c1d91a599482528228520f078eae79779e63a4d1
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
1 /** @file
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
3
4 Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
5 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #include "InternalTlsLib.h"
17
18 typedef struct {
19 //
20 // IANA/IETF defined Cipher Suite ID
21 //
22 UINT16 IanaCipher;
23 //
24 // OpenSSL-used Cipher Suite String
25 //
26 CONST CHAR8 *OpensslCipher;
27 } TLS_CIPHER_MAPPING;
28
29 //
30 // The mapping table between IANA/IETF Cipher Suite definitions and
31 // OpenSSL-used Cipher Suite name.
32 //
33 // Keep the table uniquely sorted by the IanaCipher field, in increasing order.
34 //
35 STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
36 { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
37 { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
38 { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
39 { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
40 { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
41 { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
42 { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
43 { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
44 { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
45 { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
46 { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
47 { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
48 { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
49 { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
50 { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
51 { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256
52 { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256
53 { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
54 { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
55 { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
56 { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
57 { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
58 { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
59 };
60
61 /**
62 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
63
64 @param[in] CipherId The supplied IANA TLS cipher suite ID.
65
66 @return The corresponding OpenSSL cipher suite mapping if found,
67 NULL otherwise.
68
69 **/
70 STATIC
71 CONST TLS_CIPHER_MAPPING *
72 TlsGetCipherMapping (
73 IN UINT16 CipherId
74 )
75 {
76 INTN Left;
77 INTN Right;
78 INTN Middle;
79
80 //
81 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
82 //
83 Left = 0;
84 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
85
86 while (Right >= Left) {
87 Middle = (Left + Right) / 2;
88
89 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
90 //
91 // Translate IANA cipher suite ID to OpenSSL name.
92 //
93 return &TlsCipherMappingTable[Middle];
94 }
95
96 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
97 Right = Middle - 1;
98 } else {
99 Left = Middle + 1;
100 }
101 }
102
103 //
104 // No Cipher Mapping found, return NULL.
105 //
106 return NULL;
107 }
108
109 /**
110 Set a new TLS/SSL method for a particular TLS object.
111
112 This function sets a new TLS/SSL method for a particular TLS object.
113
114 @param[in] Tls Pointer to a TLS object.
115 @param[in] MajorVer Major Version of TLS/SSL Protocol.
116 @param[in] MinorVer Minor Version of TLS/SSL Protocol.
117
118 @retval EFI_SUCCESS The TLS/SSL method was set successfully.
119 @retval EFI_INVALID_PARAMETER The parameter is invalid.
120 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
121
122 **/
123 EFI_STATUS
124 EFIAPI
125 TlsSetVersion (
126 IN VOID *Tls,
127 IN UINT8 MajorVer,
128 IN UINT8 MinorVer
129 )
130 {
131 TLS_CONNECTION *TlsConn;
132 UINT16 ProtoVersion;
133
134 TlsConn = (TLS_CONNECTION *)Tls;
135 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
136 return EFI_INVALID_PARAMETER;
137 }
138
139 ProtoVersion = (MajorVer << 8) | MinorVer;
140
141 //
142 // Bound TLS method to the particular specified version.
143 //
144 switch (ProtoVersion) {
145 case TLS1_VERSION:
146 //
147 // TLS 1.0
148 //
149 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
150 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
151 break;
152 case TLS1_1_VERSION:
153 //
154 // TLS 1.1
155 //
156 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
157 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
158 break;
159 case TLS1_2_VERSION:
160 //
161 // TLS 1.2
162 //
163 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
164 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
165 break;
166 default:
167 //
168 // Unsupported Protocol Version
169 //
170 return EFI_UNSUPPORTED;
171 }
172
173 return EFI_SUCCESS;;
174 }
175
176 /**
177 Set TLS object to work in client or server mode.
178
179 This function prepares a TLS object to work in client or server mode.
180
181 @param[in] Tls Pointer to a TLS object.
182 @param[in] IsServer Work in server mode.
183
184 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
185 @retval EFI_INVALID_PARAMETER The parameter is invalid.
