1 | /** @file\r | |
2 | EFI TLS Protocols as defined in UEFI 2.5.\r | |
3 | \r | |
4 | The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers\r | |
5 | to create and destroy children of the driver that communicate with other hosts using\r | |
6 | the TLS protocol.\r | |
7 | The EFI TLS Protocol provides the ability to manage TLS session.\r | |
8 | \r | |
9 | Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r | |
10 | SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
11 | \r | |
12 | @par Revision Reference:\r | |
13 | This Protocol is introduced in UEFI Specification 2.5\r | |
14 | \r | |
15 | **/\r | |
16 | \r | |
17 | #ifndef __EFI_TLS_PROTOCOL_H__\r | |
18 | #define __EFI_TLS_PROTOCOL_H__\r | |
19 | \r | |
///
/// The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to
/// create and destroy child of the driver to communicate with other host using TLS
/// protocol.
///
#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID \
  { \
    0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \
  }

///
/// The EFI TLS protocol provides the ability to manage TLS session.
///
#define EFI_TLS_PROTOCOL_GUID \
  { \
    0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \
  }

///
/// Forward declaration so the function-pointer typedefs below can take the protocol
/// as their first argument; the member layout is given at the end of this header.
///
typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;
39 | \r | |
///
/// EFI_TLS_SESSION_DATA_TYPE
/// Selects which item of session data SetSessionData() / GetSessionData() operate on.
/// Values are assigned sequentially from 0 in declaration order;
/// EfiTlsSessionDataTypeMaximum is a bound marker, not a valid DataType.
///
typedef enum {
  ///
  /// Session Configuration
  ///

  ///
  /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.
  ///
  EfiTlsVersion,
  ///
  /// TLS session as client or as server. The corresponding Data is of
  /// EFI_TLS_CONNECTION_END.
  ///
  EfiTlsConnectionEnd,
  ///
  /// A priority list of preferred algorithms for the TLS session.
  /// The corresponding Data is a list of EFI_TLS_CIPHER, most preferred first.
  ///
  EfiTlsCipherList,
  ///
  /// TLS session compression method.
  /// The corresponding Data is of type EFI_TLS_COMPRESSION.
  ///
  EfiTlsCompressionMethod,
  ///
  /// TLS session extension data.
  /// The corresponding Data is a list of type EFI_TLS_EXTENSION. Each entry is
  /// variable-length, so the list has to be walked using each entry's Length field.
  ///
  EfiTlsExtensionData,
  ///
  /// TLS session verify method.
  /// The corresponding Data is of type EFI_TLS_VERIFY.
  ///
  EfiTlsVerifyMethod,
  ///
  /// TLS session data session ID.
  /// For SetSessionData(), it is TLS session ID used for session resumption.
  /// For GetSessionData(), it is the TLS session ID used for current session.
  /// The corresponding Data is of type EFI_TLS_SESSION_ID.
  ///
  EfiTlsSessionID,
  ///
  /// TLS session data session state.
  /// The corresponding Data is of type EFI_TLS_SESSION_STATE.
  ///
  EfiTlsSessionState,

  ///
  /// Session information
  /// The three types below are read-only: SetSessionData() returns
  /// EFI_ACCESS_DENIED for them.
  ///

  ///
  /// TLS session data client random.
  /// The corresponding Data is of type EFI_TLS_RANDOM.
  ///
  EfiTlsClientRandom,
  ///
  /// TLS session data server random.
  /// The corresponding Data is of type EFI_TLS_RANDOM.
  ///
  EfiTlsServerRandom,
  ///
  /// TLS session data key material.
  /// The corresponding Data is of type EFI_TLS_MASTER_SECRET. This is the secret
  /// that protects the session: a caller that retrieves it should clear the
  /// receiving buffer as soon as it is no longer needed.
  ///
  EfiTlsKeyMaterial,

