2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
4 Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
5 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "InternalTlsLib.h"
//
// One row of the IANA-to-OpenSSL cipher suite translation table.
//
typedef struct {
  //
  // IANA/IETF defined Cipher Suite ID (the two-byte value from the registry).
  //
  UINT16          IanaCipher;
  //
  // OpenSSL-used Cipher Suite String (the name SSL_set_cipher_list accepts).
  //
  CONST CHAR8     *OpensslCipher;
} TLS_CIPHER_PAIR;
//
// The mapping table between IANA/IETF Cipher Suite definitions and the
// OpenSSL-used Cipher Suite name.
//
// This is a pure name translation: an entry here only means the ID can be
// expressed to OpenSSL. Nothing in this file filters the list, so which of
// these suites (including the NULL-* null-encryption entries and RC4-*) are
// actually enabled is decided by whoever builds the cipher list.
//
STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
  { 0x0001, "NULL-MD5" },                 /// TLS_RSA_WITH_NULL_MD5
  { 0x0002, "NULL-SHA" },                 /// TLS_RSA_WITH_NULL_SHA
  { 0x0004, "RC4-MD5" },                  /// TLS_RSA_WITH_RC4_128_MD5
  { 0x0005, "RC4-SHA" },                  /// TLS_RSA_WITH_RC4_128_SHA
  { 0x000A, "DES-CBC3-SHA" },             /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
  { 0x0016, "DHE-RSA-DES-CBC3-SHA" },     /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  { 0x002F, "AES128-SHA" },               /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
  { 0x0030, "DH-DSS-AES128-SHA" },        /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
  { 0x0031, "DH-RSA-AES128-SHA" },        /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
  { 0x0033, "DHE-RSA-AES128-SHA" },       /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  { 0x0035, "AES256-SHA" },               /// TLS_RSA_WITH_AES_256_CBC_SHA
  { 0x0036, "DH-DSS-AES256-SHA" },        /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
  { 0x0037, "DH-RSA-AES256-SHA" },        /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
  { 0x0039, "DHE-RSA-AES256-SHA" },       /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  { 0x003B, "NULL-SHA256" },              /// TLS_RSA_WITH_NULL_SHA256
  { 0x003C, "AES128-SHA256" },            /// TLS_RSA_WITH_AES_128_CBC_SHA256
  { 0x003D, "AES256-SHA256" },            /// TLS_RSA_WITH_AES_256_CBC_SHA256
  { 0x003E, "DH-DSS-AES128-SHA256" },     /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
  { 0x003F, "DH-RSA-AES128-SHA256" },     /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  { 0x0067, "DHE-RSA-AES128-SHA256" },    /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  { 0x0068, "DH-DSS-AES256-SHA256" },     /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
  { 0x0069, "DH-RSA-AES256-SHA256" },     /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
  { 0x006B, "DHE-RSA-AES256-SHA256" }     /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
};
/**
  Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.

  @param[in]  CipherId    The supplied IANA TLS cipher suite ID.

  @return  The corresponding OpenSSL cipher suite string if found,
           otherwise NULL.

**/
STATIC
CONST CHAR8 *
TlsGetCipherString (
  IN     UINT16                   CipherId
  )
{
  UINTN                  EntryIndex;
  UINTN                  EntryCount;
  CONST TLS_CIPHER_PAIR  *Entry;

  EntryCount = sizeof (TlsCipherMappingTable) / sizeof (TlsCipherMappingTable[0]);

  //
  // Linear scan of the IANA-to-OpenSSL table; it is small and only consulted
  // while a cipher list is being assembled.
  //
  for (EntryIndex = 0; EntryIndex < EntryCount; EntryIndex++) {
    Entry = &TlsCipherMappingTable[EntryIndex];
    if (Entry->IanaCipher == CipherId) {
      return Entry->OpensslCipher;
    }
  }

  //
  // No mapping exists for this IANA identifier.
  //
  return NULL;
}
/**
  Set a new TLS/SSL method for a particular TLS object.

  This function sets a new TLS/SSL method for a particular TLS object. Each of
  the OpenSSL TLSv1_*_method() objects used here speaks exactly one protocol
  version, so the (MajorVer, MinorVer) pair selects that single version for the
  connection rather than a minimum.

  @param[in]  Tls         Pointer to a TLS object.
  @param[in]  MajorVer    Major Version of TLS/SSL Protocol.
  @param[in]  MinorVer    Minor Version of TLS/SSL Protocol.

  @retval  EFI_SUCCESS           The TLS/SSL method was set successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL method.

**/
EFI_STATUS
EFIAPI
TlsSetVersion (
  IN     VOID                     *Tls,
  IN     UINT8                    MajorVer,
  IN     UINT8                    MinorVer
  )
{
  TLS_CONNECTION  *TlsConn;
  UINT16          WireVersion;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Fold the two bytes into the on-the-wire version number so it can be
  // matched against OpenSSL's TLS1_*_VERSION constants.
  //
  WireVersion = (UINT16) ((MajorVer << 8) | MinorVer);

  switch (WireVersion) {
  case TLS1_VERSION:
    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
    break;

  case TLS1_1_VERSION:
    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
    break;

  case TLS1_2_VERSION:
    SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
    break;

  default:
    //
    // Unsupported Protocol Version
    //
    return EFI_UNSUPPORTED;
  }

  return EFI_SUCCESS;
}
/**
  Set TLS object to work in client or server mode.

  This function prepares a TLS object to work in client or server mode.

  @param[in]  Tls         Pointer to a TLS object.
  @param[in]  IsServer    Work in server mode.

  @retval  EFI_SUCCESS           The TLS/SSL work mode was set successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL work mode.

**/
EFI_STATUS
EFIAPI
TlsSetConnectionEnd (
  IN     VOID                     *Tls,
  IN     BOOLEAN                  IsServer
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  if (IsServer) {
    //
    // Server mode is not offered by this UEFI build; the OpenSSL call that
    // would enable it (SSL_set_accept_state) is deliberately not made.
    //
    return EFI_UNSUPPORTED;
  }

  //
  // Client mode: the object will initiate the handshake.
  //
  SSL_set_connect_state (TlsConn->Ssl);

  return EFI_SUCCESS;
}
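/**
  Set the ciphers list to be used by the TLS object.

  This function sets the ciphers for use by a specified TLS object. Each IANA
  ID is translated to its OpenSSL name, the names are joined with ':' and
  "@STRENGTH" is appended so OpenSSL orders them by key strength. The table
  only translates names; a caller that lists a NULL-* or RC4-* ID gets that
  suite enabled.

  @param[in]  Tls          Pointer to a TLS object.
  @param[in]  CipherId     Pointer to a UINT16 cipher Id.
  @param[in]  CipherNum    The number of cipher in the list.

  @retval  EFI_SUCCESS           The ciphers list was set successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Unsupported TLS cipher in the list, or the
                                 list does not fit the internal buffer.

**/
EFI_STATUS
EFIAPI
TlsSetCipherList (
  IN     VOID                     *Tls,
  IN     UINT16                   *CipherId,
  IN     UINTN                    CipherNum
  )
{
  TLS_CONNECTION  *TlsConn;
  UINTN           Index;
  CONST CHAR8     *MappingName;
  CHAR8           CipherString[500];
  RETURN_STATUS   CatStatus;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // AsciiStrCatS needs a NUL-terminated destination to start from.
  //
  ZeroMem (CipherString, sizeof (CipherString));

  for (Index = 0; Index < CipherNum; Index++) {
    //
    // Handling OpenSSL / RFC Cipher name mapping.
    //
    MappingName = TlsGetCipherString (CipherId[Index]);
    if (MappingName == NULL) {
      return EFI_UNSUPPORTED;
    }

    //
    // The ciphers are separated by a colon. Every append is checked: a list
    // that no longer fits must be rejected, not silently handed to OpenSSL
    // with entries missing.
    //
    CatStatus = AsciiStrCatS (CipherString, sizeof (CipherString), ":");
    if (RETURN_ERROR (CatStatus)) {
      return EFI_UNSUPPORTED;
    }

    CatStatus = AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
    if (RETURN_ERROR (CatStatus)) {
      return EFI_UNSUPPORTED;
    }
  }

  CatStatus = AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
  if (RETURN_ERROR (CatStatus)) {
    return EFI_UNSUPPORTED;
  }

  //
  // Sets the ciphers for use by the Tls object. OpenSSL rejects a list that
  // leaves no usable suite.
  //
  if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
    return EFI_UNSUPPORTED;
  }

  return EFI_SUCCESS;
}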
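/**
  Set the compression method for TLS/SSL operations.

  This function handles TLS/SSL integrated compression methods. Only
  CompressionMethod.null (0) is accepted; no compression method is ever
  registered with OpenSSL, so record-layer compression stays disabled.

  @param[in]  CompMethod    The compression method ID.

  @retval  EFI_SUCCESS       The compression method for the communication was
                             set successfully.
  @retval  EFI_UNSUPPORTED   Unsupported compression method.

**/
EFI_STATUS
EFIAPI
TlsSetCompressionMethod (
  IN     UINT8                    CompMethod
  )
{
  if (CompMethod == 0) {
    //
    // TLS defines one standard compression method, CompressionMethod.null (0),
    // which specifies that data exchanged via the record protocol will not be
    // compressed. So, return EFI_SUCCESS directly (RFC 3749).
    //
    return EFI_SUCCESS;
  }

  //
  // Method 1 (DEFLATE, RFC 3749) and every other value are rejected. The
  // former SSL_COMP_add_compression_method call that followed the
  // if/else chain was unreachable and passed a COMP_METHOD pointer that was
  // never assigned, so it has been removed rather than kept as dead code.
  //
  return EFI_UNSUPPORTED;
}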
/**
  Set peer certificate verification mode for the TLS connection.

  This function sets the verification mode flags for the TLS connection. An
  invalid Tls object is silently ignored; there is no status to report.

  @param[in]  Tls           Pointer to the TLS object.
  @param[in]  VerifyMode    A set of logically or'ed verification mode flags
                            (OpenSSL's SSL_VERIFY_* bits).

**/
VOID
EFIAPI
TlsSetVerify (
  IN     VOID                     *Tls,
  IN     UINT32                   VerifyMode
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
    return;
  }

  //
  // No verify callback is installed, so OpenSSL's own chain verification
  // result is what VerifyMode acts on.
  //
  SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
}
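/**
  Sets a TLS/SSL session ID to be used during TLS/SSL connect.

  This function sets a session ID to be used when the TLS/SSL connection is
  to be established.

  @param[in]  Tls             Pointer to the TLS object.
  @param[in]  SessionId       Session ID data used for session resumption.
  @param[in]  SessionIdLen    Length of Session ID in bytes. Must not exceed
                              the size of the session_id field of SSL_SESSION.

  @retval  EFI_SUCCESS           Session ID was set successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid, including a
                                 SessionIdLen larger than the session can hold.
  @retval  EFI_UNSUPPORTED       No available session for ID setting.

**/
EFI_STATUS
EFIAPI
TlsSetSessionId (
  IN     VOID                     *Tls,
  IN     UINT8                    *SessionId,
  IN     UINT16                   SessionIdLen
  )
{
  TLS_CONNECTION  *TlsConn;
  SSL_SESSION     *Session;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  Session = SSL_get_session (TlsConn->Ssl);
  if (Session == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // session_id is a fixed-size array inside SSL_SESSION; a longer caller
  // value would be copied past its end, so reject it before the CopyMem.
  //
  if (SessionIdLen > sizeof (Session->session_id)) {
    return EFI_INVALID_PARAMETER;
  }

  Session->session_id_length = SessionIdLen;
  CopyMem (Session->session_id, SessionId, SessionIdLen);

  return EFI_SUCCESS;
}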
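/**
  Adds the CA to the cert store when requesting Server or Client authentication.

  This function adds the CA certificate to the list of CAs when requesting
  Server or Client authentication for the chosen TLS connection. The buffer is
  first parsed as DER and, failing that, as PEM. The certificate is placed in
  the store as-is; whether it is acceptable as a trust anchor is decided by
  OpenSSL's chain verification at handshake time, not here.

  @param[in]  Tls         Pointer to the TLS object.
  @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
                          X.509 certificate or PEM-encoded X.509 certificate.
  @param[in]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
  @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
  @retval  EFI_ABORTED             Invalid X.509 certificate.

**/
EFI_STATUS
EFIAPI
TlsSetCaCertificate (
  IN     VOID                     *Tls,
  IN     VOID                     *Data,
  IN     UINTN                    DataSize
  )
{
  BIO             *BioCert;
  X509            *Cert;
  X509_STORE      *X509Store;
  EFI_STATUS      Status;
  TLS_CONNECTION  *TlsConn;
  SSL_CTX         *SslCtx;
  INTN            Ret;
  UINTN           ErrorCode;
  CONST UINT8     *DerPtr;

  BioCert   = NULL;
  Cert      = NULL;
  X509Store = NULL;
  Status    = EFI_SUCCESS;
  TlsConn   = (TLS_CONNECTION *) Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
  // Try DER first. d2i_X509 advances the pointer it is handed, so give it a
  // scratch copy and keep Data pointing at the start for the PEM attempt.
  //
  DerPtr = (CONST UINT8 *) Data;
  Cert   = d2i_X509 (NULL, (const unsigned char **) &DerPtr, (long) DataSize);
  if (Cert == NULL) {
    //
    // Not DER. Discard the parse error the DER attempt queued so it cannot
    // be mistaken for a later failure, then try PEM.
    //
    ERR_clear_error ();

    BioCert = BIO_new (BIO_s_mem ());
    if (BioCert == NULL) {
      Status = EFI_OUT_OF_RESOURCES;
      goto ON_EXIT;
    }

    if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
      Status = EFI_ABORTED;
      goto ON_EXIT;
    }

    Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
    if (Cert == NULL) {
      Status = EFI_ABORTED;
      goto ON_EXIT;
    }
  }

  SslCtx    = SSL_get_SSL_CTX (TlsConn->Ssl);
  X509Store = SSL_CTX_get_cert_store (SslCtx);
  if (X509Store == NULL) {
    Status = EFI_ABORTED;
    goto ON_EXIT;
  }

  //
  // Add certificate to X509 store. The store takes its own reference; the
  // one we hold is released at ON_EXIT on every path.
  //
  Ret = X509_STORE_add_cert (X509Store, Cert);
  if (Ret != 1) {
    ErrorCode = ERR_peek_last_error ();
    //
    // Ignore "already in table" errors: re-adding a CA is harmless.
    //
    if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
          ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
      Status = EFI_ABORTED;
      goto ON_EXIT;
    }
  }

ON_EXIT:
  if (BioCert != NULL) {
    BIO_free (BioCert);
  }

  if (Cert != NULL) {
    X509_free (Cert);
  }

  return Status;
}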
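/**
  Loads the local public certificate into the specified TLS object.

  This function loads the X.509 certificate into the specified TLS object
  for TLS negotiation. The buffer is first parsed as DER and, failing that,
  as PEM.

  @param[in]  Tls         Pointer to the TLS object.
  @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
                          X.509 certificate or PEM-encoded X.509 certificate.
  @param[in]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
  @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
  @retval  EFI_ABORTED             Invalid X.509 certificate.

**/
EFI_STATUS
EFIAPI
TlsSetHostPublicCert (
  IN     VOID                     *Tls,
  IN     VOID                     *Data,
  IN     UINTN                    DataSize
  )
{
  BIO             *BioCert;
  X509            *Cert;
  EFI_STATUS      Status;
  TLS_CONNECTION  *TlsConn;
  CONST UINT8     *DerPtr;

  BioCert = NULL;
  Cert    = NULL;
  Status  = EFI_SUCCESS;
  TlsConn = (TLS_CONNECTION *) Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
  // Try DER first. d2i_X509 advances the pointer it is handed, so give it a
  // scratch copy and keep Data pointing at the start for the PEM attempt.
  //
  DerPtr = (CONST UINT8 *) Data;
  Cert   = d2i_X509 (NULL, (const unsigned char **) &DerPtr, (long) DataSize);
  if (Cert == NULL) {
    //
    // Not DER. Discard the parse error the DER attempt queued so it cannot
    // be mistaken for a later failure, then try PEM.
    //
    ERR_clear_error ();

    BioCert = BIO_new (BIO_s_mem ());
    if (BioCert == NULL) {
      Status = EFI_OUT_OF_RESOURCES;
      goto ON_EXIT;
    }

    if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
      Status = EFI_ABORTED;
      goto ON_EXIT;
    }

    Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
    if (Cert == NULL) {
      Status = EFI_ABORTED;
      goto ON_EXIT;
    }
  }

  //
  // SSL_use_certificate keeps its own reference; ours is released at ON_EXIT.
  //
  if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
    Status = EFI_ABORTED;
    goto ON_EXIT;
  }

ON_EXIT:
  if (BioCert != NULL) {
    BIO_free (BioCert);
  }

  if (Cert != NULL) {
    X509_free (Cert);
  }

  return Status;
}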
/**
  Adds the local private key to the specified TLS object.

  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
  key) into the specified TLS object for TLS negotiation. Not implemented in
  this wrapper: every call returns EFI_UNSUPPORTED without touching Tls.

  @param[in]  Tls         Pointer to the TLS object.
  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
                          or PKCS#8 private key.
  @param[in]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_UNSUPPORTED         This function is not supported.
  @retval  EFI_ABORTED             Invalid private key data.

**/
EFI_STATUS
EFIAPI
TlsSetHostPrivateKey (
  IN     VOID                     *Tls,
  IN     VOID                     *Data,
  IN     UINTN                    DataSize
  )
{
  return EFI_UNSUPPORTED;
}
/**
  Adds the CA-supplied certificate revocation list for certificate validation.

  This function adds the CA-supplied certificate revocation list data for
  certificate validity checking. Not implemented in this wrapper: every call
  returns EFI_UNSUPPORTED, so no CRL is consulted during verification.

  @param[in]  Data        Pointer to the data buffer of a DER-encoded CRL data.
  @param[in]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_UNSUPPORTED         This function is not supported.
  @retval  EFI_ABORTED             Invalid CRL data.

**/
EFI_STATUS
EFIAPI
TlsSetCertRevocationList (
  IN     VOID                     *Data,
  IN     UINTN                    DataSize
  )
{
  return EFI_UNSUPPORTED;
}
/**
  Gets the protocol version used by the specified TLS connection.

  This function returns the protocol version used by the specified TLS
  connection. Only an ASSERT guards Tls, and TlsConn->Ssl is not checked at
  all, so the caller must pass a fully initialized TLS object.

  @param[in]  Tls    Pointer to the TLS object.

  @return  The protocol version of the specified TLS connection.

**/
UINT16
EFIAPI
TlsGetVersion (
  IN     VOID                     *Tls
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;

  ASSERT (TlsConn != NULL);

  //
  // Truncate OpenSSL's int to the two-byte wire version the API exposes.
  //
  return (UINT16) SSL_version (TlsConn->Ssl);
}
/**
  Gets the connection end of the specified TLS connection.

  This function returns the connection end (as client or as server) used by
  the specified TLS connection. Only an ASSERT guards Tls, and TlsConn->Ssl
  is not checked, so the caller must pass a fully initialized TLS object.

  @param[in]  Tls    Pointer to the TLS object.

  @return  The connection end used by the specified TLS connection.

**/
UINT8
EFIAPI
TlsGetConnectionEnd (
  IN     VOID                     *Tls
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;

  ASSERT (TlsConn != NULL);

  //
  // Non-zero from SSL_is_server means server end.
  //
  return (UINT8) SSL_is_server (TlsConn->Ssl);
}
/**
  Gets the cipher suite used by the specified TLS connection.

  This function returns current cipher suite used by the specified
  TLS connection.

  @param[in]      Tls         Pointer to the TLS object.
  @param[in,out]  CipherId    The cipher suite used by the TLS object.

  @retval  EFI_SUCCESS           The cipher suite was returned successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Unsupported cipher suite.

**/
EFI_STATUS
EFIAPI
TlsGetCurrentCipher (
  IN     VOID                     *Tls,
  IN OUT UINT16                   *CipherId
  )
{
  TLS_CONNECTION    *TlsConn;
  CONST SSL_CIPHER  *CurrentCipher;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // NULL here means no cipher has been negotiated yet.
  //
  CurrentCipher = SSL_get_current_cipher (TlsConn->Ssl);
  if (CurrentCipher == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // The low 16 bits of OpenSSL's cipher ID are the IANA cipher suite value.
  //
  *CipherId = (UINT16) (SSL_CIPHER_get_id (CurrentCipher) & 0xFFFF);

  return EFI_SUCCESS;
}
/**
  Gets the compression methods used by the specified TLS connection.

  This function returns current integrated compression methods used by
  the specified TLS connection. Not implemented in this wrapper: every call
  returns EFI_UNSUPPORTED and CompressionId is left untouched.

  @param[in]      Tls              Pointer to the TLS object.
  @param[in,out]  CompressionId    The current compression method used by
                                   the TLS object.

  @retval  EFI_SUCCESS           The compression method was returned successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_ABORTED           Invalid Compression method.
  @retval  EFI_UNSUPPORTED       This function is not supported.

**/
EFI_STATUS
EFIAPI
TlsGetCurrentCompressionId (
  IN     VOID                     *Tls,
  IN OUT UINT8                    *CompressionId
  )
{
  return EFI_UNSUPPORTED;
}
/**
  Gets the verification mode currently set in the TLS connection.

  This function returns the peer verification mode currently set in the
  specified TLS connection. Only an ASSERT guards Tls, and TlsConn->Ssl is
  not checked, so the caller must pass a fully initialized TLS object.

  @param[in]  Tls    Pointer to the TLS object.

  @return  The verification mode set in the specified TLS connection.

**/
UINT32
EFIAPI
TlsGetVerify (
  IN     VOID                     *Tls
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;

  ASSERT (TlsConn != NULL);

  return SSL_get_verify_mode (TlsConn->Ssl);
}
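/**
  Gets the session ID used by the specified TLS connection.

  This function returns the TLS/SSL session ID currently used by the
  specified TLS connection. SessionIdLen is written, not read: the caller's
  SessionId buffer must be large enough for the longest session ID OpenSSL
  can hold (SSL_MAX_SSL_SESSION_ID_LENGTH bytes).

  @param[in]      Tls             Pointer to the TLS object.
  @param[in,out]  SessionId       Buffer to contain the returned session ID.
  @param[in,out]  SessionIdLen    The length of Session ID in bytes.

  @retval  EFI_SUCCESS           The Session ID was returned successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.

**/
EFI_STATUS
EFIAPI
TlsGetSessionId (
  IN     VOID                     *Tls,
  IN OUT UINT8                    *SessionId,
  IN OUT UINT16                   *SessionIdLen
  )
{
  TLS_CONNECTION  *TlsConn;
  SSL_SESSION     *Session;
  CONST UINT8     *SslSessionId;
  unsigned int    IdLen;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) ||
      (SessionId == NULL) || (SessionIdLen == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  Session = SSL_get_session (TlsConn->Ssl);
  if (Session == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // SSL_SESSION_get_id stores the length through an unsigned int *, which
  // is wider than UINT16. Receive it in a local instead of aliasing
  // SessionIdLen, which would overwrite the bytes following it.
  //
  IdLen        = 0;
  SslSessionId = SSL_SESSION_get_id (Session, &IdLen);

  *SessionIdLen = (UINT16) IdLen;
  CopyMem (SessionId, SslSessionId, IdLen);

  return EFI_SUCCESS;
}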
/**
  Gets the client random data used in the specified TLS connection.

  This function returns the TLS/SSL client random data currently used in
  the specified TLS connection. It reads the OpenSSL-internal s3 state of the
  SSL object directly, which only compiles against a build whose SSL struct is
  not opaque. An invalid Tls object is silently ignored; there is no status
  to report.

  @param[in]      Tls             Pointer to the TLS object.
  @param[in,out]  ClientRandom    Buffer to contain the returned client
                                  random data (32 bytes).

**/
VOID
EFIAPI
TlsGetClientRandom (
  IN     VOID                     *Tls,
  IN OUT UINT8                    *ClientRandom
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ClientRandom == NULL)) {
    return;
  }

  //
  // SSL3_RANDOM_SIZE is the 32-byte ClientHello random.
  //
  CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE);
}
/**
  Gets the server random data used in the specified TLS connection.

  This function returns the TLS/SSL server random data currently used in
  the specified TLS connection. It reads the OpenSSL-internal s3 state of the
  SSL object directly, which only compiles against a build whose SSL struct is
  not opaque. An invalid Tls object is silently ignored; there is no status
  to report.

  @param[in]      Tls             Pointer to the TLS object.
  @param[in,out]  ServerRandom    Buffer to contain the returned server
                                  random data (32 bytes).

**/
VOID
EFIAPI
TlsGetServerRandom (
  IN     VOID                     *Tls,
  IN OUT UINT8                    *ServerRandom
  )
{
  TLS_CONNECTION  *TlsConn;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ServerRandom == NULL)) {
    return;
  }

  //
  // SSL3_RANDOM_SIZE is the 32-byte ServerHello random.
  //
  CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE);
}
/**
  Gets the master key data used in the specified TLS connection.

  This function returns the TLS/SSL master key material currently used in
  the specified TLS connection. The copy is master_key_length bytes long and
  no buffer size is passed in, so KeyMaterial must be at least as large as the
  session's master_key array (SSL_MAX_MASTER_KEY_LENGTH). The value is the
  connection's master secret; it should be handled and cleared like a key.

  @param[in]      Tls            Pointer to the TLS object.
  @param[in,out]  KeyMaterial    Buffer to contain the returned key material.

  @retval  EFI_SUCCESS           Key material was returned successfully.
  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
  @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.

**/
EFI_STATUS
EFIAPI
TlsGetKeyMaterial (
  IN     VOID                     *Tls,
  IN OUT UINT8                    *KeyMaterial
  )
{
  TLS_CONNECTION  *TlsConn;
  SSL_SESSION     *CurrentSession;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (KeyMaterial == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  CurrentSession = SSL_get_session (TlsConn->Ssl);
  if (CurrentSession == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // Direct access to SSL_SESSION fields; requires a non-opaque OpenSSL build.
  //
  CopyMem (KeyMaterial, CurrentSession->master_key, CurrentSession->master_key_length);

  return EFI_SUCCESS;
}
/**
  Gets the CA Certificate from the cert store.

  This function returns the CA certificate for the chosen
  TLS connection. Not implemented in this wrapper: every call returns
  EFI_UNSUPPORTED and neither Data nor DataSize is written.

  @param[in]      Tls         Pointer to the TLS object.
  @param[out]     Data        Pointer to the data buffer to receive the CA
                              certificate data sent to the client.
  @param[in,out]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_UNSUPPORTED         This function is not supported.
  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.

**/
EFI_STATUS
EFIAPI
TlsGetCaCertificate (
  IN     VOID                     *Tls,
  OUT    VOID                     *Data,
  IN OUT UINTN                    *DataSize
  )
{
  return EFI_UNSUPPORTED;
}
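/**
  Gets the local public Certificate set in the specified TLS object.

  This function returns the local public certificate which was currently set
  in the specified TLS object, DER-encoded. The usual two-call pattern works:
  pass *DataSize = 0 (Data may be NULL) to learn the required size, then call
  again with a buffer of that size.

  @param[in]      Tls         Pointer to the TLS object.
  @param[out]     Data        Pointer to the data buffer to receive the local
                              public certificate.
  @param[in,out]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_INVALID_PARAMETER   The parameter is invalid, including a NULL
                                   Data with a DataSize large enough to write.
  @retval  EFI_NOT_FOUND           The certificate is not found.
  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
  @retval  EFI_ABORTED             The certificate could not be DER-encoded.

**/
EFI_STATUS
EFIAPI
TlsGetHostPublicCert (
  IN     VOID                     *Tls,
  OUT    VOID                     *Data,
  IN OUT UINTN                    *DataSize
  )
{
  X509            *Cert;
  TLS_CONNECTION  *TlsConn;
  int             DerSize;
  unsigned char   *OutPtr;

  TlsConn = (TLS_CONNECTION *) Tls;
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (DataSize == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  Cert = SSL_get_certificate (TlsConn->Ssl);
  if (Cert == NULL) {
    return EFI_NOT_FOUND;
  }

  //
  // Only DER encoding is supported currently. With a NULL destination
  // i2d_X509 only measures the encoding; a negative result is an encoding
  // failure, not a length, and must not be widened into a huge UINTN.
  //
  DerSize = i2d_X509 (Cert, NULL);
  if (DerSize < 0) {
    return EFI_ABORTED;
  }

  if (*DataSize < (UINTN) DerSize) {
    *DataSize = (UINTN) DerSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  //
  // Once the size fits, a NULL Data would make i2d_X509 allocate its own
  // buffer through OpenSSL's allocator, which the caller could never free.
  //
  if (Data == NULL) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // i2d_X509 advances the pointer it is given; encode through a scratch copy.
  //
  OutPtr  = (unsigned char *) Data;
  DerSize = i2d_X509 (Cert, &OutPtr);
  if (DerSize < 0) {
    return EFI_ABORTED;
  }

  *DataSize = (UINTN) DerSize;

  return EFI_SUCCESS;
}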
/**
  Gets the local private key set in the specified TLS object.

  This function returns the local private key data which was currently set
  in the specified TLS object. Not implemented in this wrapper: every call
  returns EFI_UNSUPPORTED and neither Data nor DataSize is written, so the
  private key is never exported through this interface.

  @param[in]      Tls         Pointer to the TLS object.
  @param[out]     Data        Pointer to the data buffer to receive the local
                              private key data.
  @param[in,out]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_UNSUPPORTED         This function is not supported.
  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.

**/
EFI_STATUS
EFIAPI
TlsGetHostPrivateKey (
  IN     VOID                     *Tls,
  OUT    VOID                     *Data,
  IN OUT UINTN                    *DataSize
  )
{
  return EFI_UNSUPPORTED;
}
/**
  Gets the CA-supplied certificate revocation list data set in the specified
  TLS object.

  This function returns the CA-supplied certificate revocation list data which
  was currently set in the specified TLS object. Not implemented in this
  wrapper: every call returns EFI_UNSUPPORTED and neither Data nor DataSize
  is written.

  @param[out]     Data        Pointer to the data buffer to receive the CRL data.
  @param[in,out]  DataSize    The size of data buffer in bytes.

  @retval  EFI_SUCCESS             The operation succeeded.
  @retval  EFI_UNSUPPORTED         This function is not supported.
  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.

**/
EFI_STATUS
EFIAPI
TlsGetCertRevocationList (
  OUT    VOID                     *Data,
  IN OUT UINTN                    *DataSize
  )
{
  return EFI_UNSUPPORTED;
}