-/** @file
- SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalTlsLib.h"
-
-/**
- Initializes the OpenSSL library.
-
- This function registers ciphers and digests used directly and indirectly
- by SSL/TLS, and initializes the readable error messages.
- This function must be called before any other action takes places.
-
-**/
-VOID
-EFIAPI
-TlsInitialize (
- VOID
- )
-{
- //
- // Performs initialization of crypto and ssl library, and loads required
- // algorithms.
- //
- OPENSSL_init_ssl (
- OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
- NULL
- );
-
- //
- // Initialize the pseudorandom number generator.
- //
- RandomSeed (NULL, 0);
-}
-
-/**
- Free an allocated SSL_CTX object.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
-
-**/
-VOID
-EFIAPI
-TlsCtxFree (
- IN VOID *TlsCtx
- )
-{
- if (TlsCtx == NULL) {
- return;
- }
-
- if (TlsCtx != NULL) {
- SSL_CTX_free ((SSL_CTX *) (TlsCtx));
- }
-}
-
-/**
- Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
- connections.
-
- @param[in] MajorVer Major Version of TLS/SSL Protocol.
- @param[in] MinorVer Minor Version of TLS/SSL Protocol.
-
- @return Pointer to an allocated SSL_CTX object.
- If the creation failed, TlsCtxNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsCtxNew (
- IN UINT8 MajorVer,
- IN UINT8 MinorVer
- )
-{
- SSL_CTX *TlsCtx;
- UINT16 ProtoVersion;
-
- ProtoVersion = (MajorVer << 8) | MinorVer;
-
- TlsCtx = SSL_CTX_new (SSLv23_client_method ());
- if (TlsCtx == NULL) {
- return NULL;
- }
-
- //
- // Ensure SSLv3 is disabled
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
-
- //
- // Treat as minimum accepted versions by setting the minimal bound.
- // Client can use higher TLS version if server supports it
- //
- SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
-
- return (VOID *) TlsCtx;
-}
-
-/**
- Free an allocated TLS object.
-
- This function removes the TLS object pointed to by Tls and frees up the
- allocated memory. If Tls is NULL, nothing is done.
-
- @param[in] Tls Pointer to the TLS object to be freed.
-
-**/
-VOID
-EFIAPI
-TlsFree (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL) {
- return;
- }
-
- //
- // Free the internal TLS and BIO objects.
- //
- if (TlsConn->Ssl != NULL) {
- SSL_free (TlsConn->Ssl);
- }
-
- if (TlsConn->InBio != NULL) {
- BIO_free (TlsConn->InBio);
- }
-
- if (TlsConn->OutBio != NULL) {
- BIO_free (TlsConn->OutBio);
- }
-
- OPENSSL_free (Tls);
-}
-
-/**
- Create a new TLS object for a connection.
-
- This function creates a new TLS object for a connection. The new object
- inherits the setting of the underlying context TlsCtx: connection method,
- options, verification setting.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object.
-
- @return Pointer to an allocated SSL object.
- If the creation failed, TlsNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsNew (
- IN VOID *TlsCtx
- )
-{
- TLS_CONNECTION *TlsConn;
- SSL_CTX *SslCtx;
- X509_STORE *X509Store;
-
- TlsConn = NULL;
-
- //
- // Allocate one new TLS_CONNECTION object
- //
- TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
- if (TlsConn == NULL) {
- return NULL;
- }
-
- TlsConn->Ssl = NULL;
-
- //
- // Create a new SSL Object
- //
- TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
- if (TlsConn->Ssl == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // This retains compatibility with previous version of OpenSSL.
- //
- SSL_set_security_level (TlsConn->Ssl, 0);
-
- //
- // Initialize the created SSL Object
- //
- SSL_set_info_callback (TlsConn->Ssl, NULL);
-
- TlsConn->InBio = NULL;
-
- //
- // Set up Reading BIO for TLS connection
- //
- TlsConn->InBio = BIO_new (BIO_s_mem ());
- if (TlsConn->InBio == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // Sets the behaviour of memory BIO when it is empty. It will set the
- // read retry flag.
- //
- BIO_set_mem_eof_return (TlsConn->InBio, -1);
-
- TlsConn->OutBio = NULL;
-
- //
- // Set up Writing BIO for TLS connection
- //
- TlsConn->OutBio = BIO_new (BIO_s_mem ());
- if (TlsConn->OutBio == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // Sets the behaviour of memory BIO when it is empty. It will set the
- // write retry flag.
- //
- BIO_set_mem_eof_return (TlsConn->OutBio, -1);
-
- ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
-
- //
- // Connects the InBio and OutBio for the read and write operations.
