 @retval EFI_UNSUPPORTED Unsupported compression method.\r
300\r
301**/\r
302EFI_STATUS\r
303EFIAPI\r
304TlsSetCompressionMethod (\r
305 IN UINT8 CompMethod\r
306 )\r
307{\r
308 COMP_METHOD *Cm;\r
309 INTN Ret;\r
310\r
311 Cm = NULL;\r
312 Ret = 0;\r
313\r
314 if (CompMethod == 0) {\r
315 //\r
316 // TLS defines one standard compression method, CompressionMethod.null (0),\r
317 // which specifies that data exchanged via the record protocol will not be compressed.\r
318 // So, return EFI_SUCCESS directly (RFC 3749).\r
319 //\r
320 return EFI_SUCCESS;\r
321 } else if (CompMethod == 1) {\r
322 Cm = COMP_zlib();\r
323 } else {\r
324 return EFI_UNSUPPORTED;\r
325 }\r
326\r
327 //\r
328 // Adds the compression method to the list of available\r
329 // compression methods.\r
330 //\r
331 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);\r
332 if (Ret != 0) {\r
333 return EFI_UNSUPPORTED;\r
334 }\r
335\r
336 return EFI_SUCCESS;\r
337}\r
338\r
339/**\r
340 Set peer certificate verification mode for the TLS connection.\r
341\r
342 This function sets the verification mode flags for the TLS connection.\r
343\r
344 @param[in] Tls Pointer to the TLS object.\r
345 @param[in] VerifyMode A set of logically or'ed verification mode flags.\r
346\r
347**/\r
348VOID\r
349EFIAPI\r
350TlsSetVerify (\r
351 IN VOID *Tls,\r
352 IN UINT32 VerifyMode\r
353 )\r
354{\r
355 TLS_CONNECTION *TlsConn;\r
356\r
357 TlsConn = (TLS_CONNECTION *) Tls;\r
358 if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
359 return;\r
360 }\r
361\r
362 //\r
363 // Set peer certificate verification parameters with NULL callback.\r
364 //\r
365 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r
366}\r
367\r
368/**\r
369 Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
370\r
371 This function sets a session ID to be used when the TLS/SSL connection is\r
372 to be established.\r
373\r
374 @param[in] Tls Pointer to the TLS object.\r
375 @param[in] SessionId Session ID data used for session resumption.\r
376 @param[in] SessionIdLen Length of Session ID in bytes.\r
377\r
378 @retval EFI_SUCCESS Session ID was set successfully.\r
379 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
380 @retval EFI_UNSUPPORTED No available session for ID setting.\r
381\r
382**/\r
383EFI_STATUS\r
384EFIAPI\r
385TlsSetSessionId (\r
386 IN VOID *Tls,\r
387 IN UINT8 *SessionId,\r
388 IN UINT16 SessionIdLen\r
389 )\r
390{\r
391 TLS_CONNECTION *TlsConn;\r
392 SSL_SESSION *Session;\r
393\r
394 TlsConn = (TLS_CONNECTION *) Tls;\r
395 Session = NULL;\r
396\r
397 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {\r
398 return EFI_INVALID_PARAMETER;\r
399 }\r
400\r
401 Session = SSL_get_session (TlsConn->Ssl);\r
402 if (Session == NULL) {\r
403 return EFI_UNSUPPORTED;\r
404 }\r
405\r
406 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);\r
407\r
408 return EFI_SUCCESS;\r
409}\r
410\r
411/**\r
412 Adds the CA to the cert store when requesting Server or Client authentication.\r
413\r
414 This function adds the CA certificate to the list of CAs when requesting\r
415 Server or Client authentication for the chosen TLS connection.\r
416\r
417 @param[in] Tls Pointer to the TLS object.\r
418 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
419 X.509 certificate or PEM-encoded X.509 certificate.\r
420 @param[in] DataSize The size of data buffer in bytes.\r
421\r
422 @retval EFI_SUCCESS The operation succeeded.\r
423 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
