/** @file\r
SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r
\r
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
//\r
// IANA/IETF defined Cipher Suite ID\r
//\r
- UINT16 IanaCipher;\r
+ UINT16 IanaCipher;\r
//\r
// OpenSSL-used Cipher Suite String\r
//\r
- CONST CHAR8 *OpensslCipher;\r
+ CONST CHAR8 *OpensslCipher;\r
//\r
// Length of OpensslCipher\r
//\r
- UINTN OpensslCipherLength;\r
+ UINTN OpensslCipherLength;\r
} TLS_CIPHER_MAPPING;\r
\r
//\r
//\r
// Keep the table uniquely sorted by the IanaCipher field, in increasing order.\r
//\r
-STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r
- MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5\r
- MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA\r
- MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5\r
- MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA\r
- MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
- MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
- MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
- MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
- MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
- MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
- MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA\r
- MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
- MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
- MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
- MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256\r
- MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
- MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
- MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
- MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
- MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
- MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
- MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
- MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
+STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {\r
+ MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5\r
+ MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA\r
+ MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5\r
+ MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA\r
+ MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
+ MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
+ MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
+ MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
+ MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
+ MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
+ MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA\r
+ MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
+ MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
+ MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
+ MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256\r
+ MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
+ MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
+ MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
+ MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
+ MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
+ MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
+ MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
+ MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
+ MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\r
+ MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"), /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\r
+ MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"), /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\r
+ MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\r
+};\r
+\r
+typedef struct {\r
+ //\r
+ // TLS Algorithm\r
+ //\r
+ UINT8 Algo;\r
+ //\r
+ // TLS Algorithm name\r
+ //\r
+ CONST CHAR8 *Name;\r
+} TLS_ALGO_TO_NAME;\r
+\r
+STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = {\r
+ { TlsHashAlgoNone, NULL },\r
+ { TlsHashAlgoMd5, "MD5" },\r
+ { TlsHashAlgoSha1, "SHA1" },\r
+ { TlsHashAlgoSha224, "SHA224" },\r
+ { TlsHashAlgoSha256, "SHA256" },\r
+ { TlsHashAlgoSha384, "SHA384" },\r
+ { TlsHashAlgoSha512, "SHA512" },\r
+};\r
+\r
+STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = {\r
+ { TlsSignatureAlgoAnonymous, NULL },\r
+ { TlsSignatureAlgoRsa, "RSA" },\r
+ { TlsSignatureAlgoDsa, "DSA" },\r
+ { TlsSignatureAlgoEcdsa, "ECDSA" },\r
};\r
\r
/**\r
STATIC\r
CONST TLS_CIPHER_MAPPING *\r
TlsGetCipherMapping (\r
- IN UINT16 CipherId\r
+ IN UINT16 CipherId\r
)\r
{\r
- INTN Left;\r
- INTN Right;\r
- INTN Middle;\r
+ INTN Left;\r
+ INTN Right;\r
+ INTN Middle;\r
\r
//\r
// Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r
if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {\r
Right = Middle - 1;\r
} else {\r
- Left = Middle + 1;\r
+ Left = Middle + 1;\r
}\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsSetVersion (\r
- IN VOID *Tls,\r
- IN UINT8 MajorVer,\r
- IN UINT8 MinorVer\r
+ IN VOID *Tls,\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
UINT16 ProtoVersion;\r
\r
TlsConn = (TLS_CONNECTION *)Tls;\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
// Bound TLS method to the particular specified version.\r
//\r
switch (ProtoVersion) {\r
- case TLS1_VERSION:\r
- //\r
- // TLS 1.0\r
- //\r
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
- break;\r
- case TLS1_1_VERSION:\r
- //\r
- // TLS 1.1\r
- //\r
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
- break;\r
- case TLS1_2_VERSION:\r
- //\r
- // TLS 1.2\r
- //\r
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
- break;\r
- default:\r
- //\r
- // Unsupported Protocol Version\r
- //\r
- return EFI_UNSUPPORTED;\r
+ case TLS1_VERSION:\r
+ //\r
+ // TLS 1.0\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
+ break;\r
+ case TLS1_1_VERSION:\r
+ //\r
+ // TLS 1.1\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
+ break;\r
+ case TLS1_2_VERSION:\r
+ //\r
+ // TLS 1.2\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
+ break;\r
+ default:\r
+ //\r
+ // Unsupported Protocol Version\r
+ //\r
+ return EFI_UNSUPPORTED;\r
}\r
\r
- return EFI_SUCCESS;;\r
+ return EFI_SUCCESS;\r
}\r
\r
/**\r
EFI_STATUS\r
EFIAPI\r
TlsSetConnectionEnd (\r
- IN VOID *Tls,\r
- IN BOOLEAN IsServer\r
+ IN VOID *Tls,\r
+ IN BOOLEAN IsServer\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
// Set TLS to work in Server mode.\r
// It is unsupported for UEFI version currently.\r
//\r
- //SSL_set_accept_state (TlsConn->Ssl);\r
+ // SSL_set_accept_state (TlsConn->Ssl);\r
return EFI_UNSUPPORTED;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsSetCipherList (\r
- IN VOID *Tls,\r
- IN UINT16 *CipherId,\r
- IN UINTN CipherNum\r
+ IN VOID *Tls,\r
+ IN UINT16 *CipherId,\r
+ IN UINTN CipherNum\r
)\r
{\r
- TLS_CONNECTION *TlsConn;\r
- EFI_STATUS Status;\r
- CONST TLS_CIPHER_MAPPING **MappedCipher;\r
- UINTN MappedCipherBytes;\r
- UINTN MappedCipherCount;\r
- UINTN CipherStringSize;\r
- UINTN Index;\r
- CONST TLS_CIPHER_MAPPING *Mapping;\r
- CHAR8 *CipherString;\r
- CHAR8 *CipherStringPosition;\r
-\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
+ TLS_CONNECTION *TlsConn;\r
+ EFI_STATUS Status;\r
+ CONST TLS_CIPHER_MAPPING **MappedCipher;\r
+ UINTN MappedCipherBytes;\r
+ UINTN MappedCipherCount;\r
+ UINTN CipherStringSize;\r
+ UINTN Index;\r
+ CONST TLS_CIPHER_MAPPING *Mapping;\r
+ CHAR8 *CipherString;\r
+ CHAR8 *CipherStringPosition;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
// Allocate the MappedCipher array for recording the mappings that we find\r
// for the input IANA identifiers in CipherId.\r
//\r
- Status = SafeUintnMult (CipherNum, sizeof (*MappedCipher),\r
- &MappedCipherBytes);\r
+ Status = SafeUintnMult (\r
+ CipherNum,\r
+ sizeof (*MappedCipher),\r
+ &MappedCipherBytes\r
+ );\r
if (EFI_ERROR (Status)) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
+\r
MappedCipher = AllocatePool (MappedCipherBytes);\r
if (MappedCipher == NULL) {\r
return EFI_OUT_OF_RESOURCES;\r
// CipherString.\r
//\r
MappedCipherCount = 0;\r
- CipherStringSize = 0;\r
+ CipherStringSize = 0;\r
for (Index = 0; Index < CipherNum; Index++) {\r
//\r
// Look up the IANA-to-OpenSSL mapping.\r
//\r
Mapping = TlsGetCipherMapping (CipherId[Index]);\r
if (Mapping == NULL) {\r
- DEBUG ((DEBUG_VERBOSE, "%a:%a: skipping CipherId=0x%04x\n",\r
- gEfiCallerBaseName, __FUNCTION__, CipherId[Index]));\r
+ DEBUG ((\r
+ DEBUG_VERBOSE,\r
+ "%a:%a: skipping CipherId=0x%04x\n",\r
+ gEfiCallerBaseName,\r
+ __FUNCTION__,\r
+ CipherId[Index]\r
+ ));\r
//\r
// Skipping the cipher is valid because CipherId is an ordered\r
// preference list of ciphers, thus we can filter it as long as we\r
//\r
continue;\r
}\r
+\r
//\r
// Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this\r
// is not the first successful mapping, account for a colon (":") prefix\r
goto FreeMappedCipher;\r
}\r
}\r
- Status = SafeUintnAdd (CipherStringSize, Mapping->OpensslCipherLength,\r
- &CipherStringSize);\r
+\r
+ Status = SafeUintnAdd (\r
+ CipherStringSize,\r
+ Mapping->OpensslCipherLength,\r
+ &CipherStringSize\r
+ );\r
if (EFI_ERROR (Status)) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto FreeMappedCipher;\r
}\r
+\r
//\r
// Record the mapping.\r
//\r
// terminating NUL character in CipherStringSize; allocate CipherString.\r
//\r
if (MappedCipherCount == 0) {\r
- DEBUG ((DEBUG_ERROR, "%a:%a: no CipherId could be mapped\n",\r
- gEfiCallerBaseName, __FUNCTION__));\r
+ DEBUG ((\r
+ DEBUG_ERROR,\r
+ "%a:%a: no CipherId could be mapped\n",\r
+ gEfiCallerBaseName,\r
+ __FUNCTION__\r
+ ));\r
Status = EFI_UNSUPPORTED;\r
goto FreeMappedCipher;\r
}\r
+\r
Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);\r
if (EFI_ERROR (Status)) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto FreeMappedCipher;\r
}\r
+\r
CipherString = AllocatePool (CipherStringSize);\r
if (CipherString == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
if (Index > 0) {\r
*(CipherStringPosition++) = ':';\r
}\r
- CopyMem (CipherStringPosition, Mapping->OpensslCipher,\r
- Mapping->OpensslCipherLength);\r
+\r
+ CopyMem (\r
+ CipherStringPosition,\r
+ Mapping->OpensslCipher,\r
+ Mapping->OpensslCipherLength\r
+ );\r
CipherStringPosition += Mapping->OpensslCipherLength;\r
}\r
\r
// 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in\r
// DebugLib instances.)\r
//\r
- DEBUG_CODE (\r
- UINTN FullLength;\r
- UINTN SegmentLength;\r
-\r
- FullLength = CipherStringSize - 1;\r
- DEBUG ((DEBUG_VERBOSE, "%a:%a: CipherString={\n", gEfiCallerBaseName,\r
- __FUNCTION__));\r
- for (CipherStringPosition = CipherString;\r
- CipherStringPosition < CipherString + FullLength;\r
- CipherStringPosition += SegmentLength) {\r
- SegmentLength = FullLength - (CipherStringPosition - CipherString);\r
- if (SegmentLength > 79) {\r
- SegmentLength = 79;\r
- }\r
- DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));\r
+ DEBUG_CODE_BEGIN ();\r
+ UINTN FullLength;\r
+ UINTN SegmentLength;\r
+\r
+ FullLength = CipherStringSize - 1;\r
+ DEBUG ((\r
+ DEBUG_VERBOSE,\r
+ "%a:%a: CipherString={\n",\r
+ gEfiCallerBaseName,\r
+ __FUNCTION__\r
+ ));\r
+ for (CipherStringPosition = CipherString;\r
+ CipherStringPosition < CipherString + FullLength;\r
+ CipherStringPosition += SegmentLength)\r
+ {\r
+ SegmentLength = FullLength - (CipherStringPosition - CipherString);\r
+ if (SegmentLength > 79) {\r
+ SegmentLength = 79;\r
}\r
- DEBUG ((DEBUG_VERBOSE, "}\n"));\r
- //\r
- // Restore the pre-debug value of CipherStringPosition by skipping over the\r
- // trailing NUL.\r
- //\r
- CipherStringPosition++;\r
- ASSERT (CipherStringPosition == CipherString + CipherStringSize);\r
- );\r
+\r
+ DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));\r
+ }\r
+\r
+ DEBUG ((DEBUG_VERBOSE, "}\n"));\r
+ //\r
+ // Restore the pre-debug value of CipherStringPosition by skipping over the\r
+ // trailing NUL.\r
+ //\r
+ CipherStringPosition++;\r
+ ASSERT (CipherStringPosition == CipherString + CipherStringSize);\r
+ DEBUG_CODE_END ();\r
\r
//\r
// Sets the ciphers for use by the Tls object.\r