186 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
187
188 **/
189 EFI_STATUS
190 EFIAPI
191 TlsSetConnectionEnd (
192 IN VOID *Tls,
193 IN BOOLEAN IsServer
194 )
195 {
196 TLS_CONNECTION *TlsConn;
197
198 TlsConn = (TLS_CONNECTION *) Tls;
199 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
200 return EFI_INVALID_PARAMETER;
201 }
202
203 if (!IsServer) {
204 //
205 // Set TLS to work in Client mode.
206 //
207 SSL_set_connect_state (TlsConn->Ssl);
208 } else {
209 //
210 // Set TLS to work in Server mode.
211 // It is unsupported for UEFI version currently.
212 //
213 //SSL_set_accept_state (TlsConn->Ssl);
214 return EFI_UNSUPPORTED;
215 }
216
217 return EFI_SUCCESS;
218 }
219
220 /**
221 Set the ciphers list to be used by the TLS object.
222
223 This function sets the ciphers for use by a specified TLS object.
224
225 @param[in] Tls Pointer to a TLS object.
226 @param[in] CipherId Pointer to a UINT16 cipher Id.
227 @param[in] CipherNum The number of cipher in the list.
228
229 @retval EFI_SUCCESS The ciphers list was set successfully.
230 @retval EFI_INVALID_PARAMETER The parameter is invalid.
231 @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
232
233 **/
234 EFI_STATUS
235 EFIAPI
236 TlsSetCipherList (
237 IN VOID *Tls,
238 IN UINT16 *CipherId,
239 IN UINTN CipherNum
240 )
241 {
242 TLS_CONNECTION *TlsConn;
243 UINTN Index;
244 CONST TLS_CIPHER_MAPPING *Mapping;
245 CONST CHAR8 *MappingName;
246 CHAR8 CipherString[500];
247
248 TlsConn = (TLS_CONNECTION *) Tls;
249 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
250 return EFI_INVALID_PARAMETER;
251 }
252
253 Mapping = NULL;
254 MappingName = NULL;
255
256 memset (CipherString, 0, sizeof (CipherString));
257
258 for (Index = 0; Index < CipherNum; Index++) {
259 //
260 // Handling OpenSSL / RFC Cipher name mapping.
261 //
262 Mapping = TlsGetCipherMapping (*(CipherId + Index));
263 if (Mapping == NULL) {
264 return EFI_UNSUPPORTED;
265 }
266 MappingName = Mapping->OpensslCipher;
267
268 if (Index != 0) {
269 //
270 // The ciphers were separated by a colon.
271 //
272 AsciiStrCatS (CipherString, sizeof (CipherString), ":");
273 }
274
275 AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
276 }
277
278 AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
279
280 //
281 // Sets the ciphers for use by the Tls object.
282 //
283 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
284 return EFI_UNSUPPORTED;
285 }
286
287 return EFI_SUCCESS;
288 }
289
290 /**
291 Set the compression method for TLS/SSL operations.
292
293 This function handles TLS/SSL integrated compression methods.
294
295 @param[in] CompMethod The compression method ID.
296
297 @retval EFI_SUCCESS The compression method for the communication was
298 set successfully.
299 @retval EFI_UNSUPPORTED Unsupported compression method.
300
301 **/
302 EFI_STATUS
303 EFIAPI
304 TlsSetCompressionMethod (
305 IN UINT8 CompMethod
306 )
307 {
308 COMP_METHOD *Cm;
309 INTN Ret;
310
311 Cm = NULL;
312 Ret = 0;
313
314 if (CompMethod == 0) {
315 //
316 // TLS defines one standard compression method, CompressionMethod.null (0),
317 // which specifies that data exchanged via the record protocol will not be compressed.
318 // So, return EFI_SUCCESS directly (RFC 3749).
319 //
320 return EFI_SUCCESS;
321 } else if (CompMethod == 1) {
322 Cm = COMP_zlib();
323 } else {
324 return EFI_UNSUPPORTED;
325 }
326
327 //
328 // Adds the compression method to the list of available
329 // compression methods.
330 //
331 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
332 if (Ret != 0) {
333 return EFI_UNSUPPORTED;
334 }
335
336 return EFI_SUCCESS;
337 }
338
339 /**
340 Set peer certificate verification mode for the TLS connection.
341
342 This function sets the verification mode flags for the TLS connection.
343
344 @param[in] Tls Pointer to the TLS object.