- //
- SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
-
- //
- // Create new X509 store if needed
- //
- SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
- X509Store = SSL_CTX_get_cert_store (SslCtx);
- if (X509Store == NULL) {
- X509Store = X509_STORE_new ();
- if (X509Store == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
- SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
- X509_STORE_free (X509Store);
- }
-
- //
- // Set X509_STORE flags used in certificate validation
- //
- X509_STORE_set_flags (
- X509Store,
- X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
- );
- return (VOID *) TlsConn;
-}
+/** @file\r
+ SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.\r
+\r
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+\r
+#include "InternalTlsLib.h"\r
+\r
+/**\r
+ Initializes the OpenSSL library.\r
+\r
+ This function registers ciphers and digests used directly and indirectly\r
+ by SSL/TLS, and initializes the readable error messages.\r
+ This function must be called before any other action takes places.\r
+\r
+ @retval TRUE The OpenSSL library has been initialized.\r
+ @retval FALSE Failed to initialize the OpenSSL library.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+TlsInitialize (\r
+ VOID\r
+ )\r
+{\r
+ INTN Ret;\r
+\r
+ //\r
+ // Performs initialization of crypto and ssl library, and loads required\r
+ // algorithms.\r
+ //\r
+ Ret = OPENSSL_init_ssl (\r
+ OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,\r
+ NULL\r
+ );\r
+ if (Ret != 1) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Initialize the pseudorandom number generator.\r
+ //\r
+ return RandomSeed (NULL, 0);\r
+}\r
+\r
+/**\r
+ Free an allocated SSL_CTX object.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsCtxFree (\r
+ IN VOID *TlsCtx\r
+ )\r
+{\r
+ if (TlsCtx == NULL) {\r
+ return;\r
+ }\r
+\r
+ if (TlsCtx != NULL) {\r
+ SSL_CTX_free ((SSL_CTX *)(TlsCtx));\r
+ }\r
+}\r
+\r
+/**\r
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled\r
+ connections.\r
+\r
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
+\r
+ @return Pointer to an allocated SSL_CTX object.\r
+ If the creation failed, TlsCtxNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsCtxNew (\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
+ )\r
+{\r
+ SSL_CTX *TlsCtx;\r
+ UINT16 ProtoVersion;\r
+\r
+ ProtoVersion = (MajorVer << 8) | MinorVer;\r
+\r
+ TlsCtx = SSL_CTX_new (SSLv23_client_method ());\r
+ if (TlsCtx == NULL) {\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Ensure SSLv3 is disabled\r
+ //\r
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);\r
+\r
+ //\r
+ // Treat as minimum accepted versions by setting the minimal bound.\r
+ // Client can use higher TLS version if server supports it\r
+ //\r
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);\r
+\r
+ return (VOID *)TlsCtx;\r
+}\r
+\r
+/**\r
+ Free an allocated TLS object.\r
+\r
+ This function removes the TLS object pointed to by Tls and frees up the\r
+ allocated memory. If Tls is NULL, nothing is done.\r
+\r
+ @param[in] Tls Pointer to the TLS object to be freed.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsFree (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if (TlsConn == NULL) {\r
+ return;\r
+ }\r
+\r
+ //\r
+ // Free the internal TLS and related BIO objects.\r
+ //\r
+ if (TlsConn->Ssl != NULL) {\r
+ SSL_free (TlsConn->Ssl);\r
+ }\r
+\r
+ OPENSSL_free (Tls);\r
+}\r
+\r
+/**\r
+ Create a new TLS object for a connection.\r
+\r
+ This function creates a new TLS object for a connection. The new object\r
+ inherits the setting of the underlying context TlsCtx: connection method,\r
+ options, verification setting.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object.\r
+\r
+ @return Pointer to an allocated SSL object.\r
+ If the creation failed, TlsNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsNew (\r
+ IN VOID *TlsCtx\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_CTX *SslCtx;\r
+ X509_STORE *X509Store;\r
+\r
+ TlsConn = NULL;\r
+\r
+ //\r
+ // Allocate one new TLS_CONNECTION object\r
+ //\r
+ TlsConn = (TLS_CONNECTION *)OPENSSL_malloc (sizeof (TLS_CONNECTION));\r
+ if (TlsConn == NULL) {\r
+ return NULL;\r
+ }\r
+\r
+ TlsConn->Ssl = NULL;\r
+\r
+ //\r
+ // Create a new SSL Object\r
+ //\r
+ TlsConn->Ssl = SSL_new ((SSL_CTX *)TlsCtx);\r
+ if (TlsConn->Ssl == NULL) {\r
+ TlsFree ((VOID *)TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // This retains compatibility with previous version of OpenSSL.\r
+ //\r
+ SSL_set_security_level (TlsConn->Ssl, 0);\r
+\r
+ //\r
+ // Initialize the created SSL Object\r
+ //\r
+ SSL_set_info_callback (TlsConn->Ssl, NULL);\r
+\r
+ TlsConn->InBio = NULL;\r
+\r
+ //\r
+ // Set up Reading BIO for TLS connection\r
+ //\r
+ TlsConn->InBio = BIO_new (BIO_s_mem ());\r
+ if (TlsConn->InBio == NULL) {\r
+ TlsFree ((VOID *)TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Sets the behaviour of memory BIO when it is empty. It will set the\r
+ // read retry flag.\r
+ //\r
+ BIO_set_mem_eof_return (TlsConn->InBio, -1);\r
+\r
+ TlsConn->OutBio = NULL;\r
+\r
+ //\r
+ // Set up Writing BIO for TLS connection\r
+ //\r
+ TlsConn->OutBio = BIO_new (BIO_s_mem ());\r
+ if (TlsConn->OutBio == NULL) {\r
+ TlsFree ((VOID *)TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Sets the behaviour of memory BIO when it is empty. It will set the\r
+ // write retry flag.\r
+ //\r
+ BIO_set_mem_eof_return (TlsConn->OutBio, -1);\r
+\r
+ ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);\r
+\r
+ //\r
+ // Connects the InBio and OutBio for the read and write operations.\r
+ //\r
+ SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);\r
+\r
+ //\r
+ // Create new X509 store if needed\r
+ //\r
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
+ X509Store = SSL_CTX_get_cert_store (SslCtx);\r
+ if (X509Store == NULL) {\r
+ X509Store = X509_STORE_new ();\r
+ if (X509Store == NULL) {\r
+ TlsFree ((VOID *)TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);\r
+ X509_STORE_free (X509Store);\r
+ }\r
+\r
+ //\r
+ // Set X509_STORE flags used in certificate validation\r
+ //\r
+ X509_STORE_set_flags (\r
+ X509Store,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME\r
+ );\r
+ return (VOID *)TlsConn;\r
+}\r
projects / mirror_edk2.git / blobdiff