424 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
425 @retval EFI_ABORTED Invalid X.509 certificate.\r
426\r
427**/\r
428EFI_STATUS\r
429EFIAPI\r
430TlsSetCaCertificate (\r
431 IN VOID *Tls,\r
432 IN VOID *Data,\r
433 IN UINTN DataSize\r
434 )\r
435{\r
436 BIO *BioCert;\r
437 X509 *Cert;\r
438 X509_STORE *X509Store;\r
439 EFI_STATUS Status;\r
440 TLS_CONNECTION *TlsConn;\r
441 SSL_CTX *SslCtx;\r
442 INTN Ret;\r
443 UINTN ErrorCode;\r
444\r
445 BioCert = NULL;\r
446 Cert = NULL;\r
447 X509Store = NULL;\r
448 Status = EFI_SUCCESS;\r
449 TlsConn = (TLS_CONNECTION *) Tls;\r
450 Ret = 0;\r
451\r
452 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
453 return EFI_INVALID_PARAMETER;\r
454 }\r
455\r
456 //\r
457 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
458 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
459 //\r
460 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
461 if (Cert == NULL) {\r
462 //\r
463 // Certificate is from PEM encoding.\r
464 //\r
465 BioCert = BIO_new (BIO_s_mem ());\r
466 if (BioCert == NULL) {\r
467 Status = EFI_OUT_OF_RESOURCES;\r
468 goto ON_EXIT;\r
469 }\r
470\r
471 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
472 Status = EFI_ABORTED;\r
473 goto ON_EXIT;\r
474 }\r
475\r
476 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
477 if (Cert == NULL) {\r
478 Status = EFI_ABORTED;\r
479 goto ON_EXIT;\r
480 }\r
481 }\r
482\r
483 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
484 X509Store = SSL_CTX_get_cert_store (SslCtx);\r
485 if (X509Store == NULL) {\r
486 Status = EFI_ABORTED;\r
487 goto ON_EXIT;\r
488 }\r
489\r
490 //\r
491 // Add certificate to X509 store\r
492 //\r
493 Ret = X509_STORE_add_cert (X509Store, Cert);\r
494 if (Ret != 1) {\r
495 ErrorCode = ERR_peek_last_error ();\r
496 //\r
497 // Ignore "already in table" errors\r
498 //\r
499 if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&\r
500 ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {\r
501 Status = EFI_ABORTED;\r
502 goto ON_EXIT;\r
503 }\r
504 }\r
505\r
506ON_EXIT:\r
507 if (BioCert != NULL) {\r
508 BIO_free (BioCert);\r
509 }\r
510\r
511 if (Cert != NULL) {\r
512 X509_free (Cert);\r
513 }\r
514\r
515 return Status;\r
516}\r
517\r
518/**\r
519 Loads the local public certificate into the specified TLS object.\r
520\r
521 This function loads the X.509 certificate into the specified TLS object\r
522 for TLS negotiation.\r
523\r
524 @param[in] Tls Pointer to the TLS object.\r
525 @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
526 X.509 certificate or PEM-encoded X.509 certificate.\r
527 @param[in] DataSize The size of data buffer in bytes.\r
528\r
529 @retval EFI_SUCCESS The operation succeeded.\r
530 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
531 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
532 @retval EFI_ABORTED Invalid X.509 certificate.\r
533\r
534**/\r
535EFI_STATUS\r
536EFIAPI\r
537TlsSetHostPublicCert (\r
538 IN VOID *Tls,\r
539 IN VOID *Data,\r
540 IN UINTN DataSize\r
541 )\r
542{\r
543 BIO *BioCert;\r
544 X509 *Cert;\r
545 EFI_STATUS Status;\r
546 TLS_CONNECTION *TlsConn;\r
547\r
548 BioCert = NULL;\r
549 Cert = NULL;\r
550 Status = EFI_SUCCESS;\r
551 TlsConn = (TLS_CONNECTION *) Tls;\r
552\r
553 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
554 return EFI_INVALID_PARAMETER;\r
555 }\r
556\r
557 //\r
558 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
559 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
560 //\r