FreePool (CipherString);\r
\r
FreeMappedCipher:\r
- FreePool (MappedCipher);\r
+ FreePool ((VOID *)MappedCipher);\r
\r
return Status;\r
}\r
EFI_STATUS\r
EFIAPI\r
TlsSetCompressionMethod (\r
- IN UINT8 CompMethod\r
+ IN UINT8 CompMethod\r
)\r
{\r
COMP_METHOD *Cm;\r
//\r
return EFI_SUCCESS;\r
} else if (CompMethod == 1) {\r
- Cm = COMP_zlib();\r
+ Cm = COMP_zlib ();\r
} else {\r
return EFI_UNSUPPORTED;\r
}\r
VOID\r
EFIAPI\r
TlsSetVerify (\r
- IN VOID *Tls,\r
- IN UINT32 VerifyMode\r
+ IN VOID *Tls,\r
+ IN UINT32 VerifyMode\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
return;\r
}\r
\r
SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r
}\r
\r
+/**\r
+ Set the specified host name to be verified.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Flags The setting flags during the validation.\r
+ @param[in] HostName The specified host name to be verified.\r
+\r
+ @retval EFI_SUCCESS The HostName setting was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_ABORTED Invalid HostName setting.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetVerifyHost (\r
+ IN VOID *Tls,\r
+ IN UINT32 Flags,\r
+ IN CHAR8 *HostName\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ X509_VERIFY_PARAM *VerifyParam;\r
+ UINTN BinaryAddressSize;\r
+ UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];\r
+ INTN ParamStatus;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (HostName == NULL)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ SSL_set_hostflags (TlsConn->Ssl, Flags);\r
+\r
+ VerifyParam = SSL_get0_param (TlsConn->Ssl);\r
+ ASSERT (VerifyParam != NULL);\r
+\r
+ BinaryAddressSize = 0;\r
+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {\r
+ BinaryAddressSize = NS_IN6ADDRSZ;\r
+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {\r
+ BinaryAddressSize = NS_INADDRSZ;\r
+ }\r
+\r
+ if (BinaryAddressSize > 0) {\r
+ DEBUG ((\r
+ DEBUG_VERBOSE,\r
+ "%a:%a: parsed \"%a\" as an IPv%c address "\r
+ "literal\n",\r
+ gEfiCallerBaseName,\r
+ __FUNCTION__,\r
+ HostName,\r
+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')\r
+ ));\r
+ ParamStatus = X509_VERIFY_PARAM_set1_ip (\r
+ VerifyParam,\r
+ BinaryAddress,\r
+ BinaryAddressSize\r
+ );\r
+ } else {\r
+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);\r
+ }\r
+\r
+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;\r
+}\r
+\r
/**\r
Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
\r
EFI_STATUS\r
EFIAPI\r
TlsSetSessionId (\r
- IN VOID *Tls,\r
- IN UINT8 *SessionId,\r
- IN UINT16 SessionIdLen\r
+ IN VOID *Tls,\r
+ IN UINT8 *SessionId,\r
+ IN UINT16 SessionIdLen\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
SSL_SESSION *Session;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
Session = NULL;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsSetCaCertificate (\r
- IN VOID *Tls,\r
- IN VOID *Data,\r
- IN UINTN DataSize\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
)\r
{\r
BIO *BioCert;\r
Cert = NULL;\r
X509Store = NULL;\r
Status = EFI_SUCCESS;\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
Ret = 0;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
// DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
// Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
//\r
- Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
+ Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);\r
if (Cert == NULL) {\r
//\r
// Certificate is from PEM encoding.\r
goto ON_EXIT;\r
}\r
\r
- if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
+ if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {\r
Status = EFI_ABORTED;\r
goto ON_EXIT;\r
}\r
SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
X509Store = SSL_CTX_get_cert_store (SslCtx);\r
if (X509Store == NULL) {\r
- Status = EFI_ABORTED;\r
- goto ON_EXIT;\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
}\r
\r
//\r
//\r
// Ignore "already in table" errors\r
//\r
- if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&\r
- ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {\r
