CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
1 /** @file
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
3
4 Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
5 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #include "InternalTlsLib.h"
17
18 typedef struct {
19 //
20 // IANA/IETF defined Cipher Suite ID
21 //
22 UINT16 IanaCipher;
23 //
24 // OpenSSL-used Cipher Suite String
25 //
26 CONST CHAR8 *OpensslCipher;
27 //
28 // Length of OpensslCipher
29 //
30 UINTN OpensslCipherLength;
31 } TLS_CIPHER_MAPPING;
32
33 //
34 // Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so
35 // that OpensslCipherLength is filled in automatically. IanaCipher must be an
36 // integer constant expression, and OpensslCipher must be a string literal.
37 //
38 #define MAP(IanaCipher, OpensslCipher) \
39 { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
40
41 //
42 // The mapping table between IANA/IETF Cipher Suite definitions and
43 // OpenSSL-used Cipher Suite name.
44 //
45 // Keep the table uniquely sorted by the IanaCipher field, in increasing order.
46 //
47 STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
48 MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5
49 MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA
50 MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5
51 MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA
52 MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
53 MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
54 MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
55 MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
56 MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
57 MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
58 MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA
59 MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
60 MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
61 MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
62 MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256
63 MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256
64 MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256
65 MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
66 MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
67 MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
68 MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
69 MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
70 MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
71 };
72
73 /**
74 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
75
76 @param[in] CipherId The supplied IANA TLS cipher suite ID.
77
78 @return The corresponding OpenSSL cipher suite mapping if found,
79 NULL otherwise.
80
81 **/
82 STATIC
83 CONST TLS_CIPHER_MAPPING *
84 TlsGetCipherMapping (
85 IN UINT16 CipherId
86 )
87 {
88 INTN Left;
89 INTN Right;
90 INTN Middle;
91
92 //
93 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
94 //
95 Left = 0;
96 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
97
98 while (Right >= Left) {
99 Middle = (Left + Right) / 2;
100
101 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
102 //
103 // Translate IANA cipher suite ID to OpenSSL name.
104 //
105 return &TlsCipherMappingTable[Middle];
106 }
107
108 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
109 Right = Middle - 1;
110 } else {
111 Left = Middle + 1;
112 }
113 }
114
115 //
116 // No Cipher Mapping found, return NULL.
117 //
118 return NULL;
119 }
120
121 /**
122 Set a new TLS/SSL method for a particular TLS object.
123
124 This function sets a new TLS/SSL method for a particular TLS object.
125
126 @param[in] Tls Pointer to a TLS object.
127 @param[in] MajorVer Major Version of TLS/SSL Protocol.
128 @param[in] MinorVer Minor Version of TLS/SSL Protocol.
129
130 @retval EFI_SUCCESS The TLS/SSL method was set successfully.
131 @retval EFI_INVALID_PARAMETER The parameter is invalid.
132 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
133
134 **/
135 EFI_STATUS
136 EFIAPI
137 TlsSetVersion (
138 IN VOID *Tls,
139 IN UINT8 MajorVer,
140 IN UINT8 MinorVer
141 )
142 {
143 TLS_CONNECTION *TlsConn;
144 UINT16 ProtoVersion;
145
146 TlsConn = (TLS_CONNECTION *)Tls;
147 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
148 return EFI_INVALID_PARAMETER;
149 }
150
151 ProtoVersion = (MajorVer << 8) | MinorVer;
152
153 //
154 // Bound TLS method to the particular specified version.
155 //
156 switch (ProtoVersion) {
157 case TLS1_VERSION:
158 //
159 // TLS 1.0
160 //
161 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
162 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
163 break;
164 case TLS1_1_VERSION:
165 //
166 // TLS 1.1
167 //
168 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
169 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
170 break;
171 case TLS1_2_VERSION:
172 //
173 // TLS 1.2
174 //
175 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
176 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
177 break;
178 default:
179 //
180 // Unsupported Protocol Version
181 //
182 return EFI_UNSUPPORTED;
183 }
184
185 return EFI_SUCCESS;;
186 }
187
188 /**
189 Set TLS object to work in client or server mode.
190
191 This function prepares a TLS object to work in client or server mode.
192
193 @param[in] Tls Pointer to a TLS object.
194 @param[in] IsServer Work in server mode.
195
196 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
197 @retval EFI_INVALID_PARAMETER The parameter is invalid.
198 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
199
200 **/
201 EFI_STATUS
202 EFIAPI
203 TlsSetConnectionEnd (
204 IN VOID *Tls,
205 IN BOOLEAN IsServer
206 )
207 {
208 TLS_CONNECTION *TlsConn;
209
210 TlsConn = (TLS_CONNECTION *) Tls;
211 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
212 return EFI_INVALID_PARAMETER;
213 }
214
215 if (!IsServer) {
216 //
217 // Set TLS to work in Client mode.
218 //
219 SSL_set_connect_state (TlsConn->Ssl);
220 } else {
221 //
222 // Set TLS to work in Server mode.
223 // It is unsupported for UEFI version currently.
224 //
225 //SSL_set_accept_state (TlsConn->Ssl);
226 return EFI_UNSUPPORTED;
227 }
228
229 return EFI_SUCCESS;
230 }
231
232 /**
233 Set the ciphers list to be used by the TLS object.
234
235 This function sets the ciphers for use by a specified TLS object.
236
237 @param[in] Tls Pointer to a TLS object.
238 @param[in] CipherId Pointer to a UINT16 cipher Id.
239 @param[in] CipherNum The number of cipher in the list.
240
241 @retval EFI_SUCCESS The ciphers list was set successfully.
242 @retval EFI_INVALID_PARAMETER The parameter is invalid.
243 @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
244
245 **/
246 EFI_STATUS
247 EFIAPI
248 TlsSetCipherList (
249 IN VOID *Tls,
250 IN UINT16 *CipherId,
251 IN UINTN CipherNum
252 )
253 {
254 TLS_CONNECTION *TlsConn;
255 UINTN Index;
256 CONST TLS_CIPHER_MAPPING *Mapping;
257 CONST CHAR8 *MappingName;
258 CHAR8 CipherString[500];
259
260 TlsConn = (TLS_CONNECTION *) Tls;
261 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
262 return EFI_INVALID_PARAMETER;
263 }
264
265 Mapping = NULL;
266 MappingName = NULL;
267
268 memset (CipherString, 0, sizeof (CipherString));
269
270 for (Index = 0; Index < CipherNum; Index++) {
271 //
272 // Handling OpenSSL / RFC Cipher name mapping.
273 //
274 Mapping = TlsGetCipherMapping (*(CipherId + Index));
275 if (Mapping == NULL) {
276 return EFI_UNSUPPORTED;
277 }
278 MappingName = Mapping->OpensslCipher;
279
280 if (Index != 0) {
281 //
282 // The ciphers were separated by a colon.
283 //
284 AsciiStrCatS (CipherString, sizeof (CipherString), ":");
285 }
286
287 AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
288 }
289
290 AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
291
292 //
293 // Sets the ciphers for use by the Tls object.
294 //
295 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
296 return EFI_UNSUPPORTED;
297 }
298
299 return EFI_SUCCESS;
300 }
301
302 /**
303 Set the compression method for TLS/SSL operations.
304
305 This function handles TLS/SSL integrated compression methods.
306
307 @param[in] CompMethod The compression method ID.
308
309 @retval EFI_SUCCESS The compression method for the communication was
310 set successfully.
311 @retval EFI_UNSUPPORTED Unsupported compression method.
312
313 **/
314 EFI_STATUS
315 EFIAPI
316 TlsSetCompressionMethod (
317 IN UINT8 CompMethod
318 )
319 {
320 COMP_METHOD *Cm;
321 INTN Ret;
322
323 Cm = NULL;
324 Ret = 0;
325
326 if (CompMethod == 0) {
327 //
328 // TLS defines one standard compression method, CompressionMethod.null (0),
329 // which specifies that data exchanged via the record protocol will not be compressed.
330 // So, return EFI_SUCCESS directly (RFC 3749).
331 //
332 return EFI_SUCCESS;
333 } else if (CompMethod == 1) {
334 Cm = COMP_zlib();
335 } else {
336 return EFI_UNSUPPORTED;
337 }
338
339 //
340 // Adds the compression method to the list of available
341 // compression methods.
342 //
343 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
344 if (Ret != 0) {
345 return EFI_UNSUPPORTED;
346 }
347
348 return EFI_SUCCESS;
349 }
350
351 /**
352 Set peer certificate verification mode for the TLS connection.
353
354 This function sets the verification mode flags for the TLS connection.
355
356 @param[in] Tls Pointer to the TLS object.
357 @param[in] VerifyMode A set of logically or'ed verification mode flags.
358
359 **/
360 VOID
361 EFIAPI
362 TlsSetVerify (
363 IN VOID *Tls,
364 IN UINT32 VerifyMode
365 )
366 {
367 TLS_CONNECTION *TlsConn;
368
369 TlsConn = (TLS_CONNECTION *) Tls;
370 if (TlsConn == NULL || TlsConn->Ssl == NULL) {
371 return;
372 }
373
374 //
375 // Set peer certificate verification parameters with NULL callback.
376 //
377 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
378 }
379
380 /**
381 Sets a TLS/SSL session ID to be used during TLS/SSL connect.
382
383 This function sets a session ID to be used when the TLS/SSL connection is
384 to be established.
385
386 @param[in] Tls Pointer to the TLS object.
387 @param[in] SessionId Session ID data used for session resumption.
388 @param[in] SessionIdLen Length of Session ID in bytes.
389
390 @retval EFI_SUCCESS Session ID was set successfully.
391 @retval EFI_INVALID_PARAMETER The parameter is invalid.
392 @retval EFI_UNSUPPORTED No available session for ID setting.
393
394 **/
395 EFI_STATUS
396 EFIAPI
397 TlsSetSessionId (
398 IN VOID *Tls,
399 IN UINT8 *SessionId,
400 IN UINT16 SessionIdLen
401 )
402 {
403 TLS_CONNECTION *TlsConn;
404 SSL_SESSION *Session;
405
406 TlsConn = (TLS_CONNECTION *) Tls;
407 Session = NULL;
408
409 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
410 return EFI_INVALID_PARAMETER;
411 }
412
413 Session = SSL_get_session (TlsConn->Ssl);
414 if (Session == NULL) {
415 return EFI_UNSUPPORTED;
416 }
417
418 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
419
420 return EFI_SUCCESS;
421 }
422
423 /**
424 Adds the CA to the cert store when requesting Server or Client authentication.
425
426 This function adds the CA certificate to the list of CAs when requesting
427 Server or Client authentication for the chosen TLS connection.
428
429 @param[in] Tls Pointer to the TLS object.
430 @param[in] Data Pointer to the data buffer of a DER-encoded binary
431 X.509 certificate or PEM-encoded X.509 certificate.
432 @param[in] DataSize The size of data buffer in bytes.
433
434 @retval EFI_SUCCESS The operation succeeded.
435 @retval EFI_INVALID_PARAMETER The parameter is invalid.
436 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
437 @retval EFI_ABORTED Invalid X.509 certificate.
438
439 **/
440 EFI_STATUS
441 EFIAPI
442 TlsSetCaCertificate (
443 IN VOID *Tls,
444 IN VOID *Data,
445 IN UINTN DataSize
446 )
447 {
448 BIO *BioCert;
449 X509 *Cert;
450 X509_STORE *X509Store;
451 EFI_STATUS Status;
452 TLS_CONNECTION *TlsConn;
453 SSL_CTX *SslCtx;
454 INTN Ret;
455 UINTN ErrorCode;
456
457 BioCert = NULL;
458 Cert = NULL;
459 X509Store = NULL;
460 Status = EFI_SUCCESS;
461 TlsConn = (TLS_CONNECTION *) Tls;
462 Ret = 0;
463
464 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
465 return EFI_INVALID_PARAMETER;
466 }
467
468 //
469 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
470 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
471 //
472 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
473 if (Cert == NULL) {
474 //
475 // Certificate is from PEM encoding.
476 //
477 BioCert = BIO_new (BIO_s_mem ());
478 if (BioCert == NULL) {
479 Status = EFI_OUT_OF_RESOURCES;
480 goto ON_EXIT;
481 }
482
483 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
484 Status = EFI_ABORTED;
485 goto ON_EXIT;
486 }
487
488 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
489 if (Cert == NULL) {
490 Status = EFI_ABORTED;
491 goto ON_EXIT;
492 }
493 }
494
495 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
496 X509Store = SSL_CTX_get_cert_store (SslCtx);
497 if (X509Store == NULL) {
498 Status = EFI_ABORTED;
499 goto ON_EXIT;
500 }
501
502 //
503 // Add certificate to X509 store
504 //
505 Ret = X509_STORE_add_cert (X509Store, Cert);
506 if (Ret != 1) {
507 ErrorCode = ERR_peek_last_error ();
508 //
509 // Ignore "already in table" errors
510 //
511 if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
512 ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
513 Status = EFI_ABORTED;
514 goto ON_EXIT;
515 }
516 }
517
518 ON_EXIT:
519 if (BioCert != NULL) {
520 BIO_free (BioCert);
521 }
522
523 if (Cert != NULL) {
524 X509_free (Cert);
525 }
526
527 return Status;
528 }
529
530 /**
531 Loads the local public certificate into the specified TLS object.
532
533 This function loads the X.509 certificate into the specified TLS object
534 for TLS negotiation.
535
536 @param[in] Tls Pointer to the TLS object.
537 @param[in] Data Pointer to the data buffer of a DER-encoded binary
538 X.509 certificate or PEM-encoded X.509 certificate.
539 @param[in] DataSize The size of data buffer in bytes.
540
541 @retval EFI_SUCCESS The operation succeeded.
542 @retval EFI_INVALID_PARAMETER The parameter is invalid.
543 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
544 @retval EFI_ABORTED Invalid X.509 certificate.
545
546 **/
547 EFI_STATUS
548 EFIAPI
549 TlsSetHostPublicCert (
550 IN VOID *Tls,
551 IN VOID *Data,
552 IN UINTN DataSize
553 )
554 {
555 BIO *BioCert;
556 X509 *Cert;
557 EFI_STATUS Status;
558 TLS_CONNECTION *TlsConn;
559
560 BioCert = NULL;
561 Cert = NULL;
562 Status = EFI_SUCCESS;
563 TlsConn = (TLS_CONNECTION *) Tls;
564
565 if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
566 return EFI_INVALID_PARAMETER;
567 }
568
569 //
570 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
571 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
572 //
573 Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
574 if (Cert == NULL) {
575 //
576 // Certificate is from PEM encoding.
577 //
578 BioCert = BIO_new (BIO_s_mem ());
579 if (BioCert == NULL) {
580 Status = EFI_OUT_OF_RESOURCES;
581 goto ON_EXIT;
582 }
583
584 if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
585 Status = EFI_ABORTED;
586 goto ON_EXIT;
587 }
588
589 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
590 if (Cert == NULL) {
591 Status = EFI_ABORTED;
592 goto ON_EXIT;
593 }
594 }
595
596 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
597 Status = EFI_ABORTED;
598 goto ON_EXIT;
599 }
600
601 ON_EXIT:
602 if (BioCert != NULL) {
603 BIO_free (BioCert);
604 }
605
606 if (Cert != NULL) {
607 X509_free (Cert);
608 }
609
610 return Status;
611 }
612
613 /**
614 Adds the local private key to the specified TLS object.
615
616 This function adds the local private key (PEM-encoded RSA or PKCS#8 private
617 key) into the specified TLS object for TLS negotiation.
618
619 @param[in] Tls Pointer to the TLS object.
620 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
621 or PKCS#8 private key.
622 @param[in] DataSize The size of data buffer in bytes.
623
624 @retval EFI_SUCCESS The operation succeeded.
625 @retval EFI_UNSUPPORTED This function is not supported.
626 @retval EFI_ABORTED Invalid private key data.
627
628 **/
629 EFI_STATUS
630 EFIAPI
631 TlsSetHostPrivateKey (
632 IN VOID *Tls,
633 IN VOID *Data,
634 IN UINTN DataSize
635 )
636 {
637 return EFI_UNSUPPORTED;
638 }
639
640 /**
641 Adds the CA-supplied certificate revocation list for certificate validation.
642
643 This function adds the CA-supplied certificate revocation list data for
644 certificate validity checking.
645
646 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
647 @param[in] DataSize The size of data buffer in bytes.
648
649 @retval EFI_SUCCESS The operation succeeded.
