-/** @file
- Defines TLS Library APIs.
-
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __TLS_LIB_H__
-#define __TLS_LIB_H__
-
-/**
- Initializes the OpenSSL library.
-
- This function registers ciphers and digests used directly and indirectly
- by SSL/TLS, and initializes the readable error messages.
- This function must be called before any other action takes places.
-
-**/
-VOID
-EFIAPI
-TlsInitialize (
- VOID
- );
-
-/**
- Free an allocated SSL_CTX object.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
-
-**/
-VOID
-EFIAPI
-TlsCtxFree (
- IN VOID *TlsCtx
- );
-
-/**
- Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
- connections.
-
- @param[in] MajorVer Major Version of TLS/SSL Protocol.
- @param[in] MinorVer Minor Version of TLS/SSL Protocol.
-
- @return Pointer to an allocated SSL_CTX object.
- If the creation failed, TlsCtxNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsCtxNew (
- IN UINT8 MajorVer,
- IN UINT8 MinorVer
- );
-
-/**
- Free an allocated TLS object.
-
- This function removes the TLS object pointed to by Tls and frees up the
- allocated memory. If Tls is NULL, nothing is done.
-
- @param[in] Tls Pointer to the TLS object to be freed.
-
-**/
-VOID
-EFIAPI
-TlsFree (
- IN VOID *Tls
- );
-
-/**
- Create a new TLS object for a connection.
-
- This function creates a new TLS object for a connection. The new object
- inherits the setting of the underlying context TlsCtx: connection method,
- options, verification setting.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object.
-
- @return Pointer to an allocated SSL object.
- If the creation failed, TlsNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsNew (
- IN VOID *TlsCtx
- );
-
-/**
- Checks if the TLS handshake was done.
-
- This function will check if the specified TLS handshake was done.
-
- @param[in] Tls Pointer to the TLS object for handshake state checking.
-
- @retval TRUE The TLS handshake was done.
- @retval FALSE The TLS handshake was not done.
-
-**/
-BOOLEAN
-EFIAPI
-TlsInHandshake (
- IN VOID *Tls
- );
-
-/**
- Perform a TLS/SSL handshake.
-
- This function will perform a TLS/SSL handshake.
-
- @param[in] Tls Pointer to the TLS object for handshake operation.
- @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
- @param[in] BufferInSize Packet size in bytes for the most recently received TLS
- Handshake packet.
- @param[out] BufferOut Pointer to the buffer to hold the built packet.
- @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferIn is NULL but BufferInSize is NOT 0.
- BufferInSize is 0 but BufferIn is NOT NULL.
- BufferOutSize is NULL.
- BufferOut is NULL if *BufferOutSize is not zero.
- @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
- @retval EFI_ABORTED Something wrong during handshake.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsDoHandshake (
- IN VOID *Tls,
- IN UINT8 *BufferIn, OPTIONAL
- IN UINTN BufferInSize, OPTIONAL
- OUT UINT8 *BufferOut, OPTIONAL
- IN OUT UINTN *BufferOutSize
- );
-
-/**
- Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
- TLS session has errors and the response packet needs to be Alert message based on error type.
-
- @param[in] Tls Pointer to the TLS object for state checking.
- @param[in] BufferIn Pointer to the most recently received TLS Alert packet.
- @param[in] BufferInSize Packet size in bytes for the most recently received TLS
- Alert packet.
- @param[out] BufferOut Pointer to the buffer to hold the built packet.
- @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferIn is NULL but BufferInSize is NOT 0.
- BufferInSize is 0 but BufferIn is NOT NULL.
- BufferOutSize is NULL.
- BufferOut is NULL if *BufferOutSize is not zero.
- @retval EFI_ABORTED An error occurred.
- @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsHandleAlert (
- IN VOID *Tls,
- IN UINT8 *BufferIn, OPTIONAL
- IN UINTN BufferInSize, OPTIONAL
- OUT UINT8 *BufferOut, OPTIONAL
- IN OUT UINTN *BufferOutSize
- );
-
-/**
- Build the CloseNotify packet.
-
- @param[in] Tls Pointer to the TLS object for state checking.
- @param[in, out] Buffer Pointer to the buffer to hold the built packet.
- @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferSize is NULL.
- Buffer is NULL if *BufferSize is not zero.
- @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsCloseNotify (
- IN VOID *Tls,
- IN OUT UINT8 *Buffer,
- IN OUT UINTN *BufferSize
- );
-
-/**
- Attempts to read bytes from one TLS object and places the data in Buffer.
-
- This function will attempt to read BufferSize bytes from the TLS object
- and places the data in Buffer.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] Buffer Pointer to the buffer to store the data.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The amount of data successfully read from the TLS object.
- @retval <=0 No data was successfully read.
-
-**/
-INTN
-EFIAPI
-TlsCtrlTrafficOut (
- IN VOID *Tls,
- IN OUT VOID *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Attempts to write data from the buffer to TLS object.
-
- This function will attempt to write BufferSize bytes data from the Buffer
- to the TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The amount of data successfully written to the TLS object.
- @retval <=0 No data was successfully written.
-
-**/
-INTN
-EFIAPI
-TlsCtrlTrafficIn (
- IN VOID *Tls,
- IN VOID *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Attempts to read bytes from the specified TLS connection into the buffer.
-
- This function tries to read BufferSize bytes data from the specified TLS
- connection into the Buffer.
-
- @param[in] Tls Pointer to the TLS connection for data reading.
- @param[in,out] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The read operation was successful, and return value is the
- number of bytes actually read from the TLS connection.
- @retval <=0 The read operation was not successful.
-
-**/
-INTN
-EFIAPI
-TlsRead (
- IN VOID *Tls,
- IN OUT VOID *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Attempts to write data to a TLS connection.
-
- This function tries to write BufferSize bytes data from the Buffer into the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS connection for data writing.
- @param[in] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The write operation was successful, and return value is the
- number of bytes actually written to the TLS connection.
- @retval <=0 The write operation was not successful.
-
-**/
-INTN
-EFIAPI
-TlsWrite (
- IN VOID *Tls,
- IN VOID *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Set a new TLS/SSL method for a particular TLS object.
-
- This function sets a new TLS/SSL method for a particular TLS object.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] MajorVer Major Version of TLS/SSL Protocol.
- @param[in] MinorVer Minor Version of TLS/SSL Protocol.
-
- @retval EFI_SUCCESS The TLS/SSL method was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetVersion (
- IN VOID *Tls,
- IN UINT8 MajorVer,
- IN UINT8 MinorVer
- );
-
-/**
- Set TLS object to work in client or server mode.
-
- This function prepares a TLS object to work in client or server mode.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] IsServer Work in server mode.
-
- @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetConnectionEnd (
- IN VOID *Tls,
- IN BOOLEAN IsServer
- );
-
-/**
- Set the ciphers list to be used by the TLS object.
-
- This function sets the ciphers for use by a specified TLS object.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] CipherId Pointer to a string that contains one or more
- ciphers separated by a colon.
- @param[in] CipherNum The number of cipher in the list.
-
- @retval EFI_SUCCESS The ciphers list was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCipherList (
- IN VOID *Tls,
- IN UINT16 *CipherId,
- IN UINTN CipherNum
- );
-
-/**
- Set the compression method for TLS/SSL operations.
-
- This function handles TLS/SSL integrated compression methods.
-
- @param[in] CompMethod The compression method ID.
-
- @retval EFI_SUCCESS The compression method for the communication was
- set successfully.
- @retval EFI_UNSUPPORTED Unsupported compression method.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCompressionMethod (
- IN UINT8 CompMethod
- );
-
-/**
- Set peer certificate verification mode for the TLS connection.
-
- This function sets the verification mode flags for the TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] VerifyMode A set of logically or'ed verification mode flags.
-
-**/
-VOID
-EFIAPI
-TlsSetVerify (
- IN VOID *Tls,
- IN UINT32 VerifyMode
- );
-
-/**
- Sets a TLS/SSL session ID to be used during TLS/SSL connect.
-
- This function sets a session ID to be used when the TLS/SSL connection is
- to be established.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] SessionId Session ID data used for session resumption.
- @param[in] SessionIdLen Length of Session ID in bytes.
-
- @retval EFI_SUCCESS Session ID was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED No available session for ID setting.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetSessionId (
- IN VOID *Tls,
- IN UINT8 *SessionId,
- IN UINT16 SessionIdLen
- );
-
-/**
- Adds the CA to the cert store when requesting Server or Client authentication.
-
- This function adds the CA certificate to the list of CAs when requesting
- Server or Client authentication for the chosen TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a DER-encoded binary
- X.509 certificate or PEM-encoded X.509 certificate.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
- @retval EFI_ABORTED Invalid X.509 certificate.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCaCertificate (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Loads the local public certificate into the specified TLS object.
-
- This function loads the X.509 certificate into the specified TLS object
- for TLS negotiation.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a DER-encoded binary
- X.509 certificate or PEM-encoded X.509 certificate.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
- @retval EFI_ABORTED Invalid X.509 certificate.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetHostPublicCert (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Adds the local private key to the specified TLS object.
-
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private
- key) into the specified TLS object for TLS negotiation.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
- or PKCS#8 private key.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_ABORTED Invalid private key data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetHostPrivateKey (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Adds the CA-supplied certificate revocation list for certificate validation.
-
- This function adds the CA-supplied certificate revocation list data for
- certificate validity checking.
-
- @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_ABORTED Invalid CRL data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCertRevocationList (
- IN VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Gets the protocol version used by the specified TLS connection.
-
- This function returns the protocol version used by the specified TLS
- connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The protocol version of the specified TLS connection.
-
-**/
-UINT16
-EFIAPI
-TlsGetVersion (
- IN VOID *Tls
- );
-
-/**
- Gets the connection end of the specified TLS connection.
-
- This function returns the connection end (as client or as server) used by
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The connection end used by the specified TLS connection.
-
-**/
-UINT8
-EFIAPI
-TlsGetConnectionEnd (
- IN VOID *Tls
- );
-
-/**
- Gets the cipher suite used by the specified TLS connection.
-
- This function returns current cipher suite used by the specified
- TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] CipherId The cipher suite used by the TLS object.
-
- @retval EFI_SUCCESS The cipher suite was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported cipher suite.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCurrentCipher (
- IN VOID *Tls,
- IN OUT UINT16 *CipherId
- );
-
-/**
- Gets the compression methods used by the specified TLS connection.
-
- This function returns current integrated compression methods used by
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] CompressionId The current compression method used by
- the TLS object.
-
- @retval EFI_SUCCESS The compression method was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_ABORTED Invalid Compression method.
- @retval EFI_UNSUPPORTED This function is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCurrentCompressionId (
- IN VOID *Tls,
- IN OUT UINT8 *CompressionId
- );
-
-/**
- Gets the verification mode currently set in the TLS connection.
-
- This function returns the peer verification mode currently set in the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The verification mode set in the specified TLS connection.
-
-**/
-UINT32
-EFIAPI
-TlsGetVerify (
- IN VOID *Tls
- );
-
-/**
- Gets the session ID used by the specified TLS connection.
-
- This function returns the TLS/SSL session ID currently used by the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] SessionId Buffer to contain the returned session ID.
- @param[in,out] SessionIdLen The length of Session ID in bytes.
-
- @retval EFI_SUCCESS The Session ID was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetSessionId (
- IN VOID *Tls,
- IN OUT UINT8 *SessionId,
- IN OUT UINT16 *SessionIdLen
- );
-
-/**
- Gets the client random data used in the specified TLS connection.
-
- This function returns the TLS/SSL client random data currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] ClientRandom Buffer to contain the returned client
- random data (32 bytes).
-
-**/
-VOID
-EFIAPI
-TlsGetClientRandom (
- IN VOID *Tls,
- IN OUT UINT8 *ClientRandom
- );
-
-/**
- Gets the server random data used in the specified TLS connection.
-
- This function returns the TLS/SSL server random data currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] ServerRandom Buffer to contain the returned server
- random data (32 bytes).
-
-**/
-VOID
-EFIAPI
-TlsGetServerRandom (
- IN VOID *Tls,
- IN OUT UINT8 *ServerRandom
- );
-
-/**
- Gets the master key data used in the specified TLS connection.
-
- This function returns the TLS/SSL master key material currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] KeyMaterial Buffer to contain the returned key material.
-
- @retval EFI_SUCCESS Key material was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetKeyMaterial (
- IN VOID *Tls,
- IN OUT UINT8 *KeyMaterial
- );
-
-/**
- Gets the CA Certificate from the cert store.
-
- This function returns the CA certificate for the chosen
- TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the CA
- certificate data sent to the client.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCaCertificate (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- );
-
-/**
- Gets the local public Certificate set in the specified TLS object.
-
- This function returns the local public certificate which was currently set
- in the specified TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the local
- public certificate.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_NOT_FOUND The certificate is not found.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetHostPublicCert (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- );
-
-/**
- Gets the local private key set in the specified TLS object.
-
- This function returns the local private key data which was currently set
- in the specified TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the local
- private key data.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetHostPrivateKey (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- );
-
-/**
- Gets the CA-supplied certificate revocation list data set in the specified
- TLS object.
-
- This function returns the CA-supplied certificate revocation list data which
- was currently set in the specified TLS object.
-
- @param[out] Data Pointer to the data buffer to receive the CRL data.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCertRevocationList (
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- );
-
-#endif // __TLS_LIB_H__
+/** @file\r
+ Defines TLS Library APIs.\r
+\r
+Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution. The full text of the license may be found at\r
+http://opensource.org/licenses/bsd-license.php\r
+\r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#ifndef __TLS_LIB_H__\r
+#define __TLS_LIB_H__\r
+\r
+/**\r
+ Initializes the OpenSSL library.\r
+\r
+ This function registers ciphers and digests used directly and indirectly\r
+ by SSL/TLS, and initializes the readable error messages.\r
+ This function must be called before any other action takes places.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsInitialize (\r
+ VOID\r
+ );\r
+\r
+/**\r
+ Free an allocated SSL_CTX object.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsCtxFree (\r
+ IN VOID *TlsCtx\r
+ );\r
+\r
+/**\r
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled\r
+ connections.\r
+\r
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
+\r
+ @return Pointer to an allocated SSL_CTX object.\r
+ If the creation failed, TlsCtxNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsCtxNew (\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
+ );\r
+\r
+/**\r
+ Free an allocated TLS object.\r
+\r
+ This function removes the TLS object pointed to by Tls and frees up the\r
+ allocated memory. If Tls is NULL, nothing is done.\r
+\r
+ @param[in] Tls Pointer to the TLS object to be freed.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsFree (\r
+ IN VOID *Tls\r
+ );\r
+\r
+/**\r
+ Create a new TLS object for a connection.\r
+\r
+ This function creates a new TLS object for a connection. The new object\r
+ inherits the setting of the underlying context TlsCtx: connection method,\r
+ options, verification setting.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object.\r
+\r
+ @return Pointer to an allocated SSL object.\r
+ If the creation failed, TlsNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsNew (\r
+ IN VOID *TlsCtx\r
+ );\r
+\r
+/**\r
+ Checks if the TLS handshake was done.\r
+\r
+ This function will check if the specified TLS handshake was done.\r
+\r
+ @param[in] Tls Pointer to the TLS object for handshake state checking.\r
+\r
+ @retval TRUE The TLS handshake was done.\r
+ @retval FALSE The TLS handshake was not done.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+TlsInHandshake (\r
+ IN VOID *Tls\r
+ );\r
+\r
+/**\r
+ Perform a TLS/SSL handshake.\r
+\r
+ This function will perform a TLS/SSL handshake.\r
+\r
+ @param[in] Tls Pointer to the TLS object for handshake operation.\r
+ @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.\r
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r
+ Handshake packet.\r
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferIn is NULL but BufferInSize is NOT 0.\r
+ BufferInSize is 0 but BufferIn is NOT NULL.\r
+ BufferOutSize is NULL.\r
+ BufferOut is NULL if *BufferOutSize is not zero.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r
+ @retval EFI_ABORTED Something wrong during handshake.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsDoHandshake (\r
+ IN VOID *Tls,\r
+ IN UINT8 *BufferIn, OPTIONAL\r
+ IN UINTN BufferInSize, OPTIONAL\r
+ OUT UINT8 *BufferOut, OPTIONAL\r
+ IN OUT UINTN *BufferOutSize\r
+ );\r
+\r
+/**\r
+ Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,\r
+ TLS session has errors and the response packet needs to be Alert message based on error type.\r
+\r
+ @param[in] Tls Pointer to the TLS object for state checking.\r
+ @param[in] BufferIn Pointer to the most recently received TLS Alert packet.\r
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r
+ Alert packet.\r
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferIn is NULL but BufferInSize is NOT 0.\r
+ BufferInSize is 0 but BufferIn is NOT NULL.\r
+ BufferOutSize is NULL.\r
+ BufferOut is NULL if *BufferOutSize is not zero.\r
+ @retval EFI_ABORTED An error occurred.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsHandleAlert (\r
+ IN VOID *Tls,\r
+ IN UINT8 *BufferIn, OPTIONAL\r
+ IN UINTN BufferInSize, OPTIONAL\r
+ OUT UINT8 *BufferOut, OPTIONAL\r
+ IN OUT UINTN *BufferOutSize\r
+ );\r
+\r
+/**\r
+ Build the CloseNotify packet.\r
+\r
+ @param[in] Tls Pointer to the TLS object for state checking.\r
+ @param[in, out] Buffer Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferSize is NULL.\r
+ Buffer is NULL if *BufferSize is not zero.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsCloseNotify (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *Buffer,\r
+ IN OUT UINTN *BufferSize\r
+ );\r
+\r
+/**\r
+ Attempts to read bytes from one TLS object and places the data in Buffer.\r
+\r
+ This function will attempt to read BufferSize bytes from the TLS object\r
+ and places the data in Buffer.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] Buffer Pointer to the buffer to store the data.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The amount of data successfully read from the TLS object.\r
+ @retval <=0 No data was successfully read.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsCtrlTrafficOut (\r
+ IN VOID *Tls,\r
+ IN OUT VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ );\r
+\r
+/**\r
+ Attempts to write data from the buffer to TLS object.\r
+\r
+ This function will attempt to write BufferSize bytes data from the Buffer\r
+ to the TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The amount of data successfully written to the TLS object.\r
+ @retval <=0 No data was successfully written.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsCtrlTrafficIn (\r
+ IN VOID *Tls,\r
+ IN VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ );\r
+\r
+/**\r
+ Attempts to read bytes from the specified TLS connection into the buffer.\r
+\r
+ This function tries to read BufferSize bytes data from the specified TLS\r
+ connection into the Buffer.\r
+\r
+ @param[in] Tls Pointer to the TLS connection for data reading.\r
+ @param[in,out] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The read operation was successful, and return value is the\r
+ number of bytes actually read from the TLS connection.\r
+ @retval <=0 The read operation was not successful.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsRead (\r
+ IN VOID *Tls,\r
+ IN OUT VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ );\r
+\r
+/**\r
+ Attempts to write data to a TLS connection.\r
+\r
+ This function tries to write BufferSize bytes data from the Buffer into the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS connection for data writing.\r
+ @param[in] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The write operation was successful, and return value is the\r
+ number of bytes actually written to the TLS connection.\r
+ @retval <=0 The write operation was not successful.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsWrite (\r
+ IN VOID *Tls,\r
+ IN VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ );\r
+\r
+/**\r
+ Set a new TLS/SSL method for a particular TLS object.\r
+\r
+ This function sets a new TLS/SSL method for a particular TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
+\r
+ @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetVersion (\r
+ IN VOID *Tls,\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
+ );\r
+\r
+/**\r
+ Set TLS object to work in client or server mode.\r
+\r
+ This function prepares a TLS object to work in client or server mode.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] IsServer Work in server mode.\r
+\r
+ @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetConnectionEnd (\r
+ IN VOID *Tls,\r
+ IN BOOLEAN IsServer\r
+ );\r
+\r
+/**\r
+ Set the ciphers list to be used by the TLS object.\r
+\r
+ This function sets the ciphers for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] CipherId Pointer to a string that contains one or more\r
+ ciphers separated by a colon.\r
+ @param[in] CipherNum The number of cipher in the list.\r
+\r
+ @retval EFI_SUCCESS The ciphers list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCipherList (\r
+ IN VOID *Tls,\r
+ IN UINT16 *CipherId,\r
+ IN UINTN CipherNum\r
+ );\r
+\r
+/**\r
+ Set the compression method for TLS/SSL operations.\r
+\r
+ This function handles TLS/SSL integrated compression methods.\r
+\r
+ @param[in] CompMethod The compression method ID.\r
+\r
+ @retval EFI_SUCCESS The compression method for the communication was\r
+ set successfully.\r
+ @retval EFI_UNSUPPORTED Unsupported compression method.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCompressionMethod (\r
+ IN UINT8 CompMethod\r
+ );\r
+\r
+/**\r
+ Set peer certificate verification mode for the TLS connection.\r
+\r
+ This function sets the verification mode flags for the TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] VerifyMode A set of logically or'ed verification mode flags.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsSetVerify (\r
+ IN VOID *Tls,\r
+ IN UINT32 VerifyMode\r
+ );\r
+\r
+/**\r
+ Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
+\r
+ This function sets a session ID to be used when the TLS/SSL connection is\r
+ to be established.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] SessionId Session ID data used for session resumption.\r
+ @param[in] SessionIdLen Length of Session ID in bytes.\r
+\r
+ @retval EFI_SUCCESS Session ID was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED No available session for ID setting.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetSessionId (\r
+ IN VOID *Tls,\r
+ IN UINT8 *SessionId,\r
+ IN UINT16 SessionIdLen\r
+ );\r
+\r
+/**\r
+ Adds the CA to the cert store when requesting Server or Client authentication.\r
+\r
+ This function adds the CA certificate to the list of CAs when requesting\r
+ Server or Client authentication for the chosen TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
+ X.509 certificate or PEM-encoded X.509 certificate.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
+ @retval EFI_ABORTED Invalid X.509 certificate.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCaCertificate (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Loads the local public certificate into the specified TLS object.\r
+\r
+ This function loads the X.509 certificate into the specified TLS object\r
+ for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
+ X.509 certificate or PEM-encoded X.509 certificate.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
+ @retval EFI_ABORTED Invalid X.509 certificate.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPublicCert (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPrivateKey (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Adds the CA-supplied certificate revocation list for certificate validation.\r
+\r
+ This function adds the CA-supplied certificate revocation list data for\r
+ certificate validity checking.\r
+\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid CRL data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCertRevocationList (\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Gets the protocol version used by the specified TLS connection.\r
+\r
+ This function returns the protocol version used by the specified TLS\r
+ connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The protocol version of the specified TLS connection.\r
+\r
+**/\r
+UINT16\r
+EFIAPI\r
+TlsGetVersion (\r
+ IN VOID *Tls\r
+ );\r
+\r
+/**\r
+ Gets the connection end of the specified TLS connection.\r
+\r
+ This function returns the connection end (as client or as server) used by\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The connection end used by the specified TLS connection.\r
+\r
+**/\r
+UINT8\r
+EFIAPI\r
+TlsGetConnectionEnd (\r
+ IN VOID *Tls\r
+ );\r
+\r
+/**\r
+ Gets the cipher suite used by the specified TLS connection.\r
+\r
+ This function returns current cipher suite used by the specified\r
+ TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] CipherId The cipher suite used by the TLS object.\r
+\r
+ @retval EFI_SUCCESS The cipher suite was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported cipher suite.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCurrentCipher (\r
+ IN VOID *Tls,\r
+ IN OUT UINT16 *CipherId\r
+ );\r
+\r
+/**\r
+ Gets the compression methods used by the specified TLS connection.\r
+\r
+ This function returns current integrated compression methods used by\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] CompressionId The current compression method used by\r
+ the TLS object.\r
+\r
+ @retval EFI_SUCCESS The compression method was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_ABORTED Invalid Compression method.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCurrentCompressionId (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *CompressionId\r
+ );\r
+\r
+/**\r
+ Gets the verification mode currently set in the TLS connection.\r
+\r
+ This function returns the peer verification mode currently set in the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The verification mode set in the specified TLS connection.\r
+\r
+**/\r
+UINT32\r
+EFIAPI\r
+TlsGetVerify (\r
+ IN VOID *Tls\r
+ );\r
+\r
+/**\r
+ Gets the session ID used by the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL session ID currently used by the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] SessionId Buffer to contain the returned session ID.\r
+ @param[in,out] SessionIdLen The length of Session ID in bytes.\r
+\r
+ @retval EFI_SUCCESS The Session ID was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetSessionId (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *SessionId,\r
+ IN OUT UINT16 *SessionIdLen\r
+ );\r
+\r
+/**\r
+ Gets the client random data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL client random data currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] ClientRandom Buffer to contain the returned client\r
+ random data (32 bytes).\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsGetClientRandom (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ClientRandom\r
+ );\r
+\r
+/**\r
+ Gets the server random data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL server random data currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] ServerRandom Buffer to contain the returned server\r
+ random data (32 bytes).\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsGetServerRandom (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ServerRandom\r
+ );\r
+\r
+/**\r
+ Gets the master key data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL master key material currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] KeyMaterial Buffer to contain the returned key material.\r
+\r
+ @retval EFI_SUCCESS Key material was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetKeyMaterial (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *KeyMaterial\r
+ );\r
+\r
+/**\r
+ Gets the CA Certificate from the cert store.\r
+\r
+ This function returns the CA certificate for the chosen\r
+ TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the CA\r
+ certificate data sent to the client.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCaCertificate (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ );\r
+\r
+/**\r
+ Gets the local public Certificate set in the specified TLS object.\r
+\r
+ This function returns the local public certificate which was currently set\r
+ in the specified TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the local\r
+ public certificate.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_NOT_FOUND The certificate is not found.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetHostPublicCert (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ );\r
+\r
+/**\r
+ Gets the local private key set in the specified TLS object.\r
+\r
+ This function returns the local private key data which was currently set\r
+ in the specified TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the local\r
+ private key data.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetHostPrivateKey (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ );\r
+\r
+/**\r
+ Gets the CA-supplied certificate revocation list data set in the specified\r
+ TLS object.\r
+\r
+ This function returns the CA-supplied certificate revocation list data which\r
+ was currently set in the specified TLS object.\r
+\r
+ @param[out] Data Pointer to the data buffer to receive the CRL data.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCertRevocationList (\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ );\r
+\r
+#endif // __TLS_LIB_H__\r
+\r
-#!/usr/bin/perl -w
-#
-# This script runs the OpenSSL Configure script, then processes the
-# resulting file list into our local OpensslLib[Crypto].inf and also
-# takes a copy of opensslconf.h.
-#
-# This only needs to be done once by a developer when updating to a
-# new version of OpenSSL (or changing options, etc.). Normal users
-# do not need to do this, since the results are stored in the EDK2
-# git repository for them.
-#
-use strict;
-use Cwd;
-use File::Copy;
-
-#
-# Find the openssl directory name for use lib. We have to do this
-# inside of BEGIN. The variables we create here, however, don't seem
-# to be available to the main script, so we have to repeat the
-# exercise.
-#
-my $inf_file;
-my $OPENSSL_PATH;
-my @inf;
-
-BEGIN {
- $inf_file = "OpensslLib.inf";
-
- # Read the contents of the inf file
- open( FD, "<" . $inf_file ) ||
- die "Cannot open \"" . $inf_file . "\"!";
- @inf = (<FD>);
- close(FD) ||
- die "Cannot close \"" . $inf_file . "\"!";
-
- foreach (@inf) {
- if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
-
- # We need to run Configure before we can include its result...
- $OPENSSL_PATH = $1;
-
- my $basedir = getcwd();
-
- chdir($OPENSSL_PATH) ||
- die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\"";
-
- # Configure UEFI
- system(
- "./Configure",
- "UEFI",
- "no-afalgeng",
- "no-asm",
- "no-async",
- "no-autoalginit",
- "no-autoerrinit",
- "no-bf",
- "no-blake2",
- "no-camellia",
- "no-capieng",
- "no-cast",
- "no-chacha",
- "no-cms",
- "no-ct",
- "no-deprecated",
- "no-dgram",
- "no-dsa",
- "no-dynamic-engine",
- "no-ec",
- "no-ec2m",
- "no-engine",
- "no-err",
- "no-filenames",
- "no-gost",
- "no-hw",
- "no-idea",
- "no-mdc2",
- "no-pic",
- "no-ocb",
- "no-poly1305",
- "no-posix-io",
- "no-rc2",
- "no-rfc3779",
- "no-rmd160",
- "no-scrypt",
- "no-seed",
- "no-sock",
- "no-srp",
- "no-ssl",
- "no-stdio",
- "no-threads",
- "no-ts",
- "no-ui",
- "no-whirlpool"
- ) == 0 ||
- die "OpenSSL Configure failed!\n";
-
- # Generate opensslconf.h per config data
- system(
- "perl -I. -Mconfigdata util/dofile.pl " .
- "include/openssl/opensslconf.h.in " .
- "> include/openssl/opensslconf.h"
- ) == 0 ||
- die "Failed to generate opensslconf.h!\n";
-
- chdir($basedir) ||
- die "Cannot change to base directory \"" . $basedir . "\"";
-
- push @INC, $1;
- last;
- }
- }
-}
-
-#
-# Retrieve file lists from OpenSSL configdata
-#
-use configdata qw/%unified_info/;
-
-my @cryptofilelist = ();
-my @sslfilelist = ();
-foreach my $product ((@{$unified_info{libraries}},
- @{$unified_info{engines}})) {
- foreach my $o (@{$unified_info{sources}->{$product}}) {
- foreach my $s (@{$unified_info{sources}->{$o}}) {
- next if ($unified_info{generate}->{$s});
- next if $s =~ "crypto/bio/b_print.c";
- if ($product =~ "libssl") {
- push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
- next;
- }
- push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
- }
- }
-}
-
-#
-# Update OpensslLib.inf with autogenerated file list
-#
-my @new_inf = ();
-my $subbing = 0;
-print "\n--> Updating OpensslLib.inf ... ";
-foreach (@inf) {
- if ( $_ =~ "# Autogenerated files list starts here" ) {
- push @new_inf, $_, @cryptofilelist, @sslfilelist;
- $subbing = 1;
- next;
- }
- if ( $_ =~ "# Autogenerated files list ends here" ) {
- push @new_inf, $_;
- $subbing = 0;
- next;
- }
-
- push @new_inf, $_
- unless ($subbing);
-}
-
-my $new_inf_file = $inf_file . ".new";
-open( FD, ">" . $new_inf_file ) ||
- die $new_inf_file;
-print( FD @new_inf ) ||
- die $new_inf_file;
-close(FD) ||
- die $new_inf_file;
-rename( $new_inf_file, $inf_file ) ||
- die "rename $inf_file";
-print "Done!";
-
-#
-# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
-#
-$inf_file = "OpensslLibCrypto.inf";
-
-# Read the contents of the inf file
-@inf = ();
-@new_inf = ();
-open( FD, "<" . $inf_file ) ||
- die "Cannot open \"" . $inf_file . "\"!";
-@inf = (<FD>);
-close(FD) ||
- die "Cannot close \"" . $inf_file . "\"!";
-
-$subbing = 0;
-print "\n--> Updating OpensslLibCrypto.inf ... ";
-foreach (@inf) {
- if ( $_ =~ "# Autogenerated files list starts here" ) {
- push @new_inf, $_, @cryptofilelist;
- $subbing = 1;
- next;
- }
- if ( $_ =~ "# Autogenerated files list ends here" ) {
- push @new_inf, $_;
- $subbing = 0;
- next;
- }
-
- push @new_inf, $_
- unless ($subbing);
-}
-
-$new_inf_file = $inf_file . ".new";
-open( FD, ">" . $new_inf_file ) ||
- die $new_inf_file;
-print( FD @new_inf ) ||
- die $new_inf_file;
-close(FD) ||
- die $new_inf_file;
-rename( $new_inf_file, $inf_file ) ||
- die "rename $inf_file";
-print "Done!";
-
-#
-# Copy opensslconf.h generated from OpenSSL Configuration
-#
-print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
-copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
- $OPENSSL_PATH . "/../../../Include/openssl/") ||
- die "Cannot copy opensslconf.h!";
-print "Done!\n";
-
-print "\nProcessing Files Done!\n";
-
-exit(0);
+#!/usr/bin/perl -w\r
+#\r
+# This script runs the OpenSSL Configure script, then processes the\r
+# resulting file list into our local OpensslLib[Crypto].inf and also\r
+# takes a copy of opensslconf.h.\r
+#\r
+# This only needs to be done once by a developer when updating to a\r
+# new version of OpenSSL (or changing options, etc.). Normal users\r
+# do not need to do this, since the results are stored in the EDK2\r
+# git repository for them.\r
+#\r
+use strict;\r
+use Cwd;\r
+use File::Copy;\r
+\r
+#\r
+# Find the openssl directory name for use lib. We have to do this\r
+# inside of BEGIN. The variables we create here, however, don't seem\r
+# to be available to the main script, so we have to repeat the\r
+# exercise.\r
+#\r
+my $inf_file;\r
+my $OPENSSL_PATH;\r
+my @inf;\r
+\r
+BEGIN {\r
+ $inf_file = "OpensslLib.inf";\r
+\r
+ # Read the contents of the inf file\r
+ open( FD, "<" . $inf_file ) ||\r
+ die "Cannot open \"" . $inf_file . "\"!";\r
+ @inf = (<FD>);\r
+ close(FD) ||\r
+ die "Cannot close \"" . $inf_file . "\"!";\r
+\r
+ foreach (@inf) {\r
+ if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {\r
+\r
+ # We need to run Configure before we can include its result...\r
+ $OPENSSL_PATH = $1;\r
+\r
+ my $basedir = getcwd();\r
+\r
+ chdir($OPENSSL_PATH) ||\r
+ die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\"";\r
+\r
+ # Configure UEFI\r
+ system(\r
+ "./Configure",\r
+ "UEFI",\r
+ "no-afalgeng",\r
+ "no-asm",\r
+ "no-async",\r
+ "no-autoalginit",\r
+ "no-autoerrinit",\r
+ "no-bf",\r
+ "no-blake2",\r
+ "no-camellia",\r
+ "no-capieng",\r
+ "no-cast",\r
+ "no-chacha",\r
+ "no-cms",\r
+ "no-ct",\r
+ "no-deprecated",\r
+ "no-dgram",\r
+ "no-dsa",\r
+ "no-dynamic-engine",\r
+ "no-ec",\r
+ "no-ec2m",\r
+ "no-engine",\r
+ "no-err",\r
+ "no-filenames",\r
+ "no-gost",\r
+ "no-hw",\r
+ "no-idea",\r
+ "no-mdc2",\r
+ "no-pic",\r
+ "no-ocb",\r
+ "no-poly1305",\r
+ "no-posix-io",\r
+ "no-rc2",\r
+ "no-rfc3779",\r
+ "no-rmd160",\r
+ "no-scrypt",\r
+ "no-seed",\r
+ "no-sock",\r
+ "no-srp",\r
+ "no-ssl",\r
+ "no-stdio",\r
+ "no-threads",\r
+ "no-ts",\r
+ "no-ui",\r
+ "no-whirlpool"\r
+ ) == 0 ||\r
+ die "OpenSSL Configure failed!\n";\r
+\r
+ # Generate opensslconf.h per config data\r
+ system(\r
+ "perl -I. -Mconfigdata util/dofile.pl " .\r
+ "include/openssl/opensslconf.h.in " .\r
+ "> include/openssl/opensslconf.h"\r
+ ) == 0 ||\r
+ die "Failed to generate opensslconf.h!\n";\r
+\r
+ chdir($basedir) ||\r
+ die "Cannot change to base directory \"" . $basedir . "\"";\r
+\r
+ push @INC, $1;\r
+ last;\r
+ }\r
+ }\r
+}\r
+\r
+#\r
+# Retrieve file lists from OpenSSL configdata\r
+#\r
+use configdata qw/%unified_info/;\r
+\r
+my @cryptofilelist = ();\r
+my @sslfilelist = ();\r
+foreach my $product ((@{$unified_info{libraries}},\r
+ @{$unified_info{engines}})) {\r
+ foreach my $o (@{$unified_info{sources}->{$product}}) {\r
+ foreach my $s (@{$unified_info{sources}->{$o}}) {\r
+ next if ($unified_info{generate}->{$s});\r
+ next if $s =~ "crypto/bio/b_print.c";\r
+ if ($product =~ "libssl") {\r
+ push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";\r
+ next;\r
+ }\r
+ push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";\r
+ }\r
+ }\r
+}\r
+\r
+#\r
+# Update OpensslLib.inf with autogenerated file list\r
+#\r
+my @new_inf = ();\r
+my $subbing = 0;\r
+print "\n--> Updating OpensslLib.inf ... ";\r
+foreach (@inf) {\r
+ if ( $_ =~ "# Autogenerated files list starts here" ) {\r
+ push @new_inf, $_, @cryptofilelist, @sslfilelist;\r
+ $subbing = 1;\r
+ next;\r
+ }\r
+ if ( $_ =~ "# Autogenerated files list ends here" ) {\r
+ push @new_inf, $_;\r
+ $subbing = 0;\r
+ next;\r
+ }\r
+\r
+ push @new_inf, $_\r
+ unless ($subbing);\r
+}\r
+\r
+my $new_inf_file = $inf_file . ".new";\r
+open( FD, ">" . $new_inf_file ) ||\r
+ die $new_inf_file;\r
+print( FD @new_inf ) ||\r
+ die $new_inf_file;\r
+close(FD) ||\r
+ die $new_inf_file;\r
+rename( $new_inf_file, $inf_file ) ||\r
+ die "rename $inf_file";\r
+print "Done!";\r
+\r
+#\r
+# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)\r
+#\r
+$inf_file = "OpensslLibCrypto.inf";\r
+\r
+# Read the contents of the inf file\r
+@inf = ();\r
+@new_inf = ();\r
+open( FD, "<" . $inf_file ) ||\r
+ die "Cannot open \"" . $inf_file . "\"!";\r
+@inf = (<FD>);\r
+close(FD) ||\r
+ die "Cannot close \"" . $inf_file . "\"!";\r
+\r
+$subbing = 0;\r
+print "\n--> Updating OpensslLibCrypto.inf ... ";\r
+foreach (@inf) {\r
+ if ( $_ =~ "# Autogenerated files list starts here" ) {\r
+ push @new_inf, $_, @cryptofilelist;\r
+ $subbing = 1;\r
+ next;\r
+ }\r
+ if ( $_ =~ "# Autogenerated files list ends here" ) {\r
+ push @new_inf, $_;\r
+ $subbing = 0;\r
+ next;\r
+ }\r
+\r
+ push @new_inf, $_\r
+ unless ($subbing);\r
+}\r
+\r
+$new_inf_file = $inf_file . ".new";\r
+open( FD, ">" . $new_inf_file ) ||\r
+ die $new_inf_file;\r
+print( FD @new_inf ) ||\r
+ die $new_inf_file;\r
+close(FD) ||\r
+ die $new_inf_file;\r
+rename( $new_inf_file, $inf_file ) ||\r
+ die "rename $inf_file";\r
+print "Done!";\r
+\r
+#\r
+# Copy opensslconf.h generated from OpenSSL Configuration\r
+#\r
+print "\n--> Duplicating opensslconf.h into Include/openssl ... ";\r
+copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",\r
+ $OPENSSL_PATH . "/../../../Include/openssl/") ||\r
+ die "Cannot copy opensslconf.h!";\r
+print "Done!\n";\r
+\r
+print "\nProcessing Files Done!\n";\r
+\r
+exit(0);\r
+\r
-/** @file
- Internal include file for TlsLib.
-
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __INTERNAL_TLS_LIB_H__
-#define __INTERNAL_TLS_LIB_H__
-
-#undef _WIN32
-#undef _WIN64
-
-#include <Library/BaseCryptLib.h>
-#include <openssl/ssl.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-
-typedef struct {
- //
- // Main SSL Connection which is created by a server or a client
- // per established connection.
- //
- SSL *Ssl;
- //
- // Memory BIO for the TLS/SSL Reading operations.
- //
- BIO *InBio;
- //
- // Memory BIO for the TLS/SSL Writing operations.
- //
- BIO *OutBio;
-} TLS_CONNECTION;
-
-#endif
+/** @file\r
+ Internal include file for TlsLib.\r
+\r
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution. The full text of the license may be found at\r
+http://opensource.org/licenses/bsd-license.php\r
+\r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#ifndef __INTERNAL_TLS_LIB_H__\r
+#define __INTERNAL_TLS_LIB_H__\r
+\r
+#undef _WIN32\r
+#undef _WIN64\r
+\r
+#include <Library/BaseCryptLib.h>\r
+#include <openssl/ssl.h>\r
+#include <openssl/bio.h>\r
+#include <openssl/err.h>\r
+\r
+typedef struct {\r
+ //\r
+ // Main SSL Connection which is created by a server or a client\r
+ // per established connection.\r
+ //\r
+ SSL *Ssl;\r
+ //\r
+ // Memory BIO for the TLS/SSL Reading operations.\r
+ //\r
+ BIO *InBio;\r
+ //\r
+ // Memory BIO for the TLS/SSL Writing operations.\r
+ //\r
+ BIO *OutBio;\r
+} TLS_CONNECTION;\r
+\r
+#endif\r
+\r
-/** @file
- SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalTlsLib.h"
-
-typedef struct {
- //
- // IANA/IETF defined Cipher Suite ID
- //
- UINT16 IanaCipher;
- //
- // OpenSSL-used Cipher Suite String
- //
- CONST CHAR8 *OpensslCipher;
-} TLS_CIPHER_PAIR;
-
-//
-// The mapping table between IANA/IETF Cipher Suite definitions and
-// OpenSSL-used Cipher Suite name.
-//
-STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
- { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
- { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
- { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
- { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
- { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
- { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
- { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
- { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
- { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
- { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
- { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
- { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
- { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256
- { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256
- { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
- { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
- { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
- { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
- { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-};
-
-/**
- Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
-
- @param[in] CipherId The supplied IANA TLS cipher suite ID.
-
- @return The corresponding OpenSSL cipher suite string if found,
- NULL otherwise.
-
-**/
-STATIC
-CONST CHAR8 *
-TlsGetCipherString (
- IN UINT16 CipherId
- )
-{
- CONST TLS_CIPHER_PAIR *CipherEntry;
- UINTN TableSize;
- UINTN Index;
-
- CipherEntry = TlsCipherMappingTable;
- TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
-
- //
- // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
- //
- for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
- //
- // Translate IANA cipher suite name to OpenSSL name.
- //
- if (CipherEntry->IanaCipher == CipherId) {
- return CipherEntry->OpensslCipher;
- }
- }
-
- //
- // No Cipher Mapping found, return NULL.
- //
- return NULL;
-}
-
-/**
- Set a new TLS/SSL method for a particular TLS object.
-
- This function sets a new TLS/SSL method for a particular TLS object.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] MajorVer Major Version of TLS/SSL Protocol.
- @param[in] MinorVer Minor Version of TLS/SSL Protocol.
-
- @retval EFI_SUCCESS The TLS/SSL method was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetVersion (
- IN VOID *Tls,
- IN UINT8 MajorVer,
- IN UINT8 MinorVer
- )
-{
- TLS_CONNECTION *TlsConn;
- UINT16 ProtoVersion;
-
- TlsConn = (TLS_CONNECTION *)Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- ProtoVersion = (MajorVer << 8) | MinorVer;
-
- //
- // Bound TLS method to the particular specified version.
- //
- switch (ProtoVersion) {
- case TLS1_VERSION:
- //
- // TLS 1.0
- //
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
- break;
- case TLS1_1_VERSION:
- //
- // TLS 1.1
- //
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
- break;
- case TLS1_2_VERSION:
- //
- // TLS 1.2
- //
- SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
- SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
- break;
- default:
- //
- // Unsupported Protocol Version
- //
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;;
-}
-
-/**
- Set TLS object to work in client or server mode.
-
- This function prepares a TLS object to work in client or server mode.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] IsServer Work in server mode.
-
- @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetConnectionEnd (
- IN VOID *Tls,
- IN BOOLEAN IsServer
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (!IsServer) {
- //
- // Set TLS to work in Client mode.
- //
- SSL_set_connect_state (TlsConn->Ssl);
- } else {
- //
- // Set TLS to work in Server mode.
- // It is unsupported for UEFI version currently.
- //
- //SSL_set_accept_state (TlsConn->Ssl);
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Set the ciphers list to be used by the TLS object.
-
- This function sets the ciphers for use by a specified TLS object.
-
- @param[in] Tls Pointer to a TLS object.
- @param[in] CipherId Pointer to a UINT16 cipher Id.
- @param[in] CipherNum The number of cipher in the list.
-
- @retval EFI_SUCCESS The ciphers list was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCipherList (
- IN VOID *Tls,
- IN UINT16 *CipherId,
- IN UINTN CipherNum
- )
-{
- TLS_CONNECTION *TlsConn;
- UINTN Index;
- CONST CHAR8 *MappingName;
- CHAR8 CipherString[500];
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- MappingName = NULL;
-
- memset (CipherString, 0, sizeof (CipherString));
-
- for (Index = 0; Index < CipherNum; Index++) {
- //
- // Handling OpenSSL / RFC Cipher name mapping.
- //
- MappingName = TlsGetCipherString (*(CipherId + Index));
- if (MappingName == NULL) {
- return EFI_UNSUPPORTED;
- }
-
- if (Index != 0) {
- //
- // The ciphers were separated by a colon.
- //
- AsciiStrCatS (CipherString, sizeof (CipherString), ":");
- }
-
- AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
- }
-
- AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
-
- //
- // Sets the ciphers for use by the Tls object.
- //
- if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Set the compression method for TLS/SSL operations.
-
- This function handles TLS/SSL integrated compression methods.
-
- @param[in] CompMethod The compression method ID.
-
- @retval EFI_SUCCESS The compression method for the communication was
- set successfully.
- @retval EFI_UNSUPPORTED Unsupported compression method.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCompressionMethod (
- IN UINT8 CompMethod
- )
-{
- COMP_METHOD *Cm;
- INTN Ret;
-
- Cm = NULL;
- Ret = 0;
-
- if (CompMethod == 0) {
- //
- // TLS defines one standard compression method, CompressionMethod.null (0),
- // which specifies that data exchanged via the record protocol will not be compressed.
- // So, return EFI_SUCCESS directly (RFC 3749).
- //
- return EFI_SUCCESS;
- } else if (CompMethod == 1) {
- Cm = COMP_zlib();
- } else {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Adds the compression method to the list of available
- // compression methods.
- //
- Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
- if (Ret != 0) {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Set peer certificate verification mode for the TLS connection.
-
- This function sets the verification mode flags for the TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] VerifyMode A set of logically or'ed verification mode flags.
-
-**/
-VOID
-EFIAPI
-TlsSetVerify (
- IN VOID *Tls,
- IN UINT32 VerifyMode
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return;
- }
-
- //
- // Set peer certificate verification parameters with NULL callback.
- //
- SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
-}
-
-/**
- Sets a TLS/SSL session ID to be used during TLS/SSL connect.
-
- This function sets a session ID to be used when the TLS/SSL connection is
- to be established.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] SessionId Session ID data used for session resumption.
- @param[in] SessionIdLen Length of Session ID in bytes.
-
- @retval EFI_SUCCESS Session ID was set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED No available session for ID setting.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetSessionId (
- IN VOID *Tls,
- IN UINT8 *SessionId,
- IN UINT16 SessionIdLen
- )
-{
- TLS_CONNECTION *TlsConn;
- SSL_SESSION *Session;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- Session = NULL;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Session = SSL_get_session (TlsConn->Ssl);
- if (Session == NULL) {
- return EFI_UNSUPPORTED;
- }
-
- SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
-
- return EFI_SUCCESS;
-}
-
-/**
- Adds the CA to the cert store when requesting Server or Client authentication.
-
- This function adds the CA certificate to the list of CAs when requesting
- Server or Client authentication for the chosen TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a DER-encoded binary
- X.509 certificate or PEM-encoded X.509 certificate.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
- @retval EFI_ABORTED Invalid X.509 certificate.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCaCertificate (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- )
-{
- BIO *BioCert;
- X509 *Cert;
- X509_STORE *X509Store;
- EFI_STATUS Status;
- TLS_CONNECTION *TlsConn;
- SSL_CTX *SslCtx;
- INTN Ret;
- UINTN ErrorCode;
-
- BioCert = NULL;
- Cert = NULL;
- X509Store = NULL;
- Status = EFI_SUCCESS;
- TlsConn = (TLS_CONNECTION *) Tls;
- Ret = 0;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
- // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
- //
- Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
- if (Cert == NULL) {
- //
- // Certificate is from PEM encoding.
- //
- BioCert = BIO_new (BIO_s_mem ());
- if (BioCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
- Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
- if (Cert == NULL) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
- }
-
- SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
- X509Store = SSL_CTX_get_cert_store (SslCtx);
- if (X509Store == NULL) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
- //
- // Add certificate to X509 store
- //
- Ret = X509_STORE_add_cert (X509Store, Cert);
- if (Ret != 1) {
- ErrorCode = ERR_peek_last_error ();
- //
- // Ignore "already in table" errors
- //
- if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
- ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
- }
-
-ON_EXIT:
- if (BioCert != NULL) {
- BIO_free (BioCert);
- }
-
- if (Cert != NULL) {
- X509_free (Cert);
- }
-
- return Status;
-}
-
-/**
- Loads the local public certificate into the specified TLS object.
-
- This function loads the X.509 certificate into the specified TLS object
- for TLS negotiation.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a DER-encoded binary
- X.509 certificate or PEM-encoded X.509 certificate.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
- @retval EFI_ABORTED Invalid X.509 certificate.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetHostPublicCert (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- )
-{
- BIO *BioCert;
- X509 *Cert;
- EFI_STATUS Status;
- TLS_CONNECTION *TlsConn;
-
- BioCert = NULL;
- Cert = NULL;
- Status = EFI_SUCCESS;
- TlsConn = (TLS_CONNECTION *) Tls;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
- // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
- //
- Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
- if (Cert == NULL) {
- //
- // Certificate is from PEM encoding.
- //
- BioCert = BIO_new (BIO_s_mem ());
- if (BioCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
- Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
- if (Cert == NULL) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
- }
-
- if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (BioCert != NULL) {
- BIO_free (BioCert);
- }
-
- if (Cert != NULL) {
- X509_free (Cert);
- }
-
- return Status;
-}
-
-/**
- Adds the local private key to the specified TLS object.
-
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private
- key) into the specified TLS object for TLS negotiation.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
- or PKCS#8 private key.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_ABORTED Invalid private key data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetHostPrivateKey (
- IN VOID *Tls,
- IN VOID *Data,
- IN UINTN DataSize
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Adds the CA-supplied certificate revocation list for certificate validation.
-
- This function adds the CA-supplied certificate revocation list data for
- certificate validity checking.
-
- @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
- @param[in] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_ABORTED Invalid CRL data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsSetCertRevocationList (
- IN VOID *Data,
- IN UINTN DataSize
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Gets the protocol version used by the specified TLS connection.
-
- This function returns the protocol version used by the specified TLS
- connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The protocol version of the specified TLS connection.
-
-**/
-UINT16
-EFIAPI
-TlsGetVersion (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
-
- ASSERT (TlsConn != NULL);
-
- return (UINT16)(SSL_version (TlsConn->Ssl));
-}
-
-/**
- Gets the connection end of the specified TLS connection.
-
- This function returns the connection end (as client or as server) used by
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The connection end used by the specified TLS connection.
-
-**/
-UINT8
-EFIAPI
-TlsGetConnectionEnd (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
-
- ASSERT (TlsConn != NULL);
-
- return (UINT8)SSL_is_server (TlsConn->Ssl);
-}
-
-/**
- Gets the cipher suite used by the specified TLS connection.
-
- This function returns current cipher suite used by the specified
- TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] CipherId The cipher suite used by the TLS object.
-
- @retval EFI_SUCCESS The cipher suite was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported cipher suite.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCurrentCipher (
- IN VOID *Tls,
- IN OUT UINT16 *CipherId
- )
-{
- TLS_CONNECTION *TlsConn;
- CONST SSL_CIPHER *Cipher;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- Cipher = NULL;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Cipher = SSL_get_current_cipher (TlsConn->Ssl);
- if (Cipher == NULL) {
- return EFI_UNSUPPORTED;
- }
-
- *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
-
- return EFI_SUCCESS;
-}
-
-/**
- Gets the compression methods used by the specified TLS connection.
-
- This function returns current integrated compression methods used by
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] CompressionId The current compression method used by
- the TLS object.
-
- @retval EFI_SUCCESS The compression method was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_ABORTED Invalid Compression method.
- @retval EFI_UNSUPPORTED This function is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCurrentCompressionId (
- IN VOID *Tls,
- IN OUT UINT8 *CompressionId
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Gets the verification mode currently set in the TLS connection.
-
- This function returns the peer verification mode currently set in the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
-
- @return The verification mode set in the specified TLS connection.
-
-**/
-UINT32
-EFIAPI
-TlsGetVerify (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
-
- ASSERT (TlsConn != NULL);
-
- return SSL_get_verify_mode (TlsConn->Ssl);
-}
-
-/**
- Gets the session ID used by the specified TLS connection.
-
- This function returns the TLS/SSL session ID currently used by the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] SessionId Buffer to contain the returned session ID.
- @param[in,out] SessionIdLen The length of Session ID in bytes.
-
- @retval EFI_SUCCESS The Session ID was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetSessionId (
- IN VOID *Tls,
- IN OUT UINT8 *SessionId,
- IN OUT UINT16 *SessionIdLen
- )
-{
- TLS_CONNECTION *TlsConn;
- SSL_SESSION *Session;
- CONST UINT8 *SslSessionId;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- Session = NULL;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Session = SSL_get_session (TlsConn->Ssl);
- if (Session == NULL) {
- return EFI_UNSUPPORTED;
- }
-
- SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
- CopyMem (SessionId, SslSessionId, *SessionIdLen);
-
- return EFI_SUCCESS;
-}
-
-/**
- Gets the client random data used in the specified TLS connection.
-
- This function returns the TLS/SSL client random data currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] ClientRandom Buffer to contain the returned client
- random data (32 bytes).
-
-**/
-VOID
-EFIAPI
-TlsGetClientRandom (
- IN VOID *Tls,
- IN OUT UINT8 *ClientRandom
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
- return;
- }
-
- SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
-}
-
-/**
- Gets the server random data used in the specified TLS connection.
-
- This function returns the TLS/SSL server random data currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] ServerRandom Buffer to contain the returned server
- random data (32 bytes).
-
-**/
-VOID
-EFIAPI
-TlsGetServerRandom (
- IN VOID *Tls,
- IN OUT UINT8 *ServerRandom
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
- return;
- }
-
- SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
-}
-
-/**
- Gets the master key data used in the specified TLS connection.
-
- This function returns the TLS/SSL master key material currently used in
- the specified TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] KeyMaterial Buffer to contain the returned key material.
-
- @retval EFI_SUCCESS Key material was returned successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetKeyMaterial (
- IN VOID *Tls,
- IN OUT UINT8 *KeyMaterial
- )
-{
- TLS_CONNECTION *TlsConn;
- SSL_SESSION *Session;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- Session = NULL;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Session = SSL_get_session (TlsConn->Ssl);
-
- if (Session == NULL) {
- return EFI_UNSUPPORTED;
- }
-
- SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
-
- return EFI_SUCCESS;
-}
-
-/**
- Gets the CA Certificate from the cert store.
-
- This function returns the CA certificate for the chosen
- TLS connection.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the CA
- certificate data sent to the client.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCaCertificate (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Gets the local public Certificate set in the specified TLS object.
-
- This function returns the local public certificate which was currently set
- in the specified TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the local
- public certificate.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_NOT_FOUND The certificate is not found.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetHostPublicCert (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- )
-{
- X509 *Cert;
- TLS_CONNECTION *TlsConn;
-
- Cert = NULL;
- TlsConn = (TLS_CONNECTION *) Tls;
-
- if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Cert = SSL_get_certificate(TlsConn->Ssl);
- if (Cert == NULL) {
- return EFI_NOT_FOUND;
- }
-
- //
- // Only DER encoding is supported currently.
- //
- if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
- *DataSize = (UINTN) i2d_X509 (Cert, NULL);
- return EFI_BUFFER_TOO_SMALL;
- }
-
- *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
-
- return EFI_SUCCESS;
-}
-
-/**
- Gets the local private key set in the specified TLS object.
-
- This function returns the local private key data which was currently set
- in the specified TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[out] Data Pointer to the data buffer to receive the local
- private key data.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetHostPrivateKey (
- IN VOID *Tls,
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Gets the CA-supplied certificate revocation list data set in the specified
- TLS object.
-
- This function returns the CA-supplied certificate revocation list data which
- was currently set in the specified TLS object.
-
- @param[out] Data Pointer to the data buffer to receive the CRL data.
- @param[in,out] DataSize The size of data buffer in bytes.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval EFI_UNSUPPORTED This function is not supported.
- @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsGetCertRevocationList (
- OUT VOID *Data,
- IN OUT UINTN *DataSize
- )
-{
- return EFI_UNSUPPORTED;
-}
+/** @file\r
+ SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.\r
+\r
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution. The full text of the license may be found at\r
+http://opensource.org/licenses/bsd-license.php\r
+\r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#include "InternalTlsLib.h"\r
+\r
+typedef struct {\r
+ //\r
+ // IANA/IETF defined Cipher Suite ID\r
+ //\r
+ UINT16 IanaCipher;\r
+ //\r
+ // OpenSSL-used Cipher Suite String\r
+ //\r
+ CONST CHAR8 *OpensslCipher;\r
+} TLS_CIPHER_PAIR;\r
+\r
+//\r
+// The mapping table between IANA/IETF Cipher Suite definitions and\r
+// OpenSSL-used Cipher Suite name.\r
+//\r
+STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {\r
+ { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5\r
+ { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA\r
+ { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5\r
+ { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA\r
+ { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1\r
+ { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r
+ { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2\r
+ { 0x0030, "DH-DSS-AES128-SHA" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA\r
+ { 0x0031, "DH-RSA-AES128-SHA" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA\r
+ { 0x0033, "DHE-RSA-AES128-SHA" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r
+ { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA\r
+ { 0x0036, "DH-DSS-AES256-SHA" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA\r
+ { 0x0037, "DH-RSA-AES256-SHA" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA\r
+ { 0x0039, "DHE-RSA-AES256-SHA" }, /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r
+ { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256\r
+ { 0x003C, "AES128-SHA256" }, /// TLS_RSA_WITH_AES_128_CBC_SHA256\r
+ { 0x003D, "AES256-SHA256" }, /// TLS_RSA_WITH_AES_256_CBC_SHA256\r
+ { 0x003E, "DH-DSS-AES128-SHA256" }, /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256\r
+ { 0x003F, "DH-RSA-AES128-SHA256" }, /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256\r
+ { 0x0067, "DHE-RSA-AES128-SHA256" }, /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\r
+ { 0x0068, "DH-DSS-AES256-SHA256" }, /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256\r
+ { 0x0069, "DH-RSA-AES256-SHA256" }, /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256\r
+ { 0x006B, "DHE-RSA-AES256-SHA256" } /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\r
+};\r
+\r
+/**\r
+ Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.\r
+\r
+ @param[in] CipherId The supplied IANA TLS cipher suite ID.\r
+\r
+ @return The corresponding OpenSSL cipher suite string if found,\r
+ NULL otherwise.\r
+\r
+**/\r
+STATIC\r
+CONST CHAR8 *\r
+TlsGetCipherString (\r
+ IN UINT16 CipherId\r
+ )\r
+{\r
+ CONST TLS_CIPHER_PAIR *CipherEntry;\r
+ UINTN TableSize;\r
+ UINTN Index;\r
+\r
+ CipherEntry = TlsCipherMappingTable;\r
+ TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);\r
+\r
+ //\r
+ // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation\r
+ //\r
+ for (Index = 0; Index < TableSize; Index++, CipherEntry++) {\r
+ //\r
+ // Translate IANA cipher suite name to OpenSSL name.\r
+ //\r
+ if (CipherEntry->IanaCipher == CipherId) {\r
+ return CipherEntry->OpensslCipher;\r
+ }\r
+ }\r
+\r
+ //\r
+ // No Cipher Mapping found, return NULL.\r
+ //\r
+ return NULL;\r
+}\r
+\r
+/**\r
+ Set a new TLS/SSL method for a particular TLS object.\r
+\r
+ This function sets a new TLS/SSL method for a particular TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
+\r
+ @retval EFI_SUCCESS The TLS/SSL method was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetVersion (\r
+ IN VOID *Tls,\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINT16 ProtoVersion;\r
+\r
+ TlsConn = (TLS_CONNECTION *)Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ ProtoVersion = (MajorVer << 8) | MinorVer;\r
+\r
+ //\r
+ // Bound TLS method to the particular specified version.\r
+ //\r
+ switch (ProtoVersion) {\r
+ case TLS1_VERSION:\r
+ //\r
+ // TLS 1.0\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);\r
+ break;\r
+ case TLS1_1_VERSION:\r
+ //\r
+ // TLS 1.1\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);\r
+ break;\r
+ case TLS1_2_VERSION:\r
+ //\r
+ // TLS 1.2\r
+ //\r
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);\r
+ break;\r
+ default:\r
+ //\r
+ // Unsupported Protocol Version\r
+ //\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;;\r
+}\r
+\r
+/**\r
+ Set TLS object to work in client or server mode.\r
+\r
+ This function prepares a TLS object to work in client or server mode.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] IsServer Work in server mode.\r
+\r
+ @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetConnectionEnd (\r
+ IN VOID *Tls,\r
+ IN BOOLEAN IsServer\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (!IsServer) {\r
+ //\r
+ // Set TLS to work in Client mode.\r
+ //\r
+ SSL_set_connect_state (TlsConn->Ssl);\r
+ } else {\r
+ //\r
+ // Set TLS to work in Server mode.\r
+ // It is unsupported for UEFI version currently.\r
+ //\r
+ //SSL_set_accept_state (TlsConn->Ssl);\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Set the ciphers list to be used by the TLS object.\r
+\r
+ This function sets the ciphers for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] CipherId Pointer to a UINT16 cipher Id.\r
+ @param[in] CipherNum The number of cipher in the list.\r
+\r
+ @retval EFI_SUCCESS The ciphers list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCipherList (\r
+ IN VOID *Tls,\r
+ IN UINT16 *CipherId,\r
+ IN UINTN CipherNum\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINTN Index;\r
+ CONST CHAR8 *MappingName;\r
+ CHAR8 CipherString[500];\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ MappingName = NULL;\r
+\r
+ memset (CipherString, 0, sizeof (CipherString));\r
+\r
+ for (Index = 0; Index < CipherNum; Index++) {\r
+ //\r
+ // Handling OpenSSL / RFC Cipher name mapping.\r
+ //\r
+ MappingName = TlsGetCipherString (*(CipherId + Index));\r
+ if (MappingName == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ if (Index != 0) {\r
+ //\r
+ // The ciphers were separated by a colon.\r
+ //\r
+ AsciiStrCatS (CipherString, sizeof (CipherString), ":");\r
+ }\r
+\r
+ AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);\r
+ }\r
+\r
+ AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");\r
+\r
+ //\r
+ // Sets the ciphers for use by the Tls object.\r
+ //\r
+ if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Set the compression method for TLS/SSL operations.\r
+\r
+ This function handles TLS/SSL integrated compression methods.\r
+\r
+ @param[in] CompMethod The compression method ID.\r
+\r
+ @retval EFI_SUCCESS The compression method for the communication was\r
+ set successfully.\r
+ @retval EFI_UNSUPPORTED Unsupported compression method.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCompressionMethod (\r
+ IN UINT8 CompMethod\r
+ )\r
+{\r
+ COMP_METHOD *Cm;\r
+ INTN Ret;\r
+\r
+ Cm = NULL;\r
+ Ret = 0;\r
+\r
+ if (CompMethod == 0) {\r
+ //\r
+ // TLS defines one standard compression method, CompressionMethod.null (0),\r
+ // which specifies that data exchanged via the record protocol will not be compressed.\r
+ // So, return EFI_SUCCESS directly (RFC 3749).\r
+ //\r
+ return EFI_SUCCESS;\r
+ } else if (CompMethod == 1) {\r
+ Cm = COMP_zlib();\r
+ } else {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // Adds the compression method to the list of available\r
+ // compression methods.\r
+ //\r
+ Ret = SSL_COMP_add_compression_method (CompMethod, Cm);\r
+ if (Ret != 0) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Set peer certificate verification mode for the TLS connection.\r
+\r
+ This function sets the verification mode flags for the TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] VerifyMode A set of logically or'ed verification mode flags.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsSetVerify (\r
+ IN VOID *Tls,\r
+ IN UINT32 VerifyMode\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return;\r
+ }\r
+\r
+ //\r
+ // Set peer certificate verification parameters with NULL callback.\r
+ //\r
+ SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);\r
+}\r
+\r
+/**\r
+ Sets a TLS/SSL session ID to be used during TLS/SSL connect.\r
+\r
+ This function sets a session ID to be used when the TLS/SSL connection is\r
+ to be established.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] SessionId Session ID data used for session resumption.\r
+ @param[in] SessionIdLen Length of Session ID in bytes.\r
+\r
+ @retval EFI_SUCCESS Session ID was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED No available session for ID setting.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetSessionId (\r
+ IN VOID *Tls,\r
+ IN UINT8 *SessionId,\r
+ IN UINT16 SessionIdLen\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_SESSION *Session;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ Session = NULL;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Session = SSL_get_session (TlsConn->Ssl);\r
+ if (Session == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Adds the CA to the cert store when requesting Server or Client authentication.\r
+\r
+ This function adds the CA certificate to the list of CAs when requesting\r
+ Server or Client authentication for the chosen TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
+ X.509 certificate or PEM-encoded X.509 certificate.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
+ @retval EFI_ABORTED Invalid X.509 certificate.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCaCertificate (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ BIO *BioCert;\r
+ X509 *Cert;\r
+ X509_STORE *X509Store;\r
+ EFI_STATUS Status;\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_CTX *SslCtx;\r
+ INTN Ret;\r
+ UINTN ErrorCode;\r
+\r
+ BioCert = NULL;\r
+ Cert = NULL;\r
+ X509Store = NULL;\r
+ Status = EFI_SUCCESS;\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ Ret = 0;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
+ //\r
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
+ if (Cert == NULL) {\r
+ //\r
+ // Certificate is from PEM encoding.\r
+ //\r
+ BioCert = BIO_new (BIO_s_mem ());\r
+ if (BioCert == NULL) {\r
+ Status = EFI_OUT_OF_RESOURCES;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
+ if (Cert == NULL) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
+\r
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
+ X509Store = SSL_CTX_get_cert_store (SslCtx);\r
+ if (X509Store == NULL) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ //\r
+ // Add certificate to X509 store\r
+ //\r
+ Ret = X509_STORE_add_cert (X509Store, Cert);\r
+ if (Ret != 1) {\r
+ ErrorCode = ERR_peek_last_error ();\r
+ //\r
+ // Ignore "already in table" errors\r
+ //\r
+ if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&\r
+ ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
+\r
+ON_EXIT:\r
+ if (BioCert != NULL) {\r
+ BIO_free (BioCert);\r
+ }\r
+\r
+ if (Cert != NULL) {\r
+ X509_free (Cert);\r
+ }\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Loads the local public certificate into the specified TLS object.\r
+\r
+ This function loads the X.509 certificate into the specified TLS object\r
+ for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary\r
+ X.509 certificate or PEM-encoded X.509 certificate.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.\r
+ @retval EFI_ABORTED Invalid X.509 certificate.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPublicCert (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ BIO *BioCert;\r
+ X509 *Cert;\r
+ EFI_STATUS Status;\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ BioCert = NULL;\r
+ Cert = NULL;\r
+ Status = EFI_SUCCESS;\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.\r
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.\r
+ //\r
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);\r
+ if (Cert == NULL) {\r
+ //\r
+ // Certificate is from PEM encoding.\r
+ //\r
+ BioCert = BIO_new (BIO_s_mem ());\r
+ if (BioCert == NULL) {\r
+ Status = EFI_OUT_OF_RESOURCES;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);\r
+ if (Cert == NULL) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
+\r
+ if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {\r
+ Status = EFI_ABORTED;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ON_EXIT:\r
+ if (BioCert != NULL) {\r
+ BIO_free (BioCert);\r
+ }\r
+\r
+ if (Cert != NULL) {\r
+ X509_free (Cert);\r
+ }\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPrivateKey (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+ Adds the CA-supplied certificate revocation list for certificate validation.\r
+\r
+ This function adds the CA-supplied certificate revocation list data for\r
+ certificate validity checking.\r
+\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid CRL data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetCertRevocationList (\r
+ IN VOID *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+ Gets the protocol version used by the specified TLS connection.\r
+\r
+ This function returns the protocol version used by the specified TLS\r
+ connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The protocol version of the specified TLS connection.\r
+\r
+**/\r
+UINT16\r
+EFIAPI\r
+TlsGetVersion (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ ASSERT (TlsConn != NULL);\r
+\r
+ return (UINT16)(SSL_version (TlsConn->Ssl));\r
+}\r
+\r
+/**\r
+ Gets the connection end of the specified TLS connection.\r
+\r
+ This function returns the connection end (as client or as server) used by\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The connection end used by the specified TLS connection.\r
+\r
+**/\r
+UINT8\r
+EFIAPI\r
+TlsGetConnectionEnd (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ ASSERT (TlsConn != NULL);\r
+\r
+ return (UINT8)SSL_is_server (TlsConn->Ssl);\r
+}\r
+\r
+/**\r
+ Gets the cipher suite used by the specified TLS connection.\r
+\r
+ This function returns current cipher suite used by the specified\r
+ TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] CipherId The cipher suite used by the TLS object.\r
+\r
+ @retval EFI_SUCCESS The cipher suite was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported cipher suite.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCurrentCipher (\r
+ IN VOID *Tls,\r
+ IN OUT UINT16 *CipherId\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ CONST SSL_CIPHER *Cipher;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ Cipher = NULL;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Cipher = SSL_get_current_cipher (TlsConn->Ssl);\r
+ if (Cipher == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Gets the compression methods used by the specified TLS connection.\r
+\r
+ This function returns current integrated compression methods used by\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] CompressionId The current compression method used by\r
+ the TLS object.\r
+\r
+ @retval EFI_SUCCESS The compression method was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_ABORTED Invalid Compression method.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCurrentCompressionId (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *CompressionId\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+ Gets the verification mode currently set in the TLS connection.\r
+\r
+ This function returns the peer verification mode currently set in the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+\r
+ @return The verification mode set in the specified TLS connection.\r
+\r
+**/\r
+UINT32\r
+EFIAPI\r
+TlsGetVerify (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ ASSERT (TlsConn != NULL);\r
+\r
+ return SSL_get_verify_mode (TlsConn->Ssl);\r
+}\r
+\r
+/**\r
+ Gets the session ID used by the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL session ID currently used by the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] SessionId Buffer to contain the returned session ID.\r
+ @param[in,out] SessionIdLen The length of Session ID in bytes.\r
+\r
+ @retval EFI_SUCCESS The Session ID was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetSessionId (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *SessionId,\r
+ IN OUT UINT16 *SessionIdLen\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_SESSION *Session;\r
+ CONST UINT8 *SslSessionId;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ Session = NULL;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Session = SSL_get_session (TlsConn->Ssl);\r
+ if (Session == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);\r
+ CopyMem (SessionId, SslSessionId, *SessionIdLen);\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Gets the client random data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL client random data currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] ClientRandom Buffer to contain the returned client\r
+ random data (32 bytes).\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsGetClientRandom (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ClientRandom\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {\r
+ return;\r
+ }\r
+\r
+ SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);\r
+}\r
+\r
+/**\r
+ Gets the server random data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL server random data currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] ServerRandom Buffer to contain the returned server\r
+ random data (32 bytes).\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsGetServerRandom (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *ServerRandom\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {\r
+ return;\r
+ }\r
+\r
+ SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);\r
+}\r
+\r
+/**\r
+ Gets the master key data used in the specified TLS connection.\r
+\r
+ This function returns the TLS/SSL master key material currently used in\r
+ the specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] KeyMaterial Buffer to contain the returned key material.\r
+\r
+ @retval EFI_SUCCESS Key material was returned successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetKeyMaterial (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *KeyMaterial\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_SESSION *Session;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ Session = NULL;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Session = SSL_get_session (TlsConn->Ssl);\r
+\r
+ if (Session == NULL) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Gets the CA Certificate from the cert store.\r
+\r
+ This function returns the CA certificate for the chosen\r
+ TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the CA\r
+ certificate data sent to the client.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCaCertificate (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+ Gets the local public Certificate set in the specified TLS object.\r
+\r
+ This function returns the local public certificate which was currently set\r
+ in the specified TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the local\r
+ public certificate.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_NOT_FOUND The certificate is not found.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetHostPublicCert (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ )\r
+{\r
+ X509 *Cert;\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ Cert = NULL;\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Cert = SSL_get_certificate(TlsConn->Ssl);\r
+ if (Cert == NULL) {\r
+ return EFI_NOT_FOUND;\r
+ }\r
+\r
+ //\r
+ // Only DER encoding is supported currently.\r
+ //\r
+ if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {\r
+ *DataSize = (UINTN) i2d_X509 (Cert, NULL);\r
+ return EFI_BUFFER_TOO_SMALL;\r
+ }\r
+\r
+ *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Gets the local private key set in the specified TLS object.\r
+\r
+ This function returns the local private key data which was currently set\r
+ in the specified TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[out] Data Pointer to the data buffer to receive the local\r
+ private key data.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetHostPrivateKey (\r
+ IN VOID *Tls,\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+ Gets the CA-supplied certificate revocation list data set in the specified\r
+ TLS object.\r
+\r
+ This function returns the CA-supplied certificate revocation list data which\r
+ was currently set in the specified TLS object.\r
+\r
+ @param[out] Data Pointer to the data buffer to receive the CRL data.\r
+ @param[in,out] DataSize The size of data buffer in bytes.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetCertRevocationList (\r
+ OUT VOID *Data,\r
+ IN OUT UINTN *DataSize\r
+ )\r
+{\r
+ return EFI_UNSUPPORTED;\r
+}\r
+\r
-/** @file
- SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalTlsLib.h"
-
-/**
- Initializes the OpenSSL library.
-
- This function registers ciphers and digests used directly and indirectly
- by SSL/TLS, and initializes the readable error messages.
- This function must be called before any other action takes places.
-
-**/
-VOID
-EFIAPI
-TlsInitialize (
- VOID
- )
-{
- //
- // Performs initialization of crypto and ssl library, and loads required
- // algorithms.
- //
- OPENSSL_init_ssl (
- OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
- NULL
- );
-
- //
- // Initialize the pseudorandom number generator.
- //
- RandomSeed (NULL, 0);
-}
-
-/**
- Free an allocated SSL_CTX object.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
-
-**/
-VOID
-EFIAPI
-TlsCtxFree (
- IN VOID *TlsCtx
- )
-{
- if (TlsCtx == NULL) {
- return;
- }
-
- if (TlsCtx != NULL) {
- SSL_CTX_free ((SSL_CTX *) (TlsCtx));
- }
-}
-
-/**
- Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
- connections.
-
- @param[in] MajorVer Major Version of TLS/SSL Protocol.
- @param[in] MinorVer Minor Version of TLS/SSL Protocol.
-
- @return Pointer to an allocated SSL_CTX object.
- If the creation failed, TlsCtxNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsCtxNew (
- IN UINT8 MajorVer,
- IN UINT8 MinorVer
- )
-{
- SSL_CTX *TlsCtx;
- UINT16 ProtoVersion;
-
- ProtoVersion = (MajorVer << 8) | MinorVer;
-
- TlsCtx = SSL_CTX_new (SSLv23_client_method ());
- if (TlsCtx == NULL) {
- return NULL;
- }
-
- //
- // Ensure SSLv3 is disabled
- //
- SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
-
- //
- // Treat as minimum accepted versions by setting the minimal bound.
- // Client can use higher TLS version if server supports it
- //
- SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
-
- return (VOID *) TlsCtx;
-}
-
-/**
- Free an allocated TLS object.
-
- This function removes the TLS object pointed to by Tls and frees up the
- allocated memory. If Tls is NULL, nothing is done.
-
- @param[in] Tls Pointer to the TLS object to be freed.
-
-**/
-VOID
-EFIAPI
-TlsFree (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL) {
- return;
- }
-
- //
- // Free the internal TLS and BIO objects.
- //
- if (TlsConn->Ssl != NULL) {
- SSL_free (TlsConn->Ssl);
- }
-
- if (TlsConn->InBio != NULL) {
- BIO_free (TlsConn->InBio);
- }
-
- if (TlsConn->OutBio != NULL) {
- BIO_free (TlsConn->OutBio);
- }
-
- OPENSSL_free (Tls);
-}
-
-/**
- Create a new TLS object for a connection.
-
- This function creates a new TLS object for a connection. The new object
- inherits the setting of the underlying context TlsCtx: connection method,
- options, verification setting.
-
- @param[in] TlsCtx Pointer to the SSL_CTX object.
-
- @return Pointer to an allocated SSL object.
- If the creation failed, TlsNew() returns NULL.
-
-**/
-VOID *
-EFIAPI
-TlsNew (
- IN VOID *TlsCtx
- )
-{
- TLS_CONNECTION *TlsConn;
- SSL_CTX *SslCtx;
- X509_STORE *X509Store;
-
- TlsConn = NULL;
-
- //
- // Allocate one new TLS_CONNECTION object
- //
- TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
- if (TlsConn == NULL) {
- return NULL;
- }
-
- TlsConn->Ssl = NULL;
-
- //
- // Create a new SSL Object
- //
- TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
- if (TlsConn->Ssl == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // This retains compatibility with previous version of OpenSSL.
- //
- SSL_set_security_level (TlsConn->Ssl, 0);
-
- //
- // Initialize the created SSL Object
- //
- SSL_set_info_callback (TlsConn->Ssl, NULL);
-
- TlsConn->InBio = NULL;
-
- //
- // Set up Reading BIO for TLS connection
- //
- TlsConn->InBio = BIO_new (BIO_s_mem ());
- if (TlsConn->InBio == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // Sets the behaviour of memory BIO when it is empty. It will set the
- // read retry flag.
- //
- BIO_set_mem_eof_return (TlsConn->InBio, -1);
-
- TlsConn->OutBio = NULL;
-
- //
- // Set up Writing BIO for TLS connection
- //
- TlsConn->OutBio = BIO_new (BIO_s_mem ());
- if (TlsConn->OutBio == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
-
- //
- // Sets the behaviour of memory BIO when it is empty. It will set the
- // write retry flag.
- //
- BIO_set_mem_eof_return (TlsConn->OutBio, -1);
-
- ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
-
- //
- // Connects the InBio and OutBio for the read and write operations.
- //
- SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
-
- //
- // Create new X509 store if needed
- //
- SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
- X509Store = SSL_CTX_get_cert_store (SslCtx);
- if (X509Store == NULL) {
- X509Store = X509_STORE_new ();
- if (X509Store == NULL) {
- TlsFree ((VOID *) TlsConn);
- return NULL;
- }
- SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
- X509_STORE_free (X509Store);
- }
-
- //
- // Set X509_STORE flags used in certificate validation
- //
- X509_STORE_set_flags (
- X509Store,
- X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
- );
- return (VOID *) TlsConn;
-}
+/** @file\r
+ SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.\r
+\r
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution. The full text of the license may be found at\r
+http://opensource.org/licenses/bsd-license.php\r
+\r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#include "InternalTlsLib.h"\r
+\r
+/**\r
+ Initializes the OpenSSL library.\r
+\r
+ This function registers ciphers and digests used directly and indirectly\r
+ by SSL/TLS, and initializes the readable error messages.\r
+ This function must be called before any other action takes places.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsInitialize (\r
+ VOID\r
+ )\r
+{\r
+ //\r
+ // Performs initialization of crypto and ssl library, and loads required\r
+ // algorithms.\r
+ //\r
+ OPENSSL_init_ssl (\r
+ OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,\r
+ NULL\r
+ );\r
+\r
+ //\r
+ // Initialize the pseudorandom number generator.\r
+ //\r
+ RandomSeed (NULL, 0);\r
+}\r
+\r
+/**\r
+ Free an allocated SSL_CTX object.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsCtxFree (\r
+ IN VOID *TlsCtx\r
+ )\r
+{\r
+ if (TlsCtx == NULL) {\r
+ return;\r
+ }\r
+\r
+ if (TlsCtx != NULL) {\r
+ SSL_CTX_free ((SSL_CTX *) (TlsCtx));\r
+ }\r
+}\r
+\r
+/**\r
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled\r
+ connections.\r
+\r
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.\r
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.\r
+\r
+ @return Pointer to an allocated SSL_CTX object.\r
+ If the creation failed, TlsCtxNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsCtxNew (\r
+ IN UINT8 MajorVer,\r
+ IN UINT8 MinorVer\r
+ )\r
+{\r
+ SSL_CTX *TlsCtx;\r
+ UINT16 ProtoVersion;\r
+\r
+ ProtoVersion = (MajorVer << 8) | MinorVer;\r
+\r
+ TlsCtx = SSL_CTX_new (SSLv23_client_method ());\r
+ if (TlsCtx == NULL) {\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Ensure SSLv3 is disabled\r
+ //\r
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);\r
+\r
+ //\r
+ // Treat as minimum accepted versions by setting the minimal bound.\r
+ // Client can use higher TLS version if server supports it\r
+ //\r
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);\r
+\r
+ return (VOID *) TlsCtx;\r
+}\r
+\r
+/**\r
+ Free an allocated TLS object.\r
+\r
+ This function removes the TLS object pointed to by Tls and frees up the\r
+ allocated memory. If Tls is NULL, nothing is done.\r
+\r
+ @param[in] Tls Pointer to the TLS object to be freed.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+TlsFree (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL) {\r
+ return;\r
+ }\r
+\r
+ //\r
+ // Free the internal TLS and BIO objects.\r
+ //\r
+ if (TlsConn->Ssl != NULL) {\r
+ SSL_free (TlsConn->Ssl);\r
+ }\r
+\r
+ if (TlsConn->InBio != NULL) {\r
+ BIO_free (TlsConn->InBio);\r
+ }\r
+\r
+ if (TlsConn->OutBio != NULL) {\r
+ BIO_free (TlsConn->OutBio);\r
+ }\r
+\r
+ OPENSSL_free (Tls);\r
+}\r
+\r
+/**\r
+ Create a new TLS object for a connection.\r
+\r
+ This function creates a new TLS object for a connection. The new object\r
+ inherits the setting of the underlying context TlsCtx: connection method,\r
+ options, verification setting.\r
+\r
+ @param[in] TlsCtx Pointer to the SSL_CTX object.\r
+\r
+ @return Pointer to an allocated SSL object.\r
+ If the creation failed, TlsNew() returns NULL.\r
+\r
+**/\r
+VOID *\r
+EFIAPI\r
+TlsNew (\r
+ IN VOID *TlsCtx\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ SSL_CTX *SslCtx;\r
+ X509_STORE *X509Store;\r
+\r
+ TlsConn = NULL;\r
+\r
+ //\r
+ // Allocate one new TLS_CONNECTION object\r
+ //\r
+ TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));\r
+ if (TlsConn == NULL) {\r
+ return NULL;\r
+ }\r
+\r
+ TlsConn->Ssl = NULL;\r
+\r
+ //\r
+ // Create a new SSL Object\r
+ //\r
+ TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);\r
+ if (TlsConn->Ssl == NULL) {\r
+ TlsFree ((VOID *) TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // This retains compatibility with previous version of OpenSSL.\r
+ //\r
+ SSL_set_security_level (TlsConn->Ssl, 0);\r
+\r
+ //\r
+ // Initialize the created SSL Object\r
+ //\r
+ SSL_set_info_callback (TlsConn->Ssl, NULL);\r
+\r
+ TlsConn->InBio = NULL;\r
+\r
+ //\r
+ // Set up Reading BIO for TLS connection\r
+ //\r
+ TlsConn->InBio = BIO_new (BIO_s_mem ());\r
+ if (TlsConn->InBio == NULL) {\r
+ TlsFree ((VOID *) TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Sets the behaviour of memory BIO when it is empty. It will set the\r
+ // read retry flag.\r
+ //\r
+ BIO_set_mem_eof_return (TlsConn->InBio, -1);\r
+\r
+ TlsConn->OutBio = NULL;\r
+\r
+ //\r
+ // Set up Writing BIO for TLS connection\r
+ //\r
+ TlsConn->OutBio = BIO_new (BIO_s_mem ());\r
+ if (TlsConn->OutBio == NULL) {\r
+ TlsFree ((VOID *) TlsConn);\r
+ return NULL;\r
+ }\r
+\r
+ //\r
+ // Sets the behaviour of memory BIO when it is empty. It will set the\r
+ // write retry flag.\r
+ //\r
+ BIO_set_mem_eof_return (TlsConn->OutBio, -1);\r
+\r
+ ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);\r
+\r
+ //\r
+ // Connects the InBio and OutBio for the read and write operations.\r
+ //\r
+ SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);\r
+\r
+ //\r
+ // Create new X509 store if needed\r
+ //\r
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);\r
+ X509Store = SSL_CTX_get_cert_store (SslCtx);\r
+ if (X509Store == NULL) {\r
+ X509Store = X509_STORE_new ();\r
+ if (X509Store == NULL) {\r
+ TlsFree ((VOID *) TlsConn);\r
+ return NULL;\r
+ }\r
+ SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);\r
+ X509_STORE_free (X509Store);\r
+ }\r
+\r
+ //\r
+ // Set X509_STORE flags used in certificate validation\r
+ //\r
+ X509_STORE_set_flags (\r
+ X509Store,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME\r
+ );\r
+ return (VOID *) TlsConn;\r
+}\r
+\r
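Review bot: In TlsNew the TLS_CONNECTION is obtained with OPENSSL_malloc and only the Ssl field is set to NULL before the first failure path, so when SSL_new fails TlsFree reads the still-uninitialized InBio and OutBio members and may call BIO_free on garbage pointers; the same applies to OutBio when the InBio allocation fails. Initialise every member immediately after the allocation, `TlsConn->Ssl = NULL; TlsConn->InBio = NULL; TlsConn->OutBio = NULL;` (or allocate with OPENSSL_zalloc), and drop the later per-field `= NULL` assignments. This commit only changes line endings, so the defect is pre-existing, but the new file carries it unchanged. Separately, after SSL_set_bio has been called OpenSSL 1.1 documents that SSL_free also releases the read and write BIOs, so the BIO_free calls that follow SSL_free in TlsFree look like a second release of the same objects on the normal teardown path; this should be confirmed against the OpenSSL version in tree before removing them.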
-## @file
-# SSL/TLS Wrapper Library Instance based on OpenSSL.
-#
-# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = TlsLib
- MODULE_UNI_FILE = TlsLib.uni
- FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
-#
-
-[Sources]
- InternalTlsLib.h
- TlsInit.c
- TlsConfig.c
- TlsProcess.c
-
-[Packages]
- MdePkg/MdePkg.dec
- CryptoPkg/CryptoPkg.dec
-
-[LibraryClasses]
- BaseLib
- BaseMemoryLib
- MemoryAllocationLib
- UefiRuntimeServicesTableLib
- DebugLib
- OpensslLib
- IntrinsicLib
- PrintLib
-
-[BuildOptions]
- #
- # suppress the following warnings so we do not break the build with warnings-as-errors:
- # C4090: 'function' : different 'const' qualifiers
- #
- MSFT:*_*_*_CC_FLAGS = /wd4090
+## @file\r
+# SSL/TLS Wrapper Library Instance based on OpenSSL.\r
+#\r
+# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
+# This program and the accompanying materials\r
+# are licensed and made available under the terms and conditions of the BSD License\r
+# which accompanies this distribution. The full text of the license may be found at\r
+# http://opensource.org/licenses/bsd-license.php\r
+#\r
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+#\r
+##\r
+\r
+[Defines]\r
+ INF_VERSION = 0x00010005\r
+ BASE_NAME = TlsLib\r
+ MODULE_UNI_FILE = TlsLib.uni\r
+ FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155\r
+ MODULE_TYPE = DXE_DRIVER\r
+ VERSION_STRING = 1.0\r
+ LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER\r
+\r
+#\r
+# The following information is for reference only and not required by the build tools.\r
+#\r
+# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64\r
+#\r
+\r
+[Sources]\r
+ InternalTlsLib.h\r
+ TlsInit.c\r
+ TlsConfig.c\r
+ TlsProcess.c\r
+\r
+[Packages]\r
+ MdePkg/MdePkg.dec\r
+ CryptoPkg/CryptoPkg.dec\r
+\r
+[LibraryClasses]\r
+ BaseLib\r
+ BaseMemoryLib\r
+ MemoryAllocationLib\r
+ UefiRuntimeServicesTableLib\r
+ DebugLib\r
+ OpensslLib\r
+ IntrinsicLib\r
+ PrintLib\r
+\r
+[BuildOptions]\r
+ #\r
+ # suppress the following warnings so we do not break the build with warnings-as-errors:\r
+ # C4090: 'function' : different 'const' qualifiers\r
+ #\r
+ MSFT:*_*_*_CC_FLAGS = /wd4090\r
+\r
-// /** @file
-// SSL/TLS Wrapper Library Instance based on OpenSSL.
-//
-// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-//
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"
-
-#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."
\ No newline at end of file
+// /** @file\r
+// SSL/TLS Wrapper Library Instance based on OpenSSL.\r
+//\r
+// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
+//\r
+// This program and the accompanying materials\r
+// are licensed and made available under the terms and conditions of the BSD License\r
+// which accompanies this distribution. The full text of the license may be found at\r
+// http://opensource.org/licenses/bsd-license.php\r
+//\r
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+//\r
+// **/\r
+\r
+\r
+#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"\r
+\r
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."\r
-/** @file
- SSL/TLS Process Library Wrapper Implementation over OpenSSL.
- The process includes the TLS handshake and packet I/O.
-
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalTlsLib.h"
-
-#define MAX_BUFFER_SIZE 32768
-
-/**
- Checks if the TLS handshake was done.
-
- This function will check if the specified TLS handshake was done.
-
- @param[in] Tls Pointer to the TLS object for handshake state checking.
-
- @retval TRUE The TLS handshake was done.
- @retval FALSE The TLS handshake was not done.
-
-**/
-BOOLEAN
-EFIAPI
-TlsInHandshake (
- IN VOID *Tls
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return FALSE;
- }
-
- //
- // Return the status which indicates if the TLS handshake was done.
- //
- return !SSL_is_init_finished (TlsConn->Ssl);
-}
-
-/**
- Perform a TLS/SSL handshake.
-
- This function will perform a TLS/SSL handshake.
-
- @param[in] Tls Pointer to the TLS object for handshake operation.
- @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
- @param[in] BufferInSize Packet size in bytes for the most recently received TLS
- Handshake packet.
- @param[out] BufferOut Pointer to the buffer to hold the built packet.
- @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferIn is NULL but BufferInSize is NOT 0.
- BufferInSize is 0 but BufferIn is NOT NULL.
- BufferOutSize is NULL.
- BufferOut is NULL if *BufferOutSize is not zero.
- @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
- @retval EFI_ABORTED Something wrong during handshake.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsDoHandshake (
- IN VOID *Tls,
- IN UINT8 *BufferIn, OPTIONAL
- IN UINTN BufferInSize, OPTIONAL
- OUT UINT8 *BufferOut, OPTIONAL
- IN OUT UINTN *BufferOutSize
- )
-{
- TLS_CONNECTION *TlsConn;
- UINTN PendingBufferSize;
- INTN Ret;
- UINTN ErrorCode;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- PendingBufferSize = 0;
- Ret = 1;
-
- if (TlsConn == NULL || \
- TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
- BufferOutSize == NULL || \
- (BufferIn == NULL && BufferInSize != 0) || \
- (BufferIn != NULL && BufferInSize == 0) || \
- (BufferOut == NULL && *BufferOutSize != 0)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if(BufferIn == NULL && BufferInSize == 0) {
- //
- // If RequestBuffer is NULL and RequestSize is 0, and TLS session
- // status is EfiTlsSessionNotStarted, the TLS session will be initiated
- // and the response packet needs to be ClientHello.
- //
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- if (PendingBufferSize == 0) {
- SSL_set_connect_state (TlsConn->Ssl);
- Ret = SSL_do_handshake (TlsConn->Ssl);
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- }
- } else {
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- if (PendingBufferSize == 0) {
- BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
- Ret = SSL_do_handshake (TlsConn->Ssl);
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- }
- }
-
- if (Ret < 1) {
- Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
- if (Ret == SSL_ERROR_SSL ||
- Ret == SSL_ERROR_SYSCALL ||
- Ret == SSL_ERROR_ZERO_RETURN) {
- DEBUG ((
- DEBUG_ERROR,
- "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
- __FUNCTION__,
- SSL_get_state (TlsConn->Ssl),
- Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"
- ));
- DEBUG_CODE_BEGIN ();
- while (TRUE) {
- ErrorCode = ERR_get_error ();
- if (ErrorCode == 0) {
- break;
- }
- DEBUG ((
- DEBUG_ERROR,
- "%a ERROR 0x%x=L%x:F%x:R%x\n",
- __FUNCTION__,
- ErrorCode,
- ERR_GET_LIB (ErrorCode),
- ERR_GET_FUNC (ErrorCode),
- ERR_GET_REASON (ErrorCode)
- ));
- }
- DEBUG_CODE_END ();
- return EFI_ABORTED;
- }
- }
-
- if (PendingBufferSize > *BufferOutSize) {
- *BufferOutSize = PendingBufferSize;
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (PendingBufferSize > 0) {
- *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
- } else {
- *BufferOutSize = 0;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
- TLS session has errors and the response packet needs to be Alert message based on error type.
-
- @param[in] Tls Pointer to the TLS object for state checking.
- @param[in] BufferIn Pointer to the most recently received TLS Alert packet.
- @param[in] BufferInSize Packet size in bytes for the most recently received TLS
- Alert packet.
- @param[out] BufferOut Pointer to the buffer to hold the built packet.
- @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferIn is NULL but BufferInSize is NOT 0.
- BufferInSize is 0 but BufferIn is NOT NULL.
- BufferOutSize is NULL.
- BufferOut is NULL if *BufferOutSize is not zero.
- @retval EFI_ABORTED An error occurred.
- @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsHandleAlert (
- IN VOID *Tls,
- IN UINT8 *BufferIn, OPTIONAL
- IN UINTN BufferInSize, OPTIONAL
- OUT UINT8 *BufferOut, OPTIONAL
- IN OUT UINTN *BufferOutSize
- )
-{
- TLS_CONNECTION *TlsConn;
- UINTN PendingBufferSize;
- UINT8 *TempBuffer;
- INTN Ret;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- PendingBufferSize = 0;
- TempBuffer = NULL;
- Ret = 0;
-
- if (TlsConn == NULL || \
- TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
- BufferOutSize == NULL || \
- (BufferIn == NULL && BufferInSize != 0) || \
- (BufferIn != NULL && BufferInSize == 0) || \
- (BufferOut == NULL && *BufferOutSize != 0)) {
- return EFI_INVALID_PARAMETER;
- }
-
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
- Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
- if (Ret != (INTN) BufferInSize) {
- return EFI_ABORTED;
- }
-
- TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
-
- //
- // ssl3_send_alert() will be called in ssl3_read_bytes() function.
- // TempBuffer is invalid since it's a Alert message, so just ignore it.
- //
- SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
-
- OPENSSL_free (TempBuffer);
-
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- }
-
- if (PendingBufferSize > *BufferOutSize) {
- *BufferOutSize = PendingBufferSize;
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (PendingBufferSize > 0) {
- *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
- } else {
- *BufferOutSize = 0;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Build the CloseNotify packet.
-
- @param[in] Tls Pointer to the TLS object for state checking.
- @param[in, out] Buffer Pointer to the buffer to hold the built packet.
- @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
- the buffer size provided by the caller. On output, it
- is the buffer size in fact needed to contain the
- packet.
-
- @retval EFI_SUCCESS The required TLS packet is built successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
- Tls is NULL.
- BufferSize is NULL.
- Buffer is NULL if *BufferSize is not zero.
- @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
-
-**/
-EFI_STATUS
-EFIAPI
-TlsCloseNotify (
- IN VOID *Tls,
- IN OUT UINT8 *Buffer,
- IN OUT UINTN *BufferSize
- )
-{
- TLS_CONNECTION *TlsConn;
- UINTN PendingBufferSize;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- PendingBufferSize = 0;
-
- if (TlsConn == NULL || \
- TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
- BufferSize == NULL || \
- (Buffer == NULL && *BufferSize != 0)) {
- return EFI_INVALID_PARAMETER;
- }
-
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- if (PendingBufferSize == 0) {
- //
- // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
- //
- SSL_shutdown (TlsConn->Ssl);
- PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
- }
-
- if (PendingBufferSize > *BufferSize) {
- *BufferSize = PendingBufferSize;
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (PendingBufferSize > 0) {
- *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);
- } else {
- *BufferSize = 0;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Attempts to read bytes from one TLS object and places the data in Buffer.
-
- This function will attempt to read BufferSize bytes from the TLS object
- and places the data in Buffer.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in,out] Buffer Pointer to the buffer to store the data.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The amount of data successfully read from the TLS object.
- @retval <=0 No data was successfully read.
-
-**/
-INTN
-EFIAPI
-TlsCtrlTrafficOut (
- IN VOID *Tls,
- IN OUT VOID *Buffer,
- IN UINTN BufferSize
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->OutBio == 0) {
- return -1;
- }
-
- //
- // Read and return the amount of data from the BIO.
- //
- return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
-}
-
-/**
- Attempts to write data from the buffer to TLS object.
-
- This function will attempt to write BufferSize bytes data from the Buffer
- to the TLS object.
-
- @param[in] Tls Pointer to the TLS object.
- @param[in] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The amount of data successfully written to the TLS object.
- @retval <=0 No data was successfully written.
-
-**/
-INTN
-EFIAPI
-TlsCtrlTrafficIn (
- IN VOID *Tls,
- IN VOID *Buffer,
- IN UINTN BufferSize
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->InBio == 0) {
- return -1;
- }
-
- //
- // Write and return the amount of data to the BIO.
- //
- return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
-}
-/**
- Attempts to read bytes from the specified TLS connection into the buffer.
-
- This function tries to read BufferSize bytes data from the specified TLS
- connection into the Buffer.
-
- @param[in] Tls Pointer to the TLS connection for data reading.
- @param[in,out] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The read operation was successful, and return value is the
- number of bytes actually read from the TLS connection.
- @retval <=0 The read operation was not successful.
-
-**/
-INTN
-EFIAPI
-TlsRead (
- IN VOID *Tls,
- IN OUT VOID *Buffer,
- IN UINTN BufferSize
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return -1;
- }
-
- //
- // Read bytes from the specified TLS connection.
- //
- return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
-}
-
-/**
- Attempts to write data to a TLS connection.
-
- This function tries to write BufferSize bytes data from the Buffer into the
- specified TLS connection.
-
- @param[in] Tls Pointer to the TLS connection for data writing.
- @param[in] Buffer Pointer to the data buffer.
- @param[in] BufferSize The size of Buffer in bytes.
-
- @retval >0 The write operation was successful, and return value is the
- number of bytes actually written to the TLS connection.
- @retval <=0 The write operation was not successful.
-
-**/
-INTN
-EFIAPI
-TlsWrite (
- IN VOID *Tls,
- IN VOID *Buffer,
- IN UINTN BufferSize
- )
-{
- TLS_CONNECTION *TlsConn;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL) {
- return -1;
- }
-
- //
- // Write bytes to the specified TLS connection.
- //
- return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
-}
+/** @file\r
+ SSL/TLS Process Library Wrapper Implementation over OpenSSL.\r
+ The process includes the TLS handshake and packet I/O.\r
+\r
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution. The full text of the license may be found at\r
+http://opensource.org/licenses/bsd-license.php\r
+\r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#include "InternalTlsLib.h"\r
+\r
+#define MAX_BUFFER_SIZE 32768\r
+\r
+/**\r
+ Checks if the TLS handshake was done.\r
+\r
+ This function will check if the specified TLS handshake was done.\r
+\r
+ @param[in] Tls Pointer to the TLS object for handshake state checking.\r
+\r
+ @retval TRUE The TLS handshake was done.\r
+ @retval FALSE The TLS handshake was not done.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+TlsInHandshake (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Return the status which indicates if the TLS handshake was done.\r
+ //\r
+ return !SSL_is_init_finished (TlsConn->Ssl);\r
+}\r
+\r
+/**\r
+ Perform a TLS/SSL handshake.\r
+\r
+ This function will perform a TLS/SSL handshake.\r
+\r
+ @param[in] Tls Pointer to the TLS object for handshake operation.\r
+ @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.\r
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r
+ Handshake packet.\r
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferIn is NULL but BufferInSize is NOT 0.\r
+ BufferInSize is 0 but BufferIn is NOT NULL.\r
+ BufferOutSize is NULL.\r
+ BufferOut is NULL if *BufferOutSize is not zero.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r
+ @retval EFI_ABORTED Something wrong during handshake.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsDoHandshake (\r
+ IN VOID *Tls,\r
+ IN UINT8 *BufferIn, OPTIONAL\r
+ IN UINTN BufferInSize, OPTIONAL\r
+ OUT UINT8 *BufferOut, OPTIONAL\r
+ IN OUT UINTN *BufferOutSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINTN PendingBufferSize;\r
+ INTN Ret;\r
+ UINTN ErrorCode;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ PendingBufferSize = 0;\r
+ Ret = 1;\r
+\r
+ if (TlsConn == NULL || \\r
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r
+ BufferOutSize == NULL || \\r
+ (BufferIn == NULL && BufferInSize != 0) || \\r
+ (BufferIn != NULL && BufferInSize == 0) || \\r
+ (BufferOut == NULL && *BufferOutSize != 0)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if(BufferIn == NULL && BufferInSize == 0) {\r
+ //\r
+ // