| | 1 | /** @file\r |
| | 2 | SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r |
| | 3 | \r |
| | 4 | Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r |
| | 5 | (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r |
| | 6 | This program and the accompanying materials\r |
| | 7 | are licensed and made available under the terms and conditions of the BSD License\r |
| | 8 | which accompanies this distribution. The full text of the license may be found at\r |
| | 9 | http://opensource.org/licenses/bsd-license.php\r |
| | 10 | \r |
| | 11 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r |
| | 12 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r |
| | 13 | \r |
| | 14 | **/\r |
| | 15 | \r |
| | 16 | #include "InternalTlsLib.h"\r |
| | 17 | \r |
| | 18 | typedef struct {\r |
| | 19 | //\r |
| | 20 | // IANA/IETF defined Cipher Suite ID\r |
| | 21 | //\r |
| | 22 | UINT16 IanaCipher;\r |
| | 23 | //\r |
| | 24 | // OpenSSL-used Cipher Suite String\r |
| | 25 | //\r |
| | 26 | CONST CHAR8 *OpensslCipher;\r |
| | 27 | //\r |
| | 28 | // Length of OpensslCipher\r |
| | 29 | //\r |
| | 30 | UINTN OpensslCipherLength;\r |
| | 31 | } TLS_CIPHER_MAPPING;\r |
| | 32 | \r |
| | 33 | //\r |
| | 34 | // Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so\r |
| | 35 | // that OpensslCipherLength is filled in automatically. IanaCipher must be an\r |
| | 36 | // integer constant expression, and OpensslCipher must be a string literal.\r |
| | 37 | //\r |
| | 38 | #define MAP(IanaCipher, OpensslCipher) \\r |
| | 39 | { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }\r |
| | 40 | \r |
| | 41 | //\r |
| | 42 | // The mapping table between IANA/IETF Cipher Suite definitions and\r |
| | 43 | // OpenSSL-used Cipher Suite name.\r |
| | 44 | //\r |
| | 45 | // Keep the table uniquely sorted by the IanaCipher field, in increasing order.\r |
| | 46 | //\r |
| | 47 | STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r |
| | 48 | MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5\r |
| | 49 | MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA\r |
| | 50 | MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5\r |
| | 51 | MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA\r |
| | 52 | MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r |
| | 53 | MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r |
| | 54 | MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r |
| | 55 | MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r |
| | 56 | MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r |
| | 57 | MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r |
| | 58 | MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA\r |
| | 59 | MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r |
| | 60 | MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r |
| | 61 | MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r |
| | 62 | MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256\r |
| | 63 | MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256\r |
| | 64 | MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256\r |
| | 65 | MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r |
| | 66 | MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r |
| | 67 | MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r |
| | 68 | MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r |
| | 69 | MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r |
| | 70 | MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r |
| | 71 | };\r |
| | 72 | \r |
| | 73 | /**\r |
| | 74 | Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.\r |
| | 75 | \r |
| | 76 | @param[in] CipherId The supplied IANA TLS cipher suite ID.\r |
| | 77 | \r |
| | 78 | @return The corresponding OpenSSL cipher suite mapping if found,\r |
| | 79 | NULL otherwise.\r |
| | 80 | \r |
| | 81 | **/\r |
| | 82 | STATIC\r |
| | 83 | CONST TLS_CIPHER_MAPPING *\r |
| | 84 | TlsGetCipherMapping (\r |
| | 85 | IN UINT16 CipherId\r |
| | 86 | )\r |
| | 87 | {\r |
| | 88 | INTN Left;\r |
| | 89 | INTN Right;\r |
| | 90 | INTN Middle;\r |
| | 91 | \r |
| | 92 | //\r |
| | 93 | // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r |
| | 94 | //\r |
| | 95 | Left = 0;\r |
| | 96 | Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;\r |
| | 97 | \r |
| | 98 | while (Right >= Left) {\r |
| | 99 | Middle = (Left + Right) / 2;\r |
| | 100 | \r |
| | 101 | if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {\r |
| | 102 | //\r |
| | 103 | // Translate IANA cipher suite ID to OpenSSL name.\r |
| | 104 | //\r |
| | 105 | return &TlsCipherMappingTable[Middle];\r |
| | 106 | }\r |
| | 107 | \r |
| | 108 | if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {\r |
| | 109 | Right = Middle - 1;\r |
| | 110 | } else {\r |
| | 111 | Left = Middle + 1;\r |
| | 112 | }\r |
| | 113 | }\r |
| | 114 | \r |
| | 115 | //\r |