650 @retval EFI_UNSUPPORTED This function is not supported.
651 @retval EFI_ABORTED Invalid CRL data.
652
653 **/
654 EFI_STATUS
655 EFIAPI
656 TlsSetCertRevocationList (
657 IN VOID *Data,
658 IN UINTN DataSize
659 )
660 {
661 return EFI_UNSUPPORTED;
662 }
663
664 /**
665 Gets the protocol version used by the specified TLS connection.
666
667 This function returns the protocol version used by the specified TLS
668 connection.
669
670 If Tls is NULL, then ASSERT().
671
672 @param[in] Tls Pointer to the TLS object.
673
674 @return The protocol version of the specified TLS connection.
675
676 **/
677 UINT16
678 EFIAPI
679 TlsGetVersion (
680 IN VOID *Tls
681 )
682 {
683 TLS_CONNECTION *TlsConn;
684
685 TlsConn = (TLS_CONNECTION *) Tls;
686
687 ASSERT (TlsConn != NULL);
688
689 return (UINT16)(SSL_version (TlsConn->Ssl));
690 }
691
692 /**
693 Gets the connection end of the specified TLS connection.
694
695 This function returns the connection end (as client or as server) used by
696 the specified TLS connection.
697
698 If Tls is NULL, then ASSERT().
699
700 @param[in] Tls Pointer to the TLS object.
701
702 @return The connection end used by the specified TLS connection.
703
704 **/
705 UINT8
706 EFIAPI
707 TlsGetConnectionEnd (
708 IN VOID *Tls
709 )
710 {
711 TLS_CONNECTION *TlsConn;
712
713 TlsConn = (TLS_CONNECTION *) Tls;
714
715 ASSERT (TlsConn != NULL);
716
717 return (UINT8)SSL_is_server (TlsConn->Ssl);
718 }
719
720 /**
721 Gets the cipher suite used by the specified TLS connection.
722
723 This function returns current cipher suite used by the specified
724 TLS connection.
725
726 @param[in] Tls Pointer to the TLS object.
727 @param[in,out] CipherId The cipher suite used by the TLS object.
728
729 @retval EFI_SUCCESS The cipher suite was returned successfully.
730 @retval EFI_INVALID_PARAMETER The parameter is invalid.
731 @retval EFI_UNSUPPORTED Unsupported cipher suite.
732
733 **/
734 EFI_STATUS
735 EFIAPI
736 TlsGetCurrentCipher (
737 IN VOID *Tls,
738 IN OUT UINT16 *CipherId
739 )
740 {
741 TLS_CONNECTION *TlsConn;
742 CONST SSL_CIPHER *Cipher;
743
744 TlsConn = (TLS_CONNECTION *) Tls;
745 Cipher = NULL;
746
747 if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
748 return EFI_INVALID_PARAMETER;
749 }
750
751 Cipher = SSL_get_current_cipher (TlsConn->Ssl);
752 if (Cipher == NULL) {
753 return EFI_UNSUPPORTED;
754 }
755
756 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
757
758 return EFI_SUCCESS;
759 }
760
761 /**
762 Gets the compression methods used by the specified TLS connection.
763
764 This function returns current integrated compression methods used by
765 the specified TLS connection.
766
767 @param[in] Tls Pointer to the TLS object.
768 @param[in,out] CompressionId The current compression method used by
769 the TLS object.
770
771 @retval EFI_SUCCESS The compression method was returned successfully.
772 @retval EFI_INVALID_PARAMETER The parameter is invalid.
773 @retval EFI_ABORTED Invalid Compression method.
774 @retval EFI_UNSUPPORTED This function is not supported.
775
776 **/
777 EFI_STATUS
778 EFIAPI
779 TlsGetCurrentCompressionId (
780 IN VOID *Tls,
781 IN OUT UINT8 *CompressionId
782 )
783 {
784 return EFI_UNSUPPORTED;
785 }
786
787 /**
788 Gets the verification mode currently set in the TLS connection.
789
790 This function returns the peer verification mode currently set in the
791 specified TLS connection.
792
793 If Tls is NULL, then ASSERT().
794
795 @param[in] Tls Pointer to the TLS object.
796
797 @return The verification mode set in the specified TLS connection.