345 @param[in] VerifyMode A set of logically or'ed verification mode flags.
346
347 **/
348 VOID
349 EFIAPI
350 TlsSetVerify (
351 IN VOID *Tls,
352 IN UINT32 VerifyMode
353 )
354 {
355 TLS_CONNECTION *TlsConn;
356
357 TlsConn = (TLS_CONNECTION *) Tls;
358 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
359 return;
360 }
361
362 //
363 // Set peer certificate verification parameters with NULL callback.
364 //
365 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
366 }
367
368 /**
369 Sets a TLS/SSL session ID to be used during TLS/SSL connect.
370
371 This function sets a session ID to be used when the TLS/SSL connection is
372 to be established.
373
374 @param[in] Tls Pointer to the TLS object.
375 @param[in] SessionId Session ID data used for session resumption.
376 @param[in] SessionIdLen Length of Session ID in bytes.
377
378 @retval EFI_SUCCESS Session ID was set successfully.
379 @retval EFI_INVALID_PARAMETER The parameter is invalid.
380 @retval EFI_UNSUPPORTED No available session for ID setting.
381
382 **/
383 EFI_STATUS
384 EFIAPI
385 TlsSetSessionId (
386 IN VOID *Tls,
387 IN UINT8 *SessionId,
388 IN UINT16 SessionIdLen
389 )
390 {
391 TLS_CONNECTION *TlsConn;
392 SSL_SESSION *Session;
393
394 TlsConn = (TLS_CONNECTION *) Tls;
395 Session = NULL;
396
397 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
398 return EFI_INVALID_PARAMETER;
399 }
400
401 Session = SSL_get_session (TlsConn->Ssl);
402 if (Session == NULL) {
403 return EFI_UNSUPPORTED;
404 }
405
406 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
407
408 return EFI_SUCCESS;
409 }
410
411 /**
412 Adds the CA to the cert store when requesting Server or Client authentication.
413
414 This function adds the CA certificate to the list of CAs when requesting
415 Server or Client authentication for the chosen TLS connection.
416
417 @param[in] Tls Pointer to the TLS object.
418 @param[in] Data Pointer to the data buffer of a DER-encoded binary
419 X.509 certificate or PEM-encoded X.509 certificate.
420 @param[in] DataSize The size of data buffer in bytes.
421
422 @retval EFI_SUCCESS The operation succeeded.
423 @retval EFI_INVALID_PARAMETER The parameter is invalid.
424 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
425 @retval EFI_ABORTED Invalid X.509 certificate.
426
427 **/
428 EFI_STATUS
429 EFIAPI
430 TlsSetCaCertificate (
431 IN VOID *Tls,
432 IN VOID *Data,
433 IN UINTN DataSize
434 )
435 {
436 BIO *BioCert;
437 X509 *Cert;
438 X509_STORE *X509Store;
439 EFI_STATUS Status;
440 TLS_CONNECTION *TlsConn;
441 SSL_CTX *SslCtx;
442 INTN Ret;
443 UINTN ErrorCode;
444
445 BioCert = NULL;
446 Cert = NULL;
447 X509Store = NULL;
448 Status = EFI_SUCCESS;
449 TlsConn = (TLS_CONNECTION *) Tls;
450 Ret = 0;
451
452 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
453 return EFI_INVALID_PARAMETER;
454 }
455
456 //
457 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
458 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
459 //
460 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
461 if (Cert == NULL) {
462 //
463 // Certificate is from PEM encoding.