561 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
562 if (Cert == NULL) {\r
563 //\r
564 // Certificate is from PEM encoding.\r
565 //\r
566 BioCert = BIO_new (BIO_s_mem ());\r
567 if (BioCert == NULL) {\r
568 Status = EFI_OUT_OF_RESOURCES;\r
569 goto ON_EXIT;\r
570 }\r
571\r
572 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
573 Status = EFI_ABORTED;\r
574 goto ON_EXIT;\r
575 }\r
576\r
577 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
578 if (Cert == NULL) {\r
579 Status = EFI_ABORTED;\r
580 goto ON_EXIT;\r
581 }\r
582 }\r
583\r
584 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {\r
585 Status = EFI_ABORTED;\r
586 goto ON_EXIT;\r
587 }\r
588\r
589ON_EXIT:\r
590 if (BioCert != NULL) {\r
591 BIO_free (BioCert);\r
592 }\r
593\r
594 if (Cert != NULL) {\r
595 X509_free (Cert);\r
596 }\r
597\r
598 return Status;\r
599}\r
600\r
601/**\r
602 Adds the local private key to the specified TLS object.\r
603\r
604 This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
605 key) into the specified TLS object for TLS negotiation.\r
606\r
607 @param[in] Tls Pointer to the TLS object.\r
608 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
609 or PKCS#8 private key.\r
610 @param[in] DataSize The size of data buffer in bytes.\r
611\r
612 @retval EFI_SUCCESS The operation succeeded.\r
613 @retval EFI_UNSUPPORTED This function is not supported.\r
614 @retval EFI_ABORTED Invalid private key data.\r
615\r
616**/\r
617EFI_STATUS\r
618EFIAPI\r
619TlsSetHostPrivateKey (\r
620 IN VOID *Tls,\r
621 IN VOID *Data,\r
622 IN UINTN DataSize\r
623 )\r
624{\r
625 return EFI_UNSUPPORTED;\r
626}\r
627\r
628/**\r
629 Adds the CA-supplied certificate revocation list for certificate validation.\r
630\r
631 This function adds the CA-supplied certificate revocation list data for\r
632 certificate validity checking.\r
633\r
634 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r
635 @param[in] DataSize The size of data buffer in bytes.\r
636\r
637 @retval EFI_SUCCESS The operation succeeded.\r
638 @retval EFI_UNSUPPORTED This function is not supported.\r
639 @retval EFI_ABORTED Invalid CRL data.\r
640\r
641**/\r
642EFI_STATUS\r
643EFIAPI\r
644TlsSetCertRevocationList (\r
645 IN VOID *Data,\r
646 IN UINTN DataSize\r
647 )\r
648{\r
649 return EFI_UNSUPPORTED;\r
650}\r
651\r
652/**\r
653 Gets the protocol version used by the specified TLS connection.\r
654\r
655 This function returns the protocol version used by the specified TLS\r
656 connection.\r
657\r
658 If Tls is NULL, then ASSERT().\r
659\r
660 @param[in] Tls Pointer to the TLS object.\r
661\r
662 @return The protocol version of the specified TLS connection.\r
663\r
664**/\r
665UINT16\r
666EFIAPI\r
667TlsGetVersion (\r
668 IN VOID *Tls\r
669 )\r
670{\r
671 TLS_CONNECTION *TlsConn;\r
672\r
673 TlsConn = (TLS_CONNECTION *) Tls;\r
674\r
675 ASSERT (TlsConn != NULL);\r
676\r
677 return (UINT16)(SSL_version (TlsConn->Ssl));\r
678}\r
679\r
680/**\r
681 Gets the connection end of the specified TLS connection.\r
682\r
683 This function returns the connection end (as client or as server) used by\r
684 the specified TLS connection.\r
685\r
686 If Tls is NULL, then ASSERT().\r
687\r
688 @param[in] Tls Pointer to the TLS object.\r
689\r
690 @return The connection end used by the specified TLS connection.\r
691\r
692**/\r
693UINT8\r
694EFIAPI\r
695TlsGetConnectionEnd (\r
696 IN VOID *Tls\r
697 )\r
698{\r
699 TLS_CONNECTION *TlsConn;\r
700\r
701 TlsConn = (TLS_CONNECTION *) Tls;\r
702\r