+ if (!((ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT) &&\r
+ (ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)))\r
+ {\r
Status = EFI_ABORTED;\r
goto ON_EXIT;\r
}\r
EFI_STATUS\r
EFIAPI\r
TlsSetHostPublicCert (\r
- IN VOID *Tls,\r
- IN VOID *Data,\r
- IN UINTN DataSize\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
)\r
{\r
BIO *BioCert;\r
BioCert = NULL;\r
Cert = NULL;\r
Status = EFI_SUCCESS;\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
// DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
// Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
//\r
- Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
+ Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);\r
if (Cert == NULL) {\r
//\r
// Certificate is from PEM encoding.\r
goto ON_EXIT;\r
}\r
\r
- if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
+ if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {\r
Status = EFI_ABORTED;\r
goto ON_EXIT;\r
}\r
/**\r
Adds the local private key to the specified TLS object.\r
\r
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
key) into the specified TLS object for TLS negotiation.\r
\r
@param[in] Tls Pointer to the TLS object.\r
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+ @param[in] Password Pointer to NULL-terminated private key password, set it to NULL\r
+ if private key not encrypted.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPrivateKeyEx (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize,\r
+ IN VOID *Password OPTIONAL\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ BIO *Bio;\r
+ EVP_PKEY *Pkey;\r
+ BOOLEAN Verify;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ // Try to parse the private key in DER format or un-encrypted PKC#8\r
+ if (SSL_use_PrivateKey_ASN1 (\r
+ EVP_PKEY_RSA,\r
+ TlsConn->Ssl,\r
+ Data,\r
+ (long)DataSize\r
+ ) == 1)\r
+ {\r
+ goto verify;\r
+ }\r
+\r
+ if (SSL_use_PrivateKey_ASN1 (\r
+ EVP_PKEY_DSA,\r
+ TlsConn->Ssl,\r
+ Data,\r
+ (long)DataSize\r
+ ) == 1)\r
+ {\r
+ goto verify;\r
+ }\r
+\r
+ if (SSL_use_PrivateKey_ASN1 (\r
+ EVP_PKEY_EC,\r
+ TlsConn->Ssl,\r
+ Data,\r
+ (long)DataSize\r
+ ) == 1)\r
+ {\r
+ goto verify;\r
+ }\r
+\r
+ // Try to parse the private key in PEM format or encrypted PKC#8\r
+ Bio = BIO_new_mem_buf (Data, (int)DataSize);\r
+ if (Bio != NULL) {\r
+ Verify = FALSE;\r
+ Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);\r
+ if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {\r
+ Verify = TRUE;\r
+ }\r
+\r
+ EVP_PKEY_free (Pkey);\r
+ BIO_free (Bio);\r
+\r
+ if (Verify) {\r
+ goto verify;\r
+ }\r
+ }\r
+\r
+ return EFI_ABORTED;\r
+\r
+verify:\r
+ if (SSL_check_private_key (TlsConn->Ssl) == 1) {\r
+ return EFI_SUCCESS;\r
+ }\r
+\r
+ return EFI_ABORTED;\r
+}\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
or PKCS#8 private key.\r
@param[in] DataSize The size of data buffer in bytes.\r
\r
EFI_STATUS\r
EFIAPI\r
TlsSetHostPrivateKey (\r
- IN VOID *Tls,\r
- IN VOID *Data,\r
- IN UINTN DataSize\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
)\r
{\r
- return EFI_UNSUPPORTED;\r
+ return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL);\r
}\r
\r
/**\r
EFI_STATUS\r
EFIAPI\r
TlsSetCertRevocationList (\r
- IN VOID *Data,\r
- IN UINTN DataSize\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
)\r
{\r
return EFI_UNSUPPORTED;\r
}\r
\r
+/**\r
+ Set the signature algorithm list to used by the TLS object.\r
+\r
+ This function sets the signature algorithms for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of\r
+ pairs of the hash algorithm and the signature algorithm as defined\r
+ in RFC 5246\r
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.\r
+\r
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList\r
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetSignatureAlgoList (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINTN Index;\r
+ UINTN SignAlgoStrSize;\r
+ CHAR8 *SignAlgoStr;\r
+ CHAR8 *Pos;\r
+ UINT8 *SignatureAlgoList;\r