464 //
465 BioCert = BIO_new (BIO_s_mem ());
466 if (BioCert == NULL) {
467 Status = EFI_OUT_OF_RESOURCES;
468 goto ON_EXIT;
469 }
470
471 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
472 Status = EFI_ABORTED;
473 goto ON_EXIT;
474 }
475
476 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
477 if (Cert == NULL) {
478 Status = EFI_ABORTED;
479 goto ON_EXIT;
480 }
481 }
482
483 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
484 X509Store = SSL_CTX_get_cert_store (SslCtx);
485 if (X509Store == NULL) {
486 Status = EFI_ABORTED;
487 goto ON_EXIT;
488 }
489
490 //
491 // Add certificate to X509 store
492 //
493 Ret = X509_STORE_add_cert (X509Store, Cert);
494 if (Ret != 1) {
495 ErrorCode = ERR_peek_last_error ();
496 //
497 // Ignore "already in table" errors
498 //
499 if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
500 ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
501 Status = EFI_ABORTED;
502 goto ON_EXIT;
503 }
504 }
505
506 ON_EXIT:
507 if (BioCert != NULL) {
508 BIO_free (BioCert);
509 }
510
511 if (Cert != NULL) {
512 X509_free (Cert);
513 }
514
515 return Status;
516 }
517
518 /**
519 Loads the local public certificate into the specified TLS object.
520
521 This function loads the X.509 certificate into the specified TLS object
522 for TLS negotiation.
523
524 @param[in] Tls Pointer to the TLS object.
525 @param[in] Data Pointer to the data buffer of a DER-encoded binary
526 X.509 certificate or PEM-encoded X.509 certificate.
527 @param[in] DataSize The size of data buffer in bytes.
528
529 @retval EFI_SUCCESS The operation succeeded.
530 @retval EFI_INVALID_PARAMETER The parameter is invalid.
531 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
532 @retval EFI_ABORTED Invalid X.509 certificate.
533
534 **/
535 EFI_STATUS
536 EFIAPI
537 TlsSetHostPublicCert (
538 IN VOID *Tls,
539 IN VOID *Data,
540 IN UINTN DataSize
541 )
542 {
543 BIO *BioCert;
544 X509 *Cert;
545 EFI_STATUS Status;
546 TLS_CONNECTION *TlsConn;
547
548 BioCert = NULL;
549 Cert = NULL;
550 Status = EFI_SUCCESS;
551 TlsConn = (TLS_CONNECTION *) Tls;
552
553 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
554 return EFI_INVALID_PARAMETER;
555 }
556
557 //
558 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
559 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
560 //
561 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
562 if (Cert == NULL) {
563 //
564 // Certificate is from PEM encoding.
565 //
566 BioCert = BIO_new (BIO_s_mem ());
567 if (BioCert == NULL) {
568 Status = EFI_OUT_OF_RESOURCES;
569 goto ON_EXIT;
570 }
571
572 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
573 Status = EFI_ABORTED;
574 goto ON_EXIT;
575 }
576
577 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
578 if (Cert == NULL) {
579 Status = EFI_ABORTED;
580 goto ON_EXIT;
581 }
582 }
583
584 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
585 Status = EFI_ABORTED;
586 goto ON_EXIT;
587 }
588
589 ON_EXIT:
590 if (BioCert != NULL) {
591 BIO_free (BioCert);
592 }
593
594 if (Cert != NULL) {
595 X509_free (Cert);
596 }
597
598 return Status;
599 }
600
601 /**
602 Adds the local private key to the specified TLS object.
603
604 This function adds the local private key (PEM-encoded RSA or PKCS#8 private
605 key) into the specified TLS object for TLS negotiation.
606
607 @param[in] Tls Pointer to the TLS object.
608 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
609 or PKCS#8 private key.
610 @param[in] DataSize The size of data buffer in bytes.
611
612 @retval EFI_SUCCESS The operation succeeded.
613 @retval EFI_UNSUPPORTED This function is not supported.
614 @retval EFI_ABORTED Invalid private key data.
615
616 **/
617 EFI_STATUS
618 EFIAPI
619 TlsSetHostPrivateKey (
620 IN VOID *Tls,
621 IN VOID *Data,
622 IN UINTN DataSize
623 )
624 {
625 return EFI_UNSUPPORTED;
626 }
627
628 /**
629 Adds the CA-supplied certificate revocation list for certificate validation.
630
631 This function adds the CA-supplied certificate revocation list data for
632 certificate validity checking.
633
634 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
635 @param[in] DataSize The size of data buffer in bytes.
636
637 @retval EFI_SUCCESS The operation succeeded.
638 @retval EFI_UNSUPPORTED This function is not supported.
639 @retval EFI_ABORTED Invalid CRL data.