703 ASSERT (TlsConn != NULL);\r
704\r
705 return (UINT8)SSL_is_server (TlsConn->Ssl);\r
706}\r
707\r
708/**\r
709 Gets the cipher suite used by the specified TLS connection.\r
710\r
711 This function returns current cipher suite used by the specified\r
712 TLS connection.\r
713\r
714 @param[in] Tls Pointer to the TLS object.\r
715 @param[in,out] CipherId The cipher suite used by the TLS object.\r
716\r
717 @retval EFI_SUCCESS The cipher suite was returned successfully.\r
718 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
719 @retval EFI_UNSUPPORTED Unsupported cipher suite.\r
720\r
721**/\r
722EFI_STATUS\r
723EFIAPI\r
724TlsGetCurrentCipher (\r
725 IN VOID *Tls,\r
726 IN OUT UINT16 *CipherId\r
727 )\r
728{\r
729 TLS_CONNECTION *TlsConn;\r
730 CONST SSL_CIPHER *Cipher;\r
731\r
732 TlsConn = (TLS_CONNECTION *) Tls;\r
733 Cipher = NULL;\r
734\r
735 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
736 return EFI_INVALID_PARAMETER;\r
737 }\r
738\r
739 Cipher = SSL_get_current_cipher (TlsConn->Ssl);\r
740 if (Cipher == NULL) {\r
741 return EFI_UNSUPPORTED;\r
742 }\r
743\r
744 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;\r
745\r
746 return EFI_SUCCESS;\r
747}\r
748\r
749/**\r
750 Gets the compression methods used by the specified TLS connection.\r
751\r
752 This function returns current integrated compression methods used by\r
753 the specified TLS connection.\r
754\r
755 @param[in] Tls Pointer to the TLS object.\r
756 @param[in,out] CompressionId The current compression method used by\r
757 the TLS object.\r
758\r
759 @retval EFI_SUCCESS The compression method was returned successfully.\r
760 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
761 @retval EFI_ABORTED Invalid Compression method.\r
762 @retval EFI_UNSUPPORTED This function is not supported.\r
763\r
764**/\r
765EFI_STATUS\r
766EFIAPI\r
767TlsGetCurrentCompressionId (\r
768 IN VOID *Tls,\r
769 IN OUT UINT8 *CompressionId\r
770 )\r
771{\r
772 return EFI_UNSUPPORTED;\r
773}\r
774\r
775/**\r
776 Gets the verification mode currently set in the TLS connection.\r
777\r
778 This function returns the peer verification mode currently set in the\r
779 specified TLS connection.\r
780\r
781 If Tls is NULL, then ASSERT().\r
782\r
783 @param[in] Tls Pointer to the TLS object.\r
784\r
785 @return The verification mode set in the specified TLS connection.\r
786\r
787**/\r
788UINT32\r
789EFIAPI\r
790TlsGetVerify (\r
791 IN VOID *Tls\r
792 )\r
793{\r
794 TLS_CONNECTION *TlsConn;\r
795\r
796 TlsConn = (TLS_CONNECTION *) Tls;\r
797\r
798 ASSERT (TlsConn != NULL);\r
799\r
800 return SSL_get_verify_mode (TlsConn->Ssl);\r
801}\r
802\r
803/**\r
804 Gets the session ID used by the specified TLS connection.\r
805\r
806 This function returns the TLS/SSL session ID currently used by the\r
807 specified TLS connection.\r
808\r
809 @param[in] Tls Pointer to the TLS object.\r
810 @param[in,out] SessionId Buffer to contain the returned session ID.\r
811 @param[in,out] SessionIdLen The length of Session ID in bytes.\r
812\r
813 @retval EFI_SUCCESS The Session ID was returned successfully.\r
814 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
815 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
816\r
817**/\r
818EFI_STATUS\r
819EFIAPI\r
820TlsGetSessionId (\r
821 IN VOID *Tls,\r
822 IN OUT UINT8 *SessionId,\r
823 IN OUT UINT16 *SessionIdLen\r
824 )\r
825{\r
826 TLS_CONNECTION *TlsConn;\r
827 SSL_SESSION *Session;\r
828 CONST UINT8 *SslSessionId;\r
829\r