| | 116 | // No Cipher Mapping found, return NULL.\r |
| | 117 | //\r |
| | 118 | return NULL;\r |
| | 119 | }\r |
| | 120 | \r |
| | 121 | /**\r |
| | 122 | Set a new TLS/SSL method for a particular TLS object.\r |
| | 123 | \r |
| | 124 | This function sets a new TLS/SSL method for a particular TLS object.\r |
| | 125 | \r |
| | 126 | @param[in] Tls Pointer to a TLS object.\r |
| | 127 | @param[in] MajorVer Major Version of TLS/SSL Protocol.\r |
| | 128 | @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r |
| | 129 | \r |
| | 130 | @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r |
| | 131 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 132 | @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r |
| | 133 | \r |
| | 134 | **/\r |
| | 135 | EFI_STATUS\r |
| | 136 | EFIAPI\r |
| | 137 | TlsSetVersion (\r |
| | 138 | IN VOID *Tls,\r |
| | 139 | IN UINT8 MajorVer,\r |
| | 140 | IN UINT8 MinorVer\r |
| | 141 | )\r |
| | 142 | {\r |
| | 143 | TLS_CONNECTION *TlsConn;\r |
| | 144 | UINT16 ProtoVersion;\r |
| | 145 | \r |
| | 146 | TlsConn = (TLS_CONNECTION *)Tls;\r |
| | 147 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r |
| | 148 | return EFI_INVALID_PARAMETER;\r |
| | 149 | }\r |
| | 150 | \r |
| | 151 | ProtoVersion = (MajorVer << 8) | MinorVer;\r |
| | 152 | \r |
| | 153 | //\r |
| | 154 | // Bound TLS method to the particular specified version.\r |
| | 155 | //\r |
| | 156 | switch (ProtoVersion) {\r |
| | 157 | case TLS1_VERSION:\r |
| | 158 | //\r |
| | 159 | // TLS 1.0\r |
| | 160 | //\r |
| | 161 | SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r |
| | 162 | SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r |
| | 163 | break;\r |
| | 164 | case TLS1_1_VERSION:\r |
| | 165 | //\r |
| | 166 | // TLS 1.1\r |
| | 167 | //\r |
| | 168 | SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r |
| | 169 | SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r |
| | 170 | break;\r |
| | 171 | case TLS1_2_VERSION:\r |
| | 172 | //\r |
| | 173 | // TLS 1.2\r |
| | 174 | //\r |
| | 175 | SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r |
| | 176 | SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r |
| | 177 | break;\r |
| | 178 | default:\r |
| | 179 | //\r |
| | 180 | // Unsupported Protocol Version\r |
| | 181 | //\r |
| | 182 | return EFI_UNSUPPORTED;\r |
| | 183 | }\r |
| | 184 | \r |
| | 185 | return EFI_SUCCESS;;\r |
| | 186 | }\r |
| | 187 | \r |
| | 188 | /**\r |
| | 189 | Set TLS object to work in client or server mode.\r |
| | 190 | \r |
| | 191 | This function prepares a TLS object to work in client or server mode.\r |
| | 192 | \r |
| | 193 | @param[in] Tls Pointer to a TLS object.\r |
| | 194 | @param[in] IsServer Work in server mode.\r |
| | 195 | \r |
| | 196 | @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r |
| | 197 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 198 | @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r |
| | 199 | \r |
| | 200 | **/\r |
| | 201 | EFI_STATUS\r |
| | 202 | EFIAPI\r |
| | 203 | TlsSetConnectionEnd (\r |
| | 204 | IN VOID *Tls,\r |
| | 205 | IN BOOLEAN IsServer\r |
| | 206 | )\r |
| | 207 | {\r |
| | 208 | TLS_CONNECTION *TlsConn;\r |
| | 209 | \r |
| | 210 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 211 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r |
| | 212 | return EFI_INVALID_PARAMETER;\r |
| | 213 | }\r |
| | 214 | \r |
| | 215 | if (!IsServer) {\r |
| | 216 | //\r |
| | 217 | // Set TLS to work in Client mode.\r |
| | 218 | //\r |
| | 219 | SSL_set_connect_state (TlsConn->Ssl);\r |
| | 220 | } else {\r |
| | 221 | //\r |
| | 222 | // Set TLS to work in Server mode.\r |
| | 223 | // It is unsupported for UEFI version currently.\r |
| | 224 | //\r |
| | 225 | //SSL_set_accept_state (TlsConn->Ssl);\r |
| | 226 | return EFI_UNSUPPORTED;\r |
| | 227 | }\r |
| | 228 | \r |
| | 229 | return EFI_SUCCESS;\r |
| | 230 | }\r |
| | 231 | \r |
| | 232 | /**\r |
| | 233 | Set the ciphers list to be used by the TLS object.\r |
| | 234 | \r |
| | 235 | This function sets the ciphers for use by a specified TLS object.\r |
| | 236 | \r |
| | 237 | @param[in] Tls Pointer to a TLS object.\r |
| | 238 | @param[in] CipherId Pointer to a UINT16 cipher Id.\r |
| | 239 | @param[in] CipherNum The number of cipher in the list.\r |
| | 240 | \r |
| | 241 | @retval EFI_SUCCESS The ciphers list was set successfully.\r |
| | 242 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 243 | @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.\r |
| | 244 | \r |
| | 245 | **/\r |
| | 246 | EFI_STATUS\r |
| | 247 | EFIAPI\r |
| | 248 | TlsSetCipherList (\r |
| | 249 | IN VOID *Tls,\r |
| | 250 | IN UINT16 *CipherId,\r |
| | 251 | IN UINTN CipherNum\r |
| | 252 | )\r |
| | 253 | {\r |
| | 254 | TLS_CONNECTION *TlsConn;\r |
| | 255 | UINTN Index;\r |
| | 256 | CONST TLS_CIPHER_MAPPING *Mapping;\r |
| | 257 | CONST CHAR8 *MappingName;\r |