798
799 **/
800 UINT32
801 EFIAPI
802 TlsGetVerify (
803 IN VOID *Tls
804 )
805 {
806 TLS_CONNECTION *TlsConn;
807
808 TlsConn = (TLS_CONNECTION *) Tls;
809
810 ASSERT (TlsConn != NULL);
811
812 return SSL_get_verify_mode (TlsConn->Ssl);
813 }
814
815 /**
816 Gets the session ID used by the specified TLS connection.
817
818 This function returns the TLS/SSL session ID currently used by the
819 specified TLS connection.
820
821 @param[in] Tls Pointer to the TLS object.
822 @param[in,out] SessionId Buffer to contain the returned session ID.
823 @param[in,out] SessionIdLen The length of Session ID in bytes.
824
825 @retval EFI_SUCCESS The Session ID was returned successfully.
826 @retval EFI_INVALID_PARAMETER The parameter is invalid.
827 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
828
829 **/
830 EFI_STATUS
831 EFIAPI
832 TlsGetSessionId (
833 IN VOID *Tls,
834 IN OUT UINT8 *SessionId,
835 IN OUT UINT16 *SessionIdLen
836 )
837 {
838 TLS_CONNECTION *TlsConn;
839 SSL_SESSION *Session;
840 CONST UINT8 *SslSessionId;
841
842 TlsConn = (TLS_CONNECTION *) Tls;
843 Session = NULL;
844
845 if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
846 return EFI_INVALID_PARAMETER;
847 }
848
849 Session = SSL_get_session (TlsConn->Ssl);
850 if (Session == NULL) {
851 return EFI_UNSUPPORTED;
852 }
853
854 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
855 CopyMem (SessionId, SslSessionId, *SessionIdLen);
856
857 return EFI_SUCCESS;
858 }
859
860 /**
861 Gets the client random data used in the specified TLS connection.
862
863 This function returns the TLS/SSL client random data currently used in
864 the specified TLS connection.
865
866 @param[in] Tls Pointer to the TLS object.
867 @param[in,out] ClientRandom Buffer to contain the returned client
868 random data (32 bytes).
869
870 **/
871 VOID
872 EFIAPI
873 TlsGetClientRandom (
874 IN VOID *Tls,
875 IN OUT UINT8 *ClientRandom
876 )
877 {
878 TLS_CONNECTION *TlsConn;
879
880 TlsConn = (TLS_CONNECTION *) Tls;
881
882 if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
883 return;
884 }
885
886 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
887 }
888
889 /**
890 Gets the server random data used in the specified TLS connection.
891
892 This function returns the TLS/SSL server random data currently used in
893 the specified TLS connection.
894
895 @param[in] Tls Pointer to the TLS object.
896 @param[in,out] ServerRandom Buffer to contain the returned server
897 random data (32 bytes).
898
899 **/
900 VOID
901 EFIAPI
902 TlsGetServerRandom (
903 IN VOID *Tls,
904 IN OUT UINT8 *ServerRandom
905 )
906 {
907 TLS_CONNECTION *TlsConn;
908
909 TlsConn = (TLS_CONNECTION *) Tls;
910
911 if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
912 return;
913 }
914
915 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
916 }
917
918 /**
919 Gets the master key data used in the specified TLS connection.
920
921 This function returns the TLS/SSL master key material currently used in
922 the specified TLS connection.
923
924 @param[in] Tls Pointer to the TLS object.
925 @param[in,out] KeyMaterial Buffer to contain the returned key material.
926
927 @retval EFI_SUCCESS Key material was returned successfully.
928 @retval EFI_INVALID_PARAMETER The parameter is invalid.
929 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
930
931 **/
932 EFI_STATUS
933 EFIAPI
934 TlsGetKeyMaterial (
935 IN VOID *Tls,
936 IN OUT UINT8 *KeyMaterial
937 )
938 {
939 TLS_CONNECTION *TlsConn;
940 SSL_SESSION *Session;
941
942 TlsConn = (TLS_CONNECTION *) Tls;
943 Session = NULL;
944
945 if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
946 return EFI_INVALID_PARAMETER;
947 }
948
949 Session = SSL_get_session (TlsConn->Ssl);
950
951 if (Session == NULL) {
952 return EFI_UNSUPPORTED;
953 }
954
955 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
956
957 return EFI_SUCCESS;
958 }
959
960 /**
961 Gets the CA Certificate from the cert store.
962
963 This function returns the CA certificate for the chosen
964 TLS connection.
965
966 @param[in] Tls Pointer to the TLS object.