640
641 **/
642 EFI_STATUS
643 EFIAPI
644 TlsSetCertRevocationList (
645 IN VOID *Data,
646 IN UINTN DataSize
647 )
648 {
649 return EFI_UNSUPPORTED;
650 }
651
652 /**
653 Gets the protocol version used by the specified TLS connection.
654
655 This function returns the protocol version used by the specified TLS
656 connection.
657
658 If Tls is NULL, then ASSERT().
659
660 @param[in] Tls Pointer to the TLS object.
661
662 @return The protocol version of the specified TLS connection.
663
664 **/
665 UINT16
666 EFIAPI
667 TlsGetVersion (
668 IN VOID *Tls
669 )
670 {
671 TLS_CONNECTION *TlsConn;
672
673 TlsConn = (TLS_CONNECTION *) Tls;
674
675 ASSERT (TlsConn != NULL);
676
677 return (UINT16)(SSL_version (TlsConn->Ssl));
678 }
679
680 /**
681 Gets the connection end of the specified TLS connection.
682
683 This function returns the connection end (as client or as server) used by
684 the specified TLS connection.
685
686 If Tls is NULL, then ASSERT().
687
688 @param[in] Tls Pointer to the TLS object.
689
690 @return The connection end used by the specified TLS connection.
691
692 **/
693 UINT8
694 EFIAPI
695 TlsGetConnectionEnd (
696 IN VOID *Tls
697 )
698 {
699 TLS_CONNECTION *TlsConn;
700
701 TlsConn = (TLS_CONNECTION *) Tls;
702
703 ASSERT (TlsConn != NULL);
704
705 return (UINT8)SSL_is_server (TlsConn->Ssl);
706 }
707
708 /**
709 Gets the cipher suite used by the specified TLS connection.
710
711 This function returns current cipher suite used by the specified
712 TLS connection.
713
714 @param[in] Tls Pointer to the TLS object.
715 @param[in,out] CipherId The cipher suite used by the TLS object.
716
717 @retval EFI_SUCCESS The cipher suite was returned successfully.
718 @retval EFI_INVALID_PARAMETER The parameter is invalid.
719 @retval EFI_UNSUPPORTED Unsupported cipher suite.
720
721 **/
722 EFI_STATUS
723 EFIAPI
724 TlsGetCurrentCipher (
725 IN VOID *Tls,
726 IN OUT UINT16 *CipherId
727 )
728 {
729 TLS_CONNECTION *TlsConn;
730 CONST SSL_CIPHER *Cipher;
731
732 TlsConn = (TLS_CONNECTION *) Tls;
733 Cipher = NULL;
734
735 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
736 return EFI_INVALID_PARAMETER;
737 }
738
739 Cipher = SSL_get_current_cipher (TlsConn->Ssl);
740 if (Cipher == NULL) {
741 return EFI_UNSUPPORTED;
742 }
743
744 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
745
746 return EFI_SUCCESS;
747 }
748
749 /**
750 Gets the compression methods used by the specified TLS connection.
751
752 This function returns current integrated compression methods used by
753 the specified TLS connection.
754
755 @param[in] Tls Pointer to the TLS object.
756 @param[in,out] CompressionId The current compression method used by
757 the TLS object.
758
759 @retval EFI_SUCCESS The compression method was returned successfully.
760 @retval EFI_INVALID_PARAMETER The parameter is invalid.
761 @retval EFI_ABORTED Invalid Compression method.
762 @retval EFI_UNSUPPORTED This function is not supported.
763
764 **/
765 EFI_STATUS
766 EFIAPI
767 TlsGetCurrentCompressionId (
768 IN VOID *Tls,
769 IN OUT UINT8 *CompressionId
770 )
771 {
772 return EFI_UNSUPPORTED;
773 }
774
775 /**
776 Gets the verification mode currently set in the TLS connection.
777
778 This function returns the peer verification mode currently set in the
779 specified TLS connection.
780
781 If Tls is NULL, then ASSERT().
782
783 @param[in] Tls Pointer to the TLS object.
784
785 @return The verification mode set in the specified TLS connection.