  EfiTlsSessionDataTypeMaximum

} EFI_TLS_SESSION_DATA_TYPE;
113 | \r | |
///
/// EFI_TLS_VERSION
/// Protocol version as carried on the wire (e.g. TLS 1.2 is Major 3, Minor 3).
/// Note: The TLS version definition is from SSL3.0 to the latest TLS (e.g. 1.2).
/// SSL2.0 is obsolete and should not be used.
/// NOTE(review): SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) have since been
/// deprecated as well; a consumer should configure 1.2 or later unless it has a
/// specific compatibility requirement.
///
typedef struct {
  UINT8                         Major;
  UINT8                         Minor;
} EFI_TLS_VERSION;
123 | \r | |
///
/// EFI_TLS_CONNECTION_END to define TLS session as client or server.
/// Configured through SetSessionData(EfiTlsConnectionEnd) before the handshake starts.
///
typedef enum {
  EfiTlsClient,
  EfiTlsServer,
} EFI_TLS_CONNECTION_END;
131 | \r | |
///
/// EFI_TLS_CIPHER
/// Note: The definition of EFI_TLS_CIPHER definition is from "RFC 5246, A.4.1.
/// Hello Messages". The value of EFI_TLS_CIPHER is from TLS Cipher
/// Suite Registry of IANA.
/// Data1 and Data2 are the two bytes of the registry code in wire order. The
/// structure is packed so that an array of them has no padding between entries.
///
#pragma pack (1)
typedef struct {
  UINT8                         Data1;
  UINT8                         Data2;
} EFI_TLS_CIPHER;
#pragma pack ()
144 | \r | |
///
/// EFI_TLS_COMPRESSION
/// Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".
/// NOTE(review): compression of TLS records is discouraged by RFC 7525 and was
/// removed in TLS 1.3; a consumer should normally request only the null method.
///
typedef UINT8 EFI_TLS_COMPRESSION;
150 | \r | |
///
/// EFI_TLS_EXTENSION
/// Note: The definition of EFI_TLS_EXTENSION is from "RFC 5246 A.4.1.
/// Hello Messages".
/// Data[1] is a placeholder for a trailing variable-length payload: Length is the
/// number of payload bytes that actually follow ExtensionType and Length, so
/// sizeof (EFI_TLS_EXTENSION) must not be used to size or step over an entry.
/// When walking a list, check Length against the bytes remaining in the buffer
/// before advancing to the next entry.
///
#pragma pack (1)
typedef struct {
  UINT16                        ExtensionType;
  UINT16                        Length;
  UINT8                         Data[1];
} EFI_TLS_EXTENSION;
#pragma pack ()
163 | \r | |
///
/// EFI_TLS_VERIFY
/// Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options
/// are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.
/// The values are bit flags; EFI_TLS_VERIFY_NONE is the absence of all of them.
///
typedef UINT32 EFI_TLS_VERIFY;
///
/// No certificates will be sent or the TLS/SSL handshake will be continued regardless
/// of the certificate verification result.
/// With this setting the peer is not authenticated, so the session is protected only
/// against a passive observer; use it only where the peer's identity is established
/// by other means.
///
#define EFI_TLS_VERIFY_NONE                     0x0
///
/// The TLS/SSL handshake is immediately terminated with an alert message containing
/// the reason for the certificate verification failure.
///
#define EFI_TLS_VERIFY_PEER                     0x1
///
/// TLS session will fail if the peer certificate is absent.
/// Only meaningful when combined with EFI_TLS_VERIFY_PEER.
///
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT     0x2
///
/// TLS session only verifies the client once, and doesn't request a certificate during
/// re-negotiation.
/// Only meaningful when combined with EFI_TLS_VERIFY_PEER.
///
#define EFI_TLS_VERIFY_CLIENT_ONCE              0x4
189 | \r | |
///
/// EFI_TLS_RANDOM
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.
/// Hello Messages".
/// Packed so that the 4-byte timestamp plus 28 random bytes occupy exactly the
/// 32 bytes of the Random structure in the Hello messages.
///
#pragma pack (1)
typedef struct {
  UINT32                        GmtUnixTime;
  UINT8                         RandomBytes[28];
} EFI_TLS_RANDOM;
#pragma pack ()
201 | \r | |
///
/// EFI_TLS_MASTER_SECRET
/// Note: The definition of EFI_TLS_MASTER_SECRET is from "RFC 5246 8.1.
/// Computing the Master Secret".
/// Holds the 48-byte master secret of the session. It is readable through
/// GetSessionData(EfiTlsKeyMaterial) but cannot be set through SetSessionData();
/// any copy a caller takes should be cleared once it is no longer needed.
///
#pragma pack (1)
typedef struct {
  UINT8                         Data[48];
} EFI_TLS_MASTER_SECRET;
#pragma pack ()
212 | \r | |
///
/// EFI_TLS_SESSION_ID
/// Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".
/// Length is the number of valid bytes in Data and must not exceed
/// MAX_TLS_SESSION_ID_LENGTH; check it before copying from Data, since a session ID
/// obtained from the peer is untrusted input.
///
#define MAX_TLS_SESSION_ID_LENGTH  32
#pragma pack (1)
typedef struct {
  UINT16                        Length;
  UINT8                         Data[MAX_TLS_SESSION_ID_LENGTH];
} EFI_TLS_SESSION_ID;
#pragma pack ()
224 | \r | |
///
/// EFI_TLS_SESSION_STATE
/// Life cycle of a TLS session as reported through GetSessionData(EfiTlsSessionState).
/// Values are assigned sequentially from 0; EfiTlsSessionStateMaximum is a bound
/// marker, not a valid state.
///
typedef enum {
  ///
  /// When a new child of TLS protocol is created, the initial state of TLS session
  /// is EfiTlsSessionNotStarted.
  ///
  EfiTlsSessionNotStarted,
  ///
  /// The consumer can call BuildResponsePacket() with NULL to get ClientHello to
  /// start the TLS session. Then the status is EfiTlsSessionHandShaking.
  ///
  EfiTlsSessionHandShaking,
  ///
  /// During the handshake, the consumer needs to call BuildResponsePacket() with input
  /// data from the peer, then get the response packet and send it to the peer. After the
  /// handshake finishes, the TLS session status becomes EfiTlsSessionDataTransferring,
  /// and the consumer can use ProcessPacket() for data transfer.
  ///
  EfiTlsSessionDataTransferring,
  ///
  /// Finally, if the consumer wants to actively close the TLS session, the consumer
  /// needs to call SetSessionData() to set the TLS session state to
  /// EfiTlsSessionClosing, then call BuildResponsePacket() with NULL to get the
  /// CloseNotify alert message, and send it out.
  /// NOTE(review): the EFI_NOT_READY description of SetSessionData() says it is only
  /// accepted while the state is EfiTlsSessionNotStarted, which conflicts with this
  /// use; confirm that the implementation accepts EfiTlsSessionState here.
  ///
  EfiTlsSessionClosing,
  ///
  /// If any error happens while parsing ApplicationData content type, EFI_ABORTED
  /// will be returned by ProcessPacket(), and the TLS session state will become
  /// EfiTlsSessionError. Then the consumer needs to call BuildResponsePacket() with
  /// NULL to get the alert message and send it out.
  ///
  EfiTlsSessionError,

  EfiTlsSessionStateMaximum

} EFI_TLS_SESSION_STATE;
264 | \r | |
///
/// EFI_TLS_FRAGMENT_DATA
/// One entry of the FragmentTable handed to ProcessPacket().
///
typedef struct {
  ///
  /// Length of data buffer in the fragment.
  ///
  UINT32                        FragmentLength;
  ///
  /// Pointer to the data buffer in the fragment; FragmentLength bytes are valid.
  ///
  VOID                          *FragmentBuffer;
} EFI_TLS_FRAGMENT_DATA;
278 | \r | |
///
/// EFI_TLS_CRYPT_MODE
/// Direction selector for ProcessPacket().
///
typedef enum {
  ///
  /// Encrypt data provided in the fragment buffers.
  ///
  EfiTlsEncrypt,
  ///
  /// Decrypt data provided in the fragment buffers.
  ///
  EfiTlsDecrypt,
} EFI_TLS_CRYPT_MODE;
292 | \r | |
/**
  Set TLS session data.

  The SetSessionData() function sets data for a new TLS session. All session data should
  be set before BuildResponsePacket() is invoked.

  Data is interpreted according to DataType. An implementation is expected to check
  that DataSize is consistent with the type DataType names (a fixed-size structure,
  or a list of EFI_TLS_CIPHER / EFI_TLS_EXTENSION entries) before reading through Data.

  @param[in]  This                Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]  DataType            TLS session data type.
  @param[in]  Data                Pointer to session data.
  @param[in]  DataSize            Total size of session data.

  @retval EFI_SUCCESS             The TLS session data is set successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  Data is NULL.
                                  DataSize is 0.
  @retval EFI_UNSUPPORTED         The DataType is unsupported.
  @retval EFI_ACCESS_DENIED       If the DataType is one of below:
                                  EfiTlsClientRandom
                                  EfiTlsServerRandom
                                  EfiTlsKeyMaterial
  @retval EFI_NOT_READY           Current TLS session state is NOT
                                  EfiTlsSessionNotStarted.
                                  NOTE(review): EFI_TLS_SESSION_STATE documents setting
                                  EfiTlsSessionClosing through this function on an
                                  established session; confirm which states the
                                  implementation accepts for EfiTlsSessionState.
  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be allocated.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_SET_SESSION_DATA) (
  IN EFI_TLS_PROTOCOL             *This,
  IN EFI_TLS_SESSION_DATA_TYPE    DataType,
  IN VOID                         *Data,
  IN UINTN                        DataSize
  );
326 | \r | |
/**
  Get TLS session data.

  The GetSessionData() function returns the TLS session information.

  The usual two-call pattern applies: call with *DataSize set to the size of Data
  (or with *DataSize zero and Data NULL) and, on EFI_BUFFER_TOO_SMALL, retry with a
  buffer of the size left in *DataSize. For EfiTlsKeyMaterial the returned bytes are
  the session's master secret, so the buffer should be cleared once the caller is
  done with it.

  @param[in]      This            Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]      DataType        TLS session data type.
  @param[in, out] Data            Pointer to session data.
  @param[in, out] DataSize        Total size of session data. On input, it means
                                  the size of Data buffer. On output, it means the size
                                  of copied Data buffer if EFI_SUCCESS, and means the
                                  size of desired Data buffer if EFI_BUFFER_TOO_SMALL.

  @retval EFI_SUCCESS             The TLS session data is got successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  DataSize is NULL.
                                  Data is NULL if *DataSize is not zero.
  @retval EFI_UNSUPPORTED         The DataType is unsupported.
  @retval EFI_NOT_FOUND           The TLS session data is not found.
  @retval EFI_NOT_READY           The DataType is not ready in current session state.
  @retval EFI_BUFFER_TOO_SMALL    The buffer is too small to hold the data.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_GET_SESSION_DATA) (
  IN EFI_TLS_PROTOCOL             *This,
  IN EFI_TLS_SESSION_DATA_TYPE    DataType,
  IN OUT VOID                     *Data, OPTIONAL
  IN OUT UINTN                    *DataSize
  );
358 | \r | |
/**
  Build response packet according to TLS state machine. This function is only valid for
  alert, handshake and change_cipher_spec content type.

  The BuildResponsePacket() function builds TLS response packet in response to the TLS
  request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and
  RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session
  will be initiated and the response packet needs to be ClientHello. If RequestBuffer is
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS
  session will be closed and response packet needs to be CloseNotify. If RequestBuffer is
  NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS
  session has errors and the response packet needs to be Alert message based on error
  type.

  RequestBuffer carries bytes received from the network peer, so an implementation
  must bound every read of it by RequestSize and treat any length field inside it as
  untrusted. The usual calling pattern is to invoke with *BufferSize set to the
  caller's buffer size and, on EFI_BUFFER_TOO_SMALL, retry with a buffer of the size
  returned in *BufferSize.

  @param[in]      This            Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in]      RequestBuffer   Pointer to the most recently received TLS packet. NULL
                                  means TLS need initiate the TLS session and response
                                  packet need to be ClientHello.
  @param[in]      RequestSize     Packet size in bytes for the most recently received TLS
                                  packet. 0 is only valid when RequestBuffer is NULL.
  @param[out]     Buffer          Pointer to the buffer to hold the built packet.
  @param[in, out] BufferSize      Pointer to the buffer size in bytes. On input, it is
                                  the buffer size provided by the caller. On output, it
                                  is the buffer size in fact needed to contain the
                                  packet.