830 TlsConn = (TLS_CONNECTION *) Tls;\r
831 Session = NULL;\r
832\r
833 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {\r
834 return EFI_INVALID_PARAMETER;\r
835 }\r
836\r
837 Session = SSL_get_session (TlsConn->Ssl);\r
838 if (Session == NULL) {\r
839 return EFI_UNSUPPORTED;\r
840 }\r
841\r
842 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);\r
843 CopyMem (SessionId, SslSessionId, *SessionIdLen);\r
844\r
845 return EFI_SUCCESS;\r
846}\r
847\r
848/**\r
849 Gets the client random data used in the specified TLS connection.\r
850\r
851 This function returns the TLS/SSL client random data currently used in\r
852 the specified TLS connection.\r
853\r
854 @param[in] Tls Pointer to the TLS object.\r
855 @param[in,out] ClientRandom Buffer to contain the returned client\r
856 random data (32 bytes).\r
857\r
858**/\r
859VOID\r
860EFIAPI\r
861TlsGetClientRandom (\r
862 IN VOID *Tls,\r
863 IN OUT UINT8 *ClientRandom\r
864 )\r
865{\r
866 TLS_CONNECTION *TlsConn;\r
867\r
868 TlsConn = (TLS_CONNECTION *) Tls;\r
869\r
870 if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {\r
871 return;\r
872 }\r
873\r
874 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);\r
875}\r
876\r
877/**\r
878 Gets the server random data used in the specified TLS connection.\r
879\r
880 This function returns the TLS/SSL server random data currently used in\r
881 the specified TLS connection.\r
882\r
883 @param[in] Tls Pointer to the TLS object.\r
884 @param[in,out] ServerRandom Buffer to contain the returned server\r
885 random data (32 bytes).\r
886\r
887**/\r
888VOID\r
889EFIAPI\r
890TlsGetServerRandom (\r
891 IN VOID *Tls,\r
892 IN OUT UINT8 *ServerRandom\r
893 )\r
894{\r
895 TLS_CONNECTION *TlsConn;\r
896\r
897 TlsConn = (TLS_CONNECTION *) Tls;\r
898\r
899 if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {\r
900 return;\r
901 }\r
902\r
903 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);\r
904}\r
905\r
906/**\r
907 Gets the master key data used in the specified TLS connection.\r
908\r
909 This function returns the TLS/SSL master key material currently used in\r
910 the specified TLS connection.\r
911\r
912 @param[in] Tls Pointer to the TLS object.\r
913 @param[in,out] KeyMaterial Buffer to contain the returned key material.\r
914\r
915 @retval EFI_SUCCESS Key material was returned successfully.\r
916 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
917 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
918\r
919**/\r
920EFI_STATUS\r
921EFIAPI\r
922TlsGetKeyMaterial (\r
923 IN VOID *Tls,\r
924 IN OUT UINT8 *KeyMaterial\r
925 )\r
926{\r
927 TLS_CONNECTION *TlsConn;\r
928 SSL_SESSION *Session;\r
929\r
930 TlsConn = (TLS_CONNECTION *) Tls;\r
931 Session = NULL;\r
932\r
933 if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {\r
934 return EFI_INVALID_PARAMETER;\r
935 }\r
936\r
937 Session = SSL_get_session (TlsConn->Ssl);\r
938\r
939 if (Session == NULL) {\r
940 return EFI_UNSUPPORTED;\r
941 }\r
942\r
943 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);\r
944\r
945 return EFI_SUCCESS;\r
946}\r
947\r
948/**\r
949 Gets the CA Certificate from the cert store.\r
950\r
951 This function returns the CA certificate for the chosen\r
952 TLS connection.\r
953\r
954 @param[in] Tls Pointer to the TLS object.\r
955 @param[out] Data Pointer to the data buffer to receive the CA\r
956 certificate data sent to the client.\r
957 @param[in,out] DataSize The size of data buffer in bytes.\r
958\r
959 @retval EFI_SUCCESS The operation succeeded.\r