786
787 **/
788 UINT32
789 EFIAPI
790 TlsGetVerify (
791 IN VOID *Tls
792 )
793 {
794 TLS_CONNECTION *TlsConn;
795
796 TlsConn = (TLS_CONNECTION *) Tls;
797
798 ASSERT (TlsConn != NULL);
799
800 return SSL_get_verify_mode (TlsConn->Ssl);
801 }
802
803 /**
804 Gets the session ID used by the specified TLS connection.
805
806 This function returns the TLS/SSL session ID currently used by the
807 specified TLS connection.
808
809 @param[in] Tls Pointer to the TLS object.
810 @param[in,out] SessionId Buffer to contain the returned session ID.
811 @param[in,out] SessionIdLen The length of Session ID in bytes.
812
813 @retval EFI_SUCCESS The Session ID was returned successfully.
814 @retval EFI_INVALID_PARAMETER The parameter is invalid.
815 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
816
817 **/
818 EFI_STATUS
819 EFIAPI
820 TlsGetSessionId (
821 IN VOID *Tls,
822 IN OUT UINT8 *SessionId,
823 IN OUT UINT16 *SessionIdLen
824 )
825 {
826 TLS_CONNECTION *TlsConn;
827 SSL_SESSION *Session;
828 CONST UINT8 *SslSessionId;
829
830 TlsConn = (TLS_CONNECTION *) Tls;
831 Session = NULL;
832
833 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
834 return EFI_INVALID_PARAMETER;
835 }
836
837 Session = SSL_get_session (TlsConn->Ssl);
838 if (Session == NULL) {
839 return EFI_UNSUPPORTED;
840 }
841
842 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
843 CopyMem (SessionId, SslSessionId, *SessionIdLen);
844
845 return EFI_SUCCESS;
846 }
847
848 /**
849 Gets the client random data used in the specified TLS connection.
850
851 This function returns the TLS/SSL client random data currently used in
852 the specified TLS connection.
853
854 @param[in] Tls Pointer to the TLS object.
855 @param[in,out] ClientRandom Buffer to contain the returned client
856 random data (32 bytes).
857
858 **/
859 VOID
860 EFIAPI
861 TlsGetClientRandom (
862 IN VOID *Tls,
863 IN OUT UINT8 *ClientRandom
864 )
865 {
866 TLS_CONNECTION *TlsConn;
867
868 TlsConn = (TLS_CONNECTION *) Tls;
869
870 if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
871 return;
872 }
873
874 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
875 }
876
877 /**
878 Gets the server random data used in the specified TLS connection.
879
880 This function returns the TLS/SSL server random data currently used in
881 the specified TLS connection.
882
883 @param[in] Tls Pointer to the TLS object.
884 @param[in,out] ServerRandom Buffer to contain the returned server
885 random data (32 bytes).
886
887 **/
888 VOID
889 EFIAPI
890 TlsGetServerRandom (
891 IN VOID *Tls,
892 IN OUT UINT8 *ServerRandom
893 )
894 {
895 TLS_CONNECTION *TlsConn;
896
897 TlsConn = (TLS_CONNECTION *) Tls;
898
899 if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
900 return;
901 }
902
903 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
904 }
905
906 /**
907 Gets the master key data used in the specified TLS connection.
908
909 This function returns the TLS/SSL master key material currently used in
910 the specified TLS connection.
911
912 @param[in] Tls Pointer to the TLS object.
913 @param[in,out] KeyMaterial Buffer to contain the returned key material.
914
915 @retval EFI_SUCCESS Key material was returned successfully.
916 @retval EFI_INVALID_PARAMETER The parameter is invalid.
917 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
918
919 **/
920 EFI_STATUS
921 EFIAPI
922 TlsGetKeyMaterial (
923 IN VOID *Tls,
924 IN OUT UINT8 *KeyMaterial
925 )
926 {
927 TLS_CONNECTION *TlsConn;
928 SSL_SESSION *Session;
929
930 TlsConn = (TLS_CONNECTION *) Tls;
931 Session = NULL;
932
933 if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
934 return EFI_INVALID_PARAMETER;
935 }
936
937 Session = SSL_get_session (TlsConn->Ssl);
938
939 if (Session == NULL) {
940 return EFI_UNSUPPORTED;
941 }
942
943 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
944
945 return EFI_SUCCESS;
946 }
947
948 /**
949 Gets the CA Certificate from the cert store.
950
951 This function returns the CA certificate for the chosen
952 TLS connection.
953
954 @param[in] Tls Pointer to the TLS object.
955 @param[out] Data Pointer to the data buffer to receive the CA
956 certificate data sent to the client.
957 @param[in,out] DataSize The size of data buffer in bytes.
958
959 @retval EFI_SUCCESS The operation succeeded.
960 @retval EFI_UNSUPPORTED This function is not supported.
961 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
962
963 **/
964 EFI_STATUS
965 EFIAPI
966 TlsGetCaCertificate (
967 IN VOID *Tls,
968 OUT VOID *Data,
969 IN OUT UINTN *DataSize
970 )
971 {
972 return EFI_UNSUPPORTED;
973 }
974
975 /**
976 Gets the local public Certificate set in the specified TLS object.
977
978 This function returns the local public certificate which was currently set
979 in the specified TLS object.
980
981 @param[in] Tls Pointer to the TLS object.
982 @param[out] Data Pointer to the data buffer to receive the local
983 public certificate.
984 @param[in,out] DataSize The size of data buffer in bytes.
985
986 @retval EFI_SUCCESS The operation succeeded.
987 @retval EFI_INVALID_PARAMETER The parameter is invalid.
988 @retval EFI_NOT_FOUND The certificate is not found.
989 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
990
991 **/
992 EFI_STATUS
993 EFIAPI
994 TlsGetHostPublicCert (
995 IN VOID *Tls,
996 OUT VOID *Data,
997 IN OUT UINTN *DataSize
998 )
999 {
1000 X509 *Cert;
1001 TLS_CONNECTION *TlsConn;
1002
1003 Cert = NULL;
1004 TlsConn = (TLS_CONNECTION *) Tls;
1005
1006 if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {
1007 return EFI_INVALID_PARAMETER;
1008 }
1009
1010 Cert = SSL_get_certificate(TlsConn->Ssl);
1011 if (Cert == NULL) {
1012 return EFI_NOT_FOUND;
1013 }
1014
1015 //
1016 // Only DER encoding is supported currently.
1017 //
1018 if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
1019 *DataSize = (UINTN) i2d_X509 (Cert, NULL);
1020 return EFI_BUFFER_TOO_SMALL;
1021 }
1022
1023 *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
1024
1025 return EFI_SUCCESS;
1026 }
1027
1028 /**
1029 Gets the local private key set in the specified TLS object.
1030
1031 This function returns the local private key data which was currently set
1032 in the specified TLS object.
1033
1034 @param[in] Tls Pointer to the TLS object.
1035 @param[out] Data Pointer to the data buffer to receive the local
1036 private key data.
1037 @param[in,out] DataSize The size of data buffer in bytes.
1038
1039 @retval EFI_SUCCESS The operation succeeded.
1040 @retval EFI_UNSUPPORTED This function is not supported.
1041 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1042
1043 **/
1044 EFI_STATUS
1045 EFIAPI
1046 TlsGetHostPrivateKey (
1047 IN VOID *Tls,
1048 OUT VOID *Data,
1049 IN OUT UINTN *DataSize
1050 )
1051 {
1052 return EFI_UNSUPPORTED;
1053 }
1054
1055 /**
1056 Gets the CA-supplied certificate revocation list data set in the specified
1057 TLS object.
1058
1059 This function returns the CA-supplied certificate revocation list data which
1060 was currently set in the specified TLS object.
1061
1062 @param[out] Data Pointer to the data buffer to receive the CRL data.
1063 @param[in,out] DataSize The size of data buffer in bytes.
1064
1065 @retval EFI_SUCCESS The operation succeeded.
1066 @retval EFI_UNSUPPORTED This function is not supported.
1067 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1068
1069 **/
1070 EFI_STATUS
1071 EFIAPI
1072 TlsGetCertRevocationList (
1073 OUT VOID *Data,
1074 IN OUT UINTN *DataSize
1075 )
1076 {
1077 return EFI_UNSUPPORTED;
1078 }
1079