967 @param[out] Data Pointer to the data buffer to receive the CA
968 certificate data sent to the client.
969 @param[in,out] DataSize The size of data buffer in bytes.
970
971 @retval EFI_SUCCESS The operation succeeded.
972 @retval EFI_UNSUPPORTED This function is not supported.
973 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
974
975 **/
976 EFI_STATUS
977 EFIAPI
978 TlsGetCaCertificate (
979 IN VOID *Tls,
980 OUT VOID *Data,
981 IN OUT UINTN *DataSize
982 )
983 {
984 return EFI_UNSUPPORTED;
985 }
986
987 /**
988 Gets the local public Certificate set in the specified TLS object.
989
990 This function returns the local public certificate which was currently set
991 in the specified TLS object.
992
993 @param[in] Tls Pointer to the TLS object.
994 @param[out] Data Pointer to the data buffer to receive the local
995 public certificate.
996 @param[in,out] DataSize The size of data buffer in bytes.
997
998 @retval EFI_SUCCESS The operation succeeded.
999 @retval EFI_INVALID_PARAMETER The parameter is invalid.
1000 @retval EFI_NOT_FOUND The certificate is not found.
1001 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1002
1003 **/
1004 EFI_STATUS
1005 EFIAPI
1006 TlsGetHostPublicCert (
1007 IN VOID *Tls,
1008 OUT VOID *Data,
1009 IN OUT UINTN *DataSize
1010 )
1011 {
1012 X509 *Cert;
1013 TLS_CONNECTION *TlsConn;
1014
1015 Cert = NULL;
1016 TlsConn = (TLS_CONNECTION *) Tls;
1017
1018 if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {
1019 return EFI_INVALID_PARAMETER;
1020 }
1021
1022 Cert = SSL_get_certificate(TlsConn->Ssl);
1023 if (Cert == NULL) {
1024 return EFI_NOT_FOUND;
1025 }
1026
1027 //
1028 // Only DER encoding is supported currently.
1029 //
1030 if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
1031 *DataSize = (UINTN) i2d_X509 (Cert, NULL);
1032 return EFI_BUFFER_TOO_SMALL;
1033 }
1034
1035 *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
1036
1037 return EFI_SUCCESS;
1038 }
1039
1040 /**
1041 Gets the local private key set in the specified TLS object.
1042
1043 This function returns the local private key data which was currently set
1044 in the specified TLS object.
1045
1046 @param[in] Tls Pointer to the TLS object.
1047 @param[out] Data Pointer to the data buffer to receive the local
1048 private key data.
1049 @param[in,out] DataSize The size of data buffer in bytes.
1050
1051 @retval EFI_SUCCESS The operation succeeded.
1052 @retval EFI_UNSUPPORTED This function is not supported.
1053 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1054
1055 **/
1056 EFI_STATUS
1057 EFIAPI
1058 TlsGetHostPrivateKey (
1059 IN VOID *Tls,
1060 OUT VOID *Data,
1061 IN OUT UINTN *DataSize
1062 )
1063 {
1064 return EFI_UNSUPPORTED;
1065 }
1066
1067 /**
1068 Gets the CA-supplied certificate revocation list data set in the specified
1069 TLS object.
1070
1071 This function returns the CA-supplied certificate revocation list data which
1072 was currently set in the specified TLS object.
1073
1074 @param[out] Data Pointer to the data buffer to receive the CRL data.
1075 @param[in,out] DataSize The size of data buffer in bytes.
1076
1077 @retval EFI_SUCCESS The operation succeeded.
1078 @retval EFI_UNSUPPORTED This function is not supported.
1079 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1080
1081 **/
1082 EFI_STATUS
1083 EFIAPI
1084 TlsGetCertRevocationList (
1085 OUT VOID *Data,
1086 IN OUT UINTN *DataSize
1087 )
1088 {
1089 return EFI_UNSUPPORTED;
1090 }
1091