| | 258 | CHAR8 CipherString[500];\r |
| | 259 | \r |
| | 260 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 261 | if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r |
| | 262 | return EFI_INVALID_PARAMETER;\r |
| | 263 | }\r |
| | 264 | \r |
| | 265 | Mapping = NULL;\r |
| | 266 | MappingName = NULL;\r |
| | 267 | \r |
| | 268 | memset (CipherString, 0, sizeof (CipherString));\r |
| | 269 | \r |
| | 270 | for (Index = 0; Index < CipherNum; Index++) {\r |
| | 271 | //\r |
| | 272 | // Handling OpenSSL / RFC Cipher name mapping.\r |
| | 273 | //\r |
| | 274 | Mapping = TlsGetCipherMapping (*(CipherId + Index));\r |
| | 275 | if (Mapping == NULL) {\r |
| | 276 | return EFI_UNSUPPORTED;\r |
| | 277 | }\r |
| | 278 | MappingName = Mapping->OpensslCipher;\r |
| | 279 | \r |
| | 280 | if (Index != 0) {\r |
| | 281 | //\r |
| | 282 | // The ciphers were separated by a colon.\r |
| | 283 | //\r |
| | 284 | AsciiStrCatS (CipherString, sizeof (CipherString), ":");\r |
| | 285 | }\r |
| | 286 | \r |
| | 287 | AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);\r |
| | 288 | }\r |
| | 289 | \r |
| | 290 | AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");\r |
| | 291 | \r |
| | 292 | //\r |
| | 293 | // Sets the ciphers for use by the Tls object.\r |
| | 294 | //\r |
| | 295 | if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {\r |
| | 296 | return EFI_UNSUPPORTED;\r |
| | 297 | }\r |
| | 298 | \r |
| | 299 | return EFI_SUCCESS;\r |
| | 300 | }\r |
| | 301 | \r |
| | 302 | /**\r |
| | 303 | Set the compression method for TLS/SSL operations.\r |
| | 304 | \r |
| | 305 | This function handles TLS/SSL integrated compression methods.\r |
| | 306 | \r |
| | 307 | @param[in] CompMethod The compression method ID.\r |
| | 308 | \r |
| | 309 | @retval EFI_SUCCESS The compression method for the communication was\r |
| | 310 | set successfully.\r |
| | 311 | @retval EFI_UNSUPPORTED Unsupported compression method.\r |
| | 312 | \r |
| | 313 | **/\r |
| | 314 | EFI_STATUS\r |
| | 315 | EFIAPI\r |
| | 316 | TlsSetCompressionMethod (\r |
| | 317 | IN UINT8 CompMethod\r |
| | 318 | )\r |
| | 319 | {\r |
| | 320 | COMP_METHOD *Cm;\r |
| | 321 | INTN Ret;\r |
| | 322 | \r |
| | 323 | Cm = NULL;\r |
| | 324 | Ret = 0;\r |
| | 325 | \r |
| | 326 | if (CompMethod == 0) {\r |
| | 327 | //\r |
| | 328 | // TLS defines one standard compression method, CompressionMethod.null (0),\r |
| | 329 | // which specifies that data exchanged via the record protocol will not be compressed.\r |
| | 330 | // So, return EFI_SUCCESS directly (RFC 3749).\r |
| | 331 | //\r |
| | 332 | return EFI_SUCCESS;\r |
| | 333 | } else if (CompMethod == 1) {\r |
| | 334 | Cm = COMP_zlib();\r |
| | 335 | } else {\r |
| | 336 | return EFI_UNSUPPORTED;\r |
| | 337 | }\r |
| | 338 | \r |
| | 339 | //\r |
| | 340 | // Adds the compression method to the list of available\r |
| | 341 | // compression methods.\r |
| | 342 | //\r |
| | 343 | Ret = SSL_COMP_add_compression_method (CompMethod, Cm);\r |
| | 344 | if (Ret != 0) {\r |
| | 345 | return EFI_UNSUPPORTED;\r |
| | 346 | }\r |
| | 347 | \r |
| | 348 | return EFI_SUCCESS;\r |
| | 349 | }\r |
| | 350 | \r |
| | 351 | /**\r |
| | 352 | Set peer certificate verification mode for the TLS connection.\r |
| | 353 | \r |
| | 354 | This function sets the verification mode flags for the TLS connection.\r |
| | 355 | \r |
| | 356 | @param[in] Tls Pointer to the TLS object.\r |
| | 357 | @param[in] VerifyMode A set of logically or'ed verification mode flags.\r |
| | 358 | \r |
| | 359 | **/\r |
| | 360 | VOID\r |
| | 361 | EFIAPI\r |
| | 362 | TlsSetVerify (\r |
| | 363 | IN VOID *Tls,\r |
| | 364 | IN UINT32 VerifyMode\r |
| | 365 | )\r |
| | 366 | {\r |
| | 367 | TLS_CONNECTION *TlsConn;\r |
| | 368 | \r |
| | 369 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 370 | if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r |
| | 371 | return;\r |
| | 372 | }\r |
| | 373 | \r |
| | 374 | //\r |
| | 375 | // Set peer certificate verification parameters with NULL callback.\r |
| | 376 | //\r |
| | 377 | SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r |
| | 378 | }\r |
| | 379 | \r |
| | 380 | /**\r |
| | 381 | Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r |
| | 382 | \r |
| | 383 | This function sets a session ID to be used when the TLS/SSL connection is\r |
| | 384 | to be established.\r |
| | 385 | \r |
| | 386 | @param[in] Tls Pointer to the TLS object.\r |
| | 387 | @param[in] SessionId Session ID data used for session resumption.\r |
| | 388 | @param[in] SessionIdLen Length of Session ID in bytes.\r |
| | 389 | \r |
| | 390 | @retval EFI_SUCCESS Session ID was set successfully.\r |
| | 391 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 392 | @retval EFI_UNSUPPORTED No available session for ID setting.\r |
| | 393 | \r |
| | 394 | **/\r |
| | 395 | EFI_STATUS\r |