  @retval EFI_SUCCESS             The required TLS packet is built successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  RequestBuffer is NULL but RequestSize is NOT 0.
                                  RequestSize is 0 but RequestBuffer is NOT NULL.
                                  BufferSize is NULL.
                                  Buffer is NULL if *BufferSize is not zero.
  @retval EFI_BUFFER_TOO_SMALL    BufferSize is too small to hold the response packet.
  @retval EFI_NOT_READY           Current TLS session state is NOT ready to build
                                  ResponsePacket.
  @retval EFI_ABORTED             Something went wrong while building the response packet.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_BUILD_RESPONSE_PACKET) (
  IN EFI_TLS_PROTOCOL             *This,
  IN UINT8                        *RequestBuffer, OPTIONAL
  IN UINTN                        RequestSize, OPTIONAL
  OUT UINT8                       *Buffer, OPTIONAL
  IN OUT UINTN                    *BufferSize
  );
406 | \r | |
/**
  Decrypt or encrypt TLS packet during session. This function is only valid after
  session connected and for application_data content type.

  The ProcessPacket () function processes each inbound or outbound TLS APP packet.
  In EfiTlsDecrypt mode the fragments hold cipher text received from the peer, so
  any record length found in them is untrusted input; a decryption failure moves
  the session to EfiTlsSessionError rather than being ignored (see EFI_ABORTED).

  @param[in]      This            Pointer to the EFI_TLS_PROTOCOL instance.
  @param[in, out] FragmentTable   Pointer to a list of fragment. The caller remains
                                  responsible for the original FragmentTable, since
                                  the TLS driver may reallocate it. If CryptMode is
                                  EfiTlsEncrypt, on input these fragments contain the TLS
                                  header and plain text TLS APP payload; on output these
                                  fragments contain the TLS header and cipher text TLS
                                  APP payload. If CryptMode is EfiTlsDecrypt, on input
                                  these fragments contain the TLS header and cipher text
                                  TLS APP payload; on output these fragments contain the
                                  TLS header and plain text TLS APP payload.
  @param[in]      FragmentCount   Number of fragment.
  @param[in]      CryptMode       Crypt mode.

  @retval EFI_SUCCESS             The operation completed successfully.
  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                  This is NULL.
                                  FragmentTable is NULL.
                                  FragmentCount is NULL.
                                  CryptMode is invalid.
  @retval EFI_NOT_READY           Current TLS session state is NOT
                                  EfiTlsSessionDataTransferring.
  @retval EFI_ABORTED             Something went wrong decrypting the message. TLS session
                                  status will become EfiTlsSessionError. The caller needs
                                  to call BuildResponsePacket() to generate the Error Alert
                                  message and send it out.
  @retval EFI_OUT_OF_RESOURCES    Not enough resources to finish the operation.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_TLS_PROCESS_PACKET) (
  IN EFI_TLS_PROTOCOL             *This,
  IN OUT EFI_TLS_FRAGMENT_DATA    **FragmentTable,
  IN UINT32                       *FragmentCount,
  IN EFI_TLS_CRYPT_MODE           CryptMode
  );
449 | \r | |
///
/// The EFI_TLS_PROTOCOL is used to create, destroy and manage TLS session.
/// For detail of TLS, please refer to TLS related RFC.
/// Typical order of use: SetSessionData() for configuration before the handshake,
/// BuildResponsePacket() to drive the handshake (and later the close), and
/// ProcessPacket() for application data once the session is established.
///
struct _EFI_TLS_PROTOCOL {
  EFI_TLS_SET_SESSION_DATA        SetSessionData;
  EFI_TLS_GET_SESSION_DATA        GetSessionData;
  EFI_TLS_BUILD_RESPONSE_PACKET   BuildResponsePacket;
  EFI_TLS_PROCESS_PACKET          ProcessPacket;
};

///
/// GUID variables matching the two #define'd GUIDs above; defined in the package's
/// GUID/protocol declaration file, not in this header.
///
extern EFI_GUID gEfiTlsServiceBindingProtocolGuid;
extern EFI_GUID gEfiTlsProtocolGuid;
463 | \r | |
464 | #endif // __EFI_TLS_PROTOCOL_H__\r | |
465 | \r |