+ EFI_STATUS Status;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||\r
+ ((DataSize % 2) == 0) || (Data[0] != DataSize - 1))\r
+ {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ SignatureAlgoList = Data + 1;\r
+ SignAlgoStrSize = 0;\r
+ for (Index = 0; Index < Data[0]; Index += 2) {\r
+ CONST CHAR8 *Tmp;\r
+\r
+ if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;\r
+ if (!Tmp) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ // Add 1 for the '+'\r
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;\r
+\r
+ if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;\r
+ if (!Tmp) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ // Add 1 for the ':' or for the NULL terminator\r
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;\r
+ }\r
+\r
+ if (!SignAlgoStrSize) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ SignAlgoStr = AllocatePool (SignAlgoStrSize);\r
+ if (SignAlgoStr == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ Pos = SignAlgoStr;\r
+ for (Index = 0; Index < Data[0]; Index += 2) {\r
+ CONST CHAR8 *Tmp;\r
+\r
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;\r
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));\r
+ Pos += AsciiStrLen (Tmp);\r
+ *Pos++ = '+';\r
+\r
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;\r
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));\r
+ Pos += AsciiStrLen (Tmp);\r
+ *Pos++ = ':';\r
+ }\r
+\r
+ *(Pos - 1) = '\0';\r
+\r
+ if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {\r
+ Status = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ Status = EFI_SUCCESS;\r
+ }\r
+\r
+ FreePool (SignAlgoStr);\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Set the EC curve to be used for TLS flows\r
+\r
+ This function sets the EC curve to be used for TLS flows.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.\r
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)\r
+\r
+ @retval EFI_SUCCESS The EC curve was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetEcCurve (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ EC_KEY *EcKey;\r
+ INT32 Nid;\r
+ INT32 Ret;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ switch (*((UINT32 *)Data)) {\r
+ case TlsEcNamedCurveSecp256r1:\r
+ return EFI_UNSUPPORTED;\r
+ case TlsEcNamedCurveSecp384r1:\r
+ Nid = NID_secp384r1;\r
+ break;\r
+ case TlsEcNamedCurveSecp521r1:\r
+ Nid = NID_secp521r1;\r
+ break;\r
+ case TlsEcNamedCurveX25519:\r
+ Nid = NID_X25519;\r
+ break;\r
+ case TlsEcNamedCurveX448:\r
+ Nid = NID_X448;\r
+ break;\r
+ default:\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ EcKey = EC_KEY_new_by_curve_name (Nid);\r
+ if (EcKey == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey);\r
+ EC_KEY_free (EcKey);\r
+\r
+ if (Ret != 1) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
/**\r
Gets the protocol version used by the specified TLS connection.\r
\r
UINT16\r
EFIAPI\r
TlsGetVersion (\r
- IN VOID *Tls\r
+ IN VOID *Tls\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
ASSERT (TlsConn != NULL);\r
\r
UINT8\r
EFIAPI\r
TlsGetConnectionEnd (\r
- IN VOID *Tls\r
+ IN VOID *Tls\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
ASSERT (TlsConn != NULL);\r
\r
EFI_STATUS\r
EFIAPI\r
TlsGetCurrentCipher (\r
- IN VOID *Tls,\r
- IN OUT UINT16 *CipherId\r
+ IN VOID *Tls,\r
+ IN OUT UINT16 *CipherId\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
CONST SSL_CIPHER *Cipher;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
Cipher = NULL;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsGetCurrentCompressionId (\r
- IN VOID *Tls,\r
- IN OUT UINT8 *CompressionId\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *CompressionId\r
)\r
{\r
return EFI_UNSUPPORTED;\r
UINT32\r
EFIAPI\r
TlsGetVerify (\r
- IN VOID *Tls\r
+ IN VOID *Tls\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
ASSERT (TlsConn != NULL);\r
\r
EFI_STATUS\r
EFIAPI\r
TlsGetSessionId (\r
- IN VOID *Tls,\r
- IN OUT UINT8 *SessionId,\r
- IN OUT UINT16 *SessionIdLen\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *SessionId,\r