| | 396 | EFIAPI\r |
| | 397 | TlsSetSessionId (\r |
| | 398 | IN VOID *Tls,\r |
| | 399 | IN UINT8 *SessionId,\r |
| | 400 | IN UINT16 SessionIdLen\r |
| | 401 | )\r |
| | 402 | {\r |
| | 403 | TLS_CONNECTION *TlsConn;\r |
| | 404 | SSL_SESSION *Session;\r |
| | 405 | \r |
| | 406 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 407 | Session = NULL;\r |
| | 408 | \r |
| | 409 | if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {\r |
| | 410 | return EFI_INVALID_PARAMETER;\r |
| | 411 | }\r |
| | 412 | \r |
| | 413 | Session = SSL_get_session (TlsConn->Ssl);\r |
| | 414 | if (Session == NULL) {\r |
| | 415 | return EFI_UNSUPPORTED;\r |
| | 416 | }\r |
| | 417 | \r |
| | 418 | SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);\r |
| | 419 | \r |
| | 420 | return EFI_SUCCESS;\r |
| | 421 | }\r |
| | 422 | \r |
| | 423 | /**\r |
| | 424 | Adds the CA to the cert store when requesting Server or Client authentication.\r |
| | 425 | \r |
| | 426 | This function adds the CA certificate to the list of CAs when requesting\r |
| | 427 | Server or Client authentication for the chosen TLS connection.\r |
| | 428 | \r |
| | 429 | @param[in] Tls Pointer to the TLS object.\r |
| | 430 | @param[in] Data Pointer to the data buffer of a DER-encoded binary\r |
| | 431 | X.509 certificate or PEM-encoded X.509 certificate.\r |
| | 432 | @param[in] DataSize The size of data buffer in bytes.\r |
| | 433 | \r |
| | 434 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 435 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 436 | @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r |
| | 437 | @retval EFI_ABORTED Invalid X.509 certificate.\r |
| | 438 | \r |
| | 439 | **/\r |
| | 440 | EFI_STATUS\r |
| | 441 | EFIAPI\r |
| | 442 | TlsSetCaCertificate (\r |
| | 443 | IN VOID *Tls,\r |
| | 444 | IN VOID *Data,\r |
| | 445 | IN UINTN DataSize\r |
| | 446 | )\r |
| | 447 | {\r |
| | 448 | BIO *BioCert;\r |
| | 449 | X509 *Cert;\r |
| | 450 | X509_STORE *X509Store;\r |
| | 451 | EFI_STATUS Status;\r |
| | 452 | TLS_CONNECTION *TlsConn;\r |
| | 453 | SSL_CTX *SslCtx;\r |
| | 454 | INTN Ret;\r |
| | 455 | UINTN ErrorCode;\r |
| | 456 | \r |
| | 457 | BioCert = NULL;\r |
| | 458 | Cert = NULL;\r |
| | 459 | X509Store = NULL;\r |
| | 460 | Status = EFI_SUCCESS;\r |
| | 461 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 462 | Ret = 0;\r |
| | 463 | \r |
| | 464 | if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r |
| | 465 | return EFI_INVALID_PARAMETER;\r |
| | 466 | }\r |
| | 467 | \r |
| | 468 | //\r |
| | 469 | // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r |
| | 470 | // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r |
| | 471 | //\r |
| | 472 | Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r |
| | 473 | if (Cert == NULL) {\r |
| | 474 | //\r |
| | 475 | // Certificate is from PEM encoding.\r |
| | 476 | //\r |
| | 477 | BioCert = BIO_new (BIO_s_mem ());\r |
| | 478 | if (BioCert == NULL) {\r |
| | 479 | Status = EFI_OUT_OF_RESOURCES;\r |
| | 480 | goto ON_EXIT;\r |
| | 481 | }\r |
| | 482 | \r |
| | 483 | if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r |
| | 484 | Status = EFI_ABORTED;\r |
| | 485 | goto ON_EXIT;\r |
| | 486 | }\r |
| | 487 | \r |
| | 488 | Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r |
| | 489 | if (Cert == NULL) {\r |
| | 490 | Status = EFI_ABORTED;\r |
| | 491 | goto ON_EXIT;\r |
| | 492 | }\r |
| | 493 | }\r |
| | 494 | \r |
| | 495 | SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r |
| | 496 | X509Store = SSL_CTX_get_cert_store (SslCtx);\r |
| | 497 | if (X509Store == NULL) {\r |
| | 498 | Status = EFI_ABORTED;\r |
| | 499 | goto ON_EXIT;\r |
| | 500 | }\r |
| | 501 | \r |
| | 502 | //\r |
| | 503 | // Add certificate to X509 store\r |
| | 504 | //\r |
| | 505 | Ret = X509_STORE_add_cert (X509Store, Cert);\r |
| | 506 | if (Ret != 1) {\r |
| | 507 | ErrorCode = ERR_peek_last_error ();\r |
| | 508 | //\r |
| | 509 | // Ignore "already in table" errors\r |
| | 510 | //\r |
| | 511 | if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&\r |
| | 512 | ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {\r |
| | 513 | Status = EFI_ABORTED;\r |
| | 514 | goto ON_EXIT;\r |
| | 515 | }\r |
| | 516 | }\r |
| | 517 | \r |
| | 518 | ON_EXIT:\r |
| | 519 | if (BioCert != NULL) {\r |
| | 520 | BIO_free (BioCert);\r |
| | 521 | }\r |
| | 522 | \r |
| | 523 | if (Cert != NULL) {\r |
| | 524 | X509_free (Cert);\r |
| | 525 | }\r |
| | 526 | \r |
| | 527 | return Status;\r |
| | 528 | }\r |
| | 529 | \r |
| | 530 | /**\r |
| | 531 | Loads the local public certificate into the specified TLS object.\r |
| | 532 | \r |
| | 533 | This function loads the X.509 certificate into the specified TLS object\r |
| | 534 | for TLS negotiation.\r |
| | 535 | \r |
| | 536 | @param[in] Tls Pointer to the TLS object.\r |
| | 537 | @param[in] Data Pointer to the data buffer of a DER-encoded binary\r |
| | 538 | X.509 certificate or PEM-encoded X.509 certificate.\r |
| | 539 | @param[in] DataSize The size of data buffer in bytes.\r |
| | 540 | \r |
| | 541 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 542 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 543 | @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r |
| | 544 | @retval EFI_ABORTED Invalid X.509 certificate.\r |
| | 545 | \r |
| | 546 | **/\r |
| | 547 | EFI_STATUS\r |
| | 548 | EFIAPI\r |
| | 549 | TlsSetHostPublicCert (\r |
| | 550 | IN VOID *Tls,\r |
| | 551 | IN VOID *Data,\r |
| | 552 | IN UINTN DataSize\r |
| | 553 | )\r |
| | 554 | {\r |
| | 555 | BIO *BioCert;\r |
| | 556 | X509 *Cert;\r |
| | 557 | EFI_STATUS Status;\r |
| | 558 | TLS_CONNECTION *TlsConn;\r |
| | 559 | \r |
| | 560 | BioCert = NULL;\r |
| | 561 | Cert = NULL;\r |
| | 562 | Status = EFI_SUCCESS;\r |
| | 563 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 564 | \r |
| | 565 | if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r |
| | 566 | return EFI_INVALID_PARAMETER;\r |
| | 567 | }\r |
| | 568 | \r |
| | 569 | //\r |
| | 570 | // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r |
| | 571 | // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r |
| | 572 | //\r |
| | 573 | Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r |
| | 574 | if (Cert == NULL) {\r |
| | 575 | //\r |
| | 576 | // Certificate is from PEM encoding.\r |
| | 577 | //\r |
| | 578 | BioCert = BIO_new (BIO_s_mem ());\r |
| | 579 | if (BioCert == NULL) {\r |
| | 580 | Status = EFI_OUT_OF_RESOURCES;\r |
| | 581 | goto ON_EXIT;\r |
| | 582 | }\r |
| | 583 | \r |
| | 584 | if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r |
| | 585 | Status = EFI_ABORTED;\r |
| | 586 | goto ON_EXIT;\r |
| | 587 | }\r |
| | 588 | \r |
| | 589 | Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r |
| | 590 | if (Cert == NULL) {\r |
| | 591 | Status = EFI_ABORTED;\r |
| | 592 | goto ON_EXIT;\r |
| | 593 | }\r |
| | 594 | }\r |
| | 595 | \r |
| | 596 | if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {\r |
| | 597 | Status = EFI_ABORTED;\r |
| | 598 | goto ON_EXIT;\r |
| | 599 | }\r |
| | 600 | \r |
| | 601 | ON_EXIT:\r |
| | 602 | if (BioCert != NULL) {\r |
| | 603 | BIO_free (BioCert);\r |
| | 604 | }\r |
| | 605 | \r |
| | 606 | if (Cert != NULL) {\r |
| | 607 | X509_free (Cert);\r |
| | 608 | }\r |
| | 609 | \r |
| | 610 | return Status;\r |
| | 611 | }\r |
| | 612 | \r |
| | 613 | /**\r |
| | 614 | Adds the local private key to the specified TLS object.\r |
| | 615 | \r |
| | 616 | This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r |
| | 617 | key) into the specified TLS object for TLS negotiation.\r |
| | 618 | \r |
| | 619 | @param[in] Tls Pointer to the TLS object.\r |
| | 620 | @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r |
| | 621 | or PKCS#8 private key.\r |
| | 622 | @param[in] DataSize The size of data buffer in bytes.\r |
| | 623 | \r |
| | 624 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 625 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 626 | @retval EFI_ABORTED Invalid private key data.\r |
| | 627 | \r |
| | 628 | **/\r |
| | 629 | EFI_STATUS\r |
| | 630 | EFIAPI\r |
| | 631 | TlsSetHostPrivateKey (\r |
| | 632 | IN VOID *Tls,\r |
| | 633 | IN VOID *Data,\r |
| | 634 | IN UINTN DataSize\r |
| | 635 | )\r |
| | 636 | {\r |
| | 637 | return EFI_UNSUPPORTED;\r |
| | 638 | }\r |
| | 639 | \r |
| | 640 | /**\r |
| | 641 | Adds the CA-supplied certificate revocation list for certificate validation.\r |
| | 642 | \r |
| | 643 | This function adds the CA-supplied certificate revocation list data for\r |
| | 644 | certificate validity checking.\r |
| | 645 | \r |
| | 646 | @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r |
| | 647 | @param[in] DataSize The size of data buffer in bytes.\r |
| | 648 | \r |
| | 649 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 650 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 651 | @retval EFI_ABORTED Invalid CRL data.\r |
| | 652 | \r |
| | 653 | **/\r |
| | 654 | EFI_STATUS\r |
| | 655 | EFIAPI\r |
| | 656 | TlsSetCertRevocationList (\r |
| | 657 | IN VOID *Data,\r |
| | 658 | IN UINTN DataSize\r |
| | 659 | )\r |
| | 660 | {\r |
| | 661 | return EFI_UNSUPPORTED;\r |
| | 662 | }\r |
| | 663 | \r |
| | 664 | /**\r |
| | 665 | Gets the protocol version used by the specified TLS connection.\r |
| | 666 | \r |
| | 667 | This function returns the protocol version used by the specified TLS\r |
| | 668 | connection.\r |
| | 669 | \r |
| | 670 | If Tls is NULL, then ASSERT().\r |
| | 671 | \r |
| | 672 | @param[in] Tls Pointer to the TLS object.\r |
| | 673 | \r |
| | 674 | @return The protocol version of the specified TLS connection.\r |
| | 675 | \r |
| | 676 | **/\r |
| | 677 | UINT16\r |
| | 678 | EFIAPI\r |
| | 679 | TlsGetVersion (\r |
| | 680 | IN VOID *Tls\r |
| | 681 | )\r |
| | 682 | {\r |
| | 683 | TLS_CONNECTION *TlsConn;\r |
| | 684 | \r |
| | 685 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 686 | \r |
| | 687 | ASSERT (TlsConn != NULL);\r |
| | 688 | \r |
| | 689 | return (UINT16)(SSL_version (TlsConn->Ssl));\r |
| | 690 | }\r |
| | 691 | \r |
| | 692 | /**\r |
| | 693 | Gets the connection end of the specified TLS connection.\r |
| | 694 | \r |
| | 695 | This function returns the connection end (as client or as server) used by\r |
| | 696 | the specified TLS connection.\r |
| | 697 | \r |
| | 698 | If Tls is NULL, then ASSERT().\r |
| | 699 | \r |
| | 700 | @param[in] Tls Pointer to the TLS object.\r |
| | 701 | \r |
| | 702 | @return The connection end used by the specified TLS connection.\r |
| | 703 | \r |
| | 704 | **/\r |
| | 705 | UINT8\r |
| | 706 | EFIAPI\r |
| | 707 | TlsGetConnectionEnd (\r |
| | 708 | IN VOID *Tls\r |
| | 709 | )\r |
| | 710 | {\r |
| | 711 | TLS_CONNECTION *TlsConn;\r |
| | 712 | \r |
| | 713 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 714 | \r |
| | 715 | ASSERT (TlsConn != NULL);\r |
| | 716 | \r |
| | 717 | return (UINT8)SSL_is_server (TlsConn->Ssl);\r |
| | 718 | }\r |
| | 719 | \r |
| | 720 | /**\r |
| | 721 | Gets the cipher suite used by the specified TLS connection.\r |
| | 722 | \r |
| | 723 | This function returns current cipher suite used by the specified\r |
| | 724 | TLS connection.\r |
| | 725 | \r |
| | 726 | @param[in] Tls Pointer to the TLS object.\r |
| | 727 | @param[in,out] CipherId The cipher suite used by the TLS object.\r |
| | 728 | \r |
| | 729 | @retval EFI_SUCCESS The cipher suite was returned successfully.\r |
| | 730 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 731 | @retval EFI_UNSUPPORTED Unsupported cipher suite.\r |
| | 732 | \r |
| | 733 | **/\r |
| | 734 | EFI_STATUS\r |
| | 735 | EFIAPI\r |
| | 736 | TlsGetCurrentCipher (\r |
| | 737 | IN VOID *Tls,\r |
| | 738 | IN OUT UINT16 *CipherId\r |
| | 739 | )\r |
| | 740 | {\r |
| | 741 | TLS_CONNECTION *TlsConn;\r |
| | 742 | CONST SSL_CIPHER *Cipher;\r |
| | 743 | \r |
| | 744 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 745 | Cipher = NULL;\r |
| | 746 | \r |
| | 747 | if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r |
| | 748 | return EFI_INVALID_PARAMETER;\r |
| | 749 | }\r |
| | 750 | \r |
| | 751 | Cipher = SSL_get_current_cipher (TlsConn->Ssl);\r |
| | 752 | if (Cipher == NULL) {\r |
| | 753 | return EFI_UNSUPPORTED;\r |
| | 754 | }\r |
| | 755 | \r |
| | 756 | *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;\r |
| | 757 | \r |
| | 758 | return EFI_SUCCESS;\r |
| | 759 | }\r |
| | 760 | \r |
| | 761 | /**\r |
| | 762 | Gets the compression methods used by the specified TLS connection.\r |
| | 763 | \r |
| | 764 | This function returns current integrated compression methods used by\r |
| | 765 | the specified TLS connection.\r |
| | 766 | \r |
| | 767 | @param[in] Tls Pointer to the TLS object.\r |
| | 768 | @param[in,out] CompressionId The current compression method used by\r |
| | 769 | the TLS object.\r |
| | 770 | \r |
| | 771 | @retval EFI_SUCCESS The compression method was returned successfully.\r |
| | 772 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 773 | @retval EFI_ABORTED Invalid Compression method.\r |
| | 774 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 775 | \r |
| | 776 | **/\r |
| | 777 | EFI_STATUS\r |
| | 778 | EFIAPI\r |
| | 779 | TlsGetCurrentCompressionId (\r |
| | 780 | IN VOID *Tls,\r |
| | 781 | IN OUT UINT8 *CompressionId\r |
| | 782 | )\r |
| | 783 | {\r |
| | 784 | return EFI_UNSUPPORTED;\r |
| | 785 | }\r |
| | 786 | \r |
| | 787 | /**\r |
| | 788 | Gets the verification mode currently set in the TLS connection.\r |
| | 789 | \r |
| | 790 | This function returns the peer verification mode currently set in the\r |
| | 791 | specified TLS connection.\r |
| | 792 | \r |
| | 793 | If Tls is NULL, then ASSERT().\r |
| | 794 | \r |
| | 795 | @param[in] Tls Pointer to the TLS object.\r |
| | 796 | \r |
| | 797 | @return The verification mode set in the specified TLS connection.\r |
| | 798 | \r |
| | 799 | **/\r |
| | 800 | UINT32\r |
| | 801 | EFIAPI\r |
| | 802 | TlsGetVerify (\r |
| | 803 | IN VOID *Tls\r |
| | 804 | )\r |
| | 805 | {\r |
| | 806 | TLS_CONNECTION *TlsConn;\r |
| | 807 | \r |
| | 808 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 809 | \r |
| | 810 | ASSERT (TlsConn != NULL);\r |
| | 811 | \r |
| | 812 | return SSL_get_verify_mode (TlsConn->Ssl);\r |
| | 813 | }\r |
| | 814 | \r |
| | 815 | /**\r |
| | 816 | Gets the session ID used by the specified TLS connection.\r |
| | 817 | \r |
| | 818 | This function returns the TLS/SSL session ID currently used by the\r |
| | 819 | specified TLS connection.\r |
| | 820 | \r |
| | 821 | @param[in] Tls Pointer to the TLS object.\r |
| | 822 | @param[in,out] SessionId Buffer to contain the returned session ID.\r |
| | 823 | @param[in,out] SessionIdLen The length of Session ID in bytes.\r |
| | 824 | \r |
| | 825 | @retval EFI_SUCCESS The Session ID was returned successfully.\r |
| | 826 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 827 | @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r |
| | 828 | \r |
| | 829 | **/\r |
| | 830 | EFI_STATUS\r |
| | 831 | EFIAPI\r |
| | 832 | TlsGetSessionId (\r |
| | 833 | IN VOID *Tls,\r |
| | 834 | IN OUT UINT8 *SessionId,\r |
| | 835 | IN OUT UINT16 *SessionIdLen\r |
| | 836 | )\r |
| | 837 | {\r |
| | 838 | TLS_CONNECTION *TlsConn;\r |
| | 839 | SSL_SESSION *Session;\r |
| | 840 | CONST UINT8 *SslSessionId;\r |
| | 841 | \r |
| | 842 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 843 | Session = NULL;\r |
| | 844 | \r |
| | 845 | if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {\r |
| | 846 | return EFI_INVALID_PARAMETER;\r |
| | 847 | }\r |
| | 848 | \r |
| | 849 | Session = SSL_get_session (TlsConn->Ssl);\r |
| | 850 | if (Session == NULL) {\r |
| | 851 | return EFI_UNSUPPORTED;\r |
| | 852 | }\r |
| | 853 | \r |
| | 854 | SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);\r |
| | 855 | CopyMem (SessionId, SslSessionId, *SessionIdLen);\r |
| | 856 | \r |
| | 857 | return EFI_SUCCESS;\r |
| | 858 | }\r |
| | 859 | \r |
| | 860 | /**\r |
| | 861 | Gets the client random data used in the specified TLS connection.\r |
| | 862 | \r |
| | 863 | This function returns the TLS/SSL client random data currently used in\r |
| | 864 | the specified TLS connection.\r |
| | 865 | \r |
| | 866 | @param[in] Tls Pointer to the TLS object.\r |
| | 867 | @param[in,out] ClientRandom Buffer to contain the returned client\r |
| | 868 | random data (32 bytes).\r |
| | 869 | \r |
| | 870 | **/\r |
| | 871 | VOID\r |
| | 872 | EFIAPI\r |
| | 873 | TlsGetClientRandom (\r |
| | 874 | IN VOID *Tls,\r |
| | 875 | IN OUT UINT8 *ClientRandom\r |
| | 876 | )\r |
| | 877 | {\r |
| | 878 | TLS_CONNECTION *TlsConn;\r |
| | 879 | \r |
| | 880 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 881 | \r |
| | 882 | if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {\r |
| | 883 | return;\r |
| | 884 | }\r |
| | 885 | \r |
| | 886 | SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);\r |
| | 887 | }\r |
| | 888 | \r |
| | 889 | /**\r |
| | 890 | Gets the server random data used in the specified TLS connection.\r |
| | 891 | \r |
| | 892 | This function returns the TLS/SSL server random data currently used in\r |
| | 893 | the specified TLS connection.\r |
| | 894 | \r |
| | 895 | @param[in] Tls Pointer to the TLS object.\r |
| | 896 | @param[in,out] ServerRandom Buffer to contain the returned server\r |
| | 897 | random data (32 bytes).\r |
| | 898 | \r |
| | 899 | **/\r |
| | 900 | VOID\r |
| | 901 | EFIAPI\r |
| | 902 | TlsGetServerRandom (\r |
| | 903 | IN VOID *Tls,\r |
| | 904 | IN OUT UINT8 *ServerRandom\r |
| | 905 | )\r |
| | 906 | {\r |
| | 907 | TLS_CONNECTION *TlsConn;\r |
| | 908 | \r |
| | 909 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 910 | \r |
| | 911 | if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {\r |
| | 912 | return;\r |
| | 913 | }\r |
| | 914 | \r |
| | 915 | SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);\r |
| | 916 | }\r |
| | 917 | \r |
| | 918 | /**\r |
| | 919 | Gets the master key data used in the specified TLS connection.\r |
| | 920 | \r |
| | 921 | This function returns the TLS/SSL master key material currently used in\r |
| | 922 | the specified TLS connection.\r |
| | 923 | \r |
| | 924 | @param[in] Tls Pointer to the TLS object.\r |
| | 925 | @param[in,out] KeyMaterial Buffer to contain the returned key material.\r |
| | 926 | \r |
| | 927 | @retval EFI_SUCCESS Key material was returned successfully.\r |
| | 928 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 929 | @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r |
| | 930 | \r |
| | 931 | **/\r |
| | 932 | EFI_STATUS\r |
| | 933 | EFIAPI\r |
| | 934 | TlsGetKeyMaterial (\r |
| | 935 | IN VOID *Tls,\r |
| | 936 | IN OUT UINT8 *KeyMaterial\r |
| | 937 | )\r |
| | 938 | {\r |
| | 939 | TLS_CONNECTION *TlsConn;\r |
| | 940 | SSL_SESSION *Session;\r |
| | 941 | \r |
| | 942 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 943 | Session = NULL;\r |
| | 944 | \r |
| | 945 | if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {\r |
| | 946 | return EFI_INVALID_PARAMETER;\r |
| | 947 | }\r |
| | 948 | \r |
| | 949 | Session = SSL_get_session (TlsConn->Ssl);\r |
| | 950 | \r |
| | 951 | if (Session == NULL) {\r |
| | 952 | return EFI_UNSUPPORTED;\r |
| | 953 | }\r |
| | 954 | \r |
| | 955 | SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);\r |
| | 956 | \r |
| | 957 | return EFI_SUCCESS;\r |
| | 958 | }\r |
| | 959 | \r |
| | 960 | /**\r |
| | 961 | Gets the CA Certificate from the cert store.\r |
| | 962 | \r |
| | 963 | This function returns the CA certificate for the chosen\r |
| | 964 | TLS connection.\r |
| | 965 | \r |
| | 966 | @param[in] Tls Pointer to the TLS object.\r |
| | 967 | @param[out] Data Pointer to the data buffer to receive the CA\r |
| | 968 | certificate data sent to the client.\r |
| | 969 | @param[in,out] DataSize The size of data buffer in bytes.\r |
| | 970 | \r |
| | 971 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 972 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 973 | @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r |
| | 974 | \r |
| | 975 | **/\r |
| | 976 | EFI_STATUS\r |
| | 977 | EFIAPI\r |
| | 978 | TlsGetCaCertificate (\r |
| | 979 | IN VOID *Tls,\r |
| | 980 | OUT VOID *Data,\r |
| | 981 | IN OUT UINTN *DataSize\r |
| | 982 | )\r |
| | 983 | {\r |
| | 984 | return EFI_UNSUPPORTED;\r |
| | 985 | }\r |
| | 986 | \r |
| | 987 | /**\r |
| | 988 | Gets the local public Certificate set in the specified TLS object.\r |
| | 989 | \r |
| | 990 | This function returns the local public certificate which was currently set\r |
| | 991 | in the specified TLS object.\r |
| | 992 | \r |
| | 993 | @param[in] Tls Pointer to the TLS object.\r |
| | 994 | @param[out] Data Pointer to the data buffer to receive the local\r |
| | 995 | public certificate.\r |
| | 996 | @param[in,out] DataSize The size of data buffer in bytes.\r |
| | 997 | \r |
| | 998 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 999 | @retval EFI_INVALID_PARAMETER The parameter is invalid.\r |
| | 1000 | @retval EFI_NOT_FOUND The certificate is not found.\r |
| | 1001 | @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r |
| | 1002 | \r |
| | 1003 | **/\r |
| | 1004 | EFI_STATUS\r |
| | 1005 | EFIAPI\r |
| | 1006 | TlsGetHostPublicCert (\r |
| | 1007 | IN VOID *Tls,\r |
| | 1008 | OUT VOID *Data,\r |
| | 1009 | IN OUT UINTN *DataSize\r |
| | 1010 | )\r |
| | 1011 | {\r |
| | 1012 | X509 *Cert;\r |
| | 1013 | TLS_CONNECTION *TlsConn;\r |
| | 1014 | \r |
| | 1015 | Cert = NULL;\r |
| | 1016 | TlsConn = (TLS_CONNECTION *) Tls;\r |
| | 1017 | \r |
| | 1018 | if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {\r |
| | 1019 | return EFI_INVALID_PARAMETER;\r |
| | 1020 | }\r |
| | 1021 | \r |
| | 1022 | Cert = SSL_get_certificate(TlsConn->Ssl);\r |
| | 1023 | if (Cert == NULL) {\r |
| | 1024 | return EFI_NOT_FOUND;\r |
| | 1025 | }\r |
| | 1026 | \r |
| | 1027 | //\r |
| | 1028 | // Only DER encoding is supported currently.\r |
| | 1029 | //\r |
| | 1030 | if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {\r |
| | 1031 | *DataSize = (UINTN) i2d_X509 (Cert, NULL);\r |
| | 1032 | return EFI_BUFFER_TOO_SMALL;\r |
| | 1033 | }\r |
| | 1034 | \r |
| | 1035 | *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);\r |
| | 1036 | \r |
| | 1037 | return EFI_SUCCESS;\r |
| | 1038 | }\r |
| | 1039 | \r |
| | 1040 | /**\r |
| | 1041 | Gets the local private key set in the specified TLS object.\r |
| | 1042 | \r |
| | 1043 | This function returns the local private key data which was currently set\r |
| | 1044 | in the specified TLS object.\r |
| | 1045 | \r |
| | 1046 | @param[in] Tls Pointer to the TLS object.\r |
| | 1047 | @param[out] Data Pointer to the data buffer to receive the local\r |
| | 1048 | private key data.\r |
| | 1049 | @param[in,out] DataSize The size of data buffer in bytes.\r |
| | 1050 | \r |
| | 1051 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 1052 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 1053 | @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r |
| | 1054 | \r |
| | 1055 | **/\r |
| | 1056 | EFI_STATUS\r |
| | 1057 | EFIAPI\r |
| | 1058 | TlsGetHostPrivateKey (\r |
| | 1059 | IN VOID *Tls,\r |
| | 1060 | OUT VOID *Data,\r |
| | 1061 | IN OUT UINTN *DataSize\r |
| | 1062 | )\r |
| | 1063 | {\r |
| | 1064 | return EFI_UNSUPPORTED;\r |
| | 1065 | }\r |
| | 1066 | \r |
| | 1067 | /**\r |
| | 1068 | Gets the CA-supplied certificate revocation list data set in the specified\r |
| | 1069 | TLS object.\r |
| | 1070 | \r |
| | 1071 | This function returns the CA-supplied certificate revocation list data which\r |
| | 1072 | was currently set in the specified TLS object.\r |
| | 1073 | \r |
| | 1074 | @param[out] Data Pointer to the data buffer to receive the CRL data.\r |
| | 1075 | @param[in,out] DataSize The size of data buffer in bytes.\r |
| | 1076 | \r |
| | 1077 | @retval EFI_SUCCESS The operation succeeded.\r |
| | 1078 | @retval EFI_UNSUPPORTED This function is not supported.\r |
| | 1079 | @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r |
| | 1080 | \r |
| | 1081 | **/\r |
| | 1082 | EFI_STATUS\r |
| | 1083 | EFIAPI\r |
| | 1084 | TlsGetCertRevocationList (\r |
| | 1085 | OUT VOID *Data,\r |
| | 1086 | IN OUT UINTN *DataSize\r |
| | 1087 | )\r |
| | 1088 | {\r |
| | 1089 | return EFI_UNSUPPORTED;\r |
| | 1090 | }\r |
| | 1091 | \r |
projects / mirror_edk2.git / blame_incremental