960 @retval EFI_UNSUPPORTED This function is not supported.\r
961 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
962\r
963**/\r
964EFI_STATUS\r
965EFIAPI\r
966TlsGetCaCertificate (\r
967 IN VOID *Tls,\r
968 OUT VOID *Data,\r
969 IN OUT UINTN *DataSize\r
970 )\r
971{\r
972 return EFI_UNSUPPORTED;\r
973}\r
974\r
975/**\r
976 Gets the local public Certificate set in the specified TLS object.\r
977\r
978 This function returns the local public certificate which was currently set\r
979 in the specified TLS object.\r
980\r
981 @param[in] Tls Pointer to the TLS object.\r
982 @param[out] Data Pointer to the data buffer to receive the local\r
983 public certificate.\r
984 @param[in,out] DataSize The size of data buffer in bytes.\r
985\r
986 @retval EFI_SUCCESS The operation succeeded.\r
987 @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
988 @retval EFI_NOT_FOUND The certificate is not found.\r
989 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
990\r
991**/\r
992EFI_STATUS\r
993EFIAPI\r
994TlsGetHostPublicCert (\r
995 IN VOID *Tls,\r
996 OUT VOID *Data,\r
997 IN OUT UINTN *DataSize\r
998 )\r
999{\r
1000 X509 *Cert;\r
1001 TLS_CONNECTION *TlsConn;\r
1002\r
1003 Cert = NULL;\r
1004 TlsConn = (TLS_CONNECTION *) Tls;\r
1005\r
1006 if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {\r
1007 return EFI_INVALID_PARAMETER;\r
1008 }\r
1009\r
1010 Cert = SSL_get_certificate(TlsConn->Ssl);\r
1011 if (Cert == NULL) {\r
1012 return EFI_NOT_FOUND;\r
1013 }\r
1014\r
1015 //\r
1016 // Only DER encoding is supported currently.\r
1017 //\r
1018 if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {\r
1019 *DataSize = (UINTN) i2d_X509 (Cert, NULL);\r
1020 return EFI_BUFFER_TOO_SMALL;\r
1021 }\r
1022\r
1023 *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);\r
1024\r
1025 return EFI_SUCCESS;\r
1026}\r
1027\r
1028/**\r
1029 Gets the local private key set in the specified TLS object.\r
1030\r
1031 This function returns the local private key data which was currently set\r
1032 in the specified TLS object.\r
1033\r
1034 @param[in] Tls Pointer to the TLS object.\r
1035 @param[out] Data Pointer to the data buffer to receive the local\r
1036 private key data.\r
1037 @param[in,out] DataSize The size of data buffer in bytes.\r
1038\r
1039 @retval EFI_SUCCESS The operation succeeded.\r
1040 @retval EFI_UNSUPPORTED This function is not supported.\r
1041 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1042\r
1043**/\r
1044EFI_STATUS\r
1045EFIAPI\r
1046TlsGetHostPrivateKey (\r
1047 IN VOID *Tls,\r
1048 OUT VOID *Data,\r
1049 IN OUT UINTN *DataSize\r
1050 )\r
1051{\r
1052 return EFI_UNSUPPORTED;\r
1053}\r
1054\r
1055/**\r
1056 Gets the CA-supplied certificate revocation list data set in the specified\r
1057 TLS object.\r
1058\r
1059 This function returns the CA-supplied certificate revocation list data which\r
1060 was currently set in the specified TLS object.\r
1061\r
1062 @param[out] Data Pointer to the data buffer to receive the CRL data.\r
1063 @param[in,out] DataSize The size of data buffer in bytes.\r
1064\r
1065 @retval EFI_SUCCESS The operation succeeded.\r
1066 @retval EFI_UNSUPPORTED This function is not supported.\r
1067 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
1068\r
1069**/\r
1070EFI_STATUS\r
1071EFIAPI\r
1072TlsGetCertRevocationList (\r
1073 OUT VOID *Data,\r
1074 IN OUT UINTN *DataSize\r
1075 )\r
1076{\r
1077 return EFI_UNSUPPORTED;\r
1078}\r
1079\r
EFI Development Kit II mirror for PVE