+ IN OUT UINT16 *SessionIdLen\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
SSL_SESSION *Session;\r
CONST UINT8 *SslSessionId;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
Session = NULL;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL) || (SessionIdLen == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
VOID\r
EFIAPI\r
TlsGetClientRandom (\r
- IN VOID *Tls,\r
- IN OUT UINT8 *ClientRandom\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ClientRandom\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ClientRandom == NULL)) {\r
return;\r
}\r
\r
VOID\r
EFIAPI\r
TlsGetServerRandom (\r
- IN VOID *Tls,\r
- IN OUT UINT8 *ServerRandom\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ServerRandom\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ServerRandom == NULL)) {\r
return;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsGetKeyMaterial (\r
- IN VOID *Tls,\r
- IN OUT UINT8 *KeyMaterial\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *KeyMaterial\r
)\r
{\r
TLS_CONNECTION *TlsConn;\r
SSL_SESSION *Session;\r
\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
Session = NULL;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (KeyMaterial == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
TlsGetCaCertificate (\r
- IN VOID *Tls,\r
- OUT VOID *Data,\r
- IN OUT UINTN *DataSize\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
)\r
{\r
return EFI_UNSUPPORTED;\r
EFI_STATUS\r
EFIAPI\r
TlsGetHostPublicCert (\r
- IN VOID *Tls,\r
- OUT VOID *Data,\r
- IN OUT UINTN *DataSize\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
)\r
{\r
X509 *Cert;\r
TLS_CONNECTION *TlsConn;\r
\r
Cert = NULL;\r
- TlsConn = (TLS_CONNECTION *) Tls;\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
\r
- if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (DataSize == NULL) || ((*DataSize != 0) && (Data == NULL))) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
- Cert = SSL_get_certificate(TlsConn->Ssl);\r
+ Cert = SSL_get_certificate (TlsConn->Ssl);\r
if (Cert == NULL) {\r
return EFI_NOT_FOUND;\r
}\r
//\r
// Only DER encoding is supported currently.\r
//\r
- if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {\r
- *DataSize = (UINTN) i2d_X509 (Cert, NULL);\r
+ if (*DataSize < (UINTN)i2d_X509 (Cert, NULL)) {\r
+ *DataSize = (UINTN)i2d_X509 (Cert, NULL);\r
return EFI_BUFFER_TOO_SMALL;\r
}\r
\r
- *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);\r
+ *DataSize = (UINTN)i2d_X509 (Cert, (unsigned char **)&Data);\r
\r
return EFI_SUCCESS;\r
}\r
EFI_STATUS\r
EFIAPI\r
TlsGetHostPrivateKey (\r
- IN VOID *Tls,\r
- OUT VOID *Data,\r
- IN OUT UINTN *DataSize\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
)\r
{\r
return EFI_UNSUPPORTED;\r
EFI_STATUS\r
EFIAPI\r
TlsGetCertRevocationList (\r
- OUT VOID *Data,\r
- IN OUT UINTN *DataSize\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
)\r
{\r
return EFI_UNSUPPORTED;\r
}\r
\r
+/**\r
+ Derive keying material from a TLS connection.\r
+\r
+ This function exports keying material using the mechanism described in RFC\r
+ 5705.\r
+\r
+ @param[in] Tls Pointer to the TLS object\r
+ @param[in] Label Description of the key for the PRF function\r
+ @param[in] Context Optional context\r
+ @param[in] ContextLen The length of the context value in bytes\r
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF\r
+ @param[in] KeyBufferLen The length of the KeyBuffer\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetExportKey (\r
+ IN VOID *Tls,\r
+ IN CONST VOID *Label,\r
+ IN CONST VOID *Context,\r
+ IN UINTN ContextLen,\r
+ OUT VOID *KeyBuffer,\r
+ IN UINTN KeyBufferLen\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+\r
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ return SSL_export_keying_material (\r
+ TlsConn->Ssl,\r
+ KeyBuffer,\r
+ KeyBufferLen,\r
+ Label,\r
+ AsciiStrLen (Label),\r
+ Context,\r
+ ContextLen,\r
+ Context != NULL\r
+ ) == 1 ?\r
+ EFI_SUCCESS : EFI_PROTOCOL_ERROR;\r
+}\r
projects / mirror_edk2.git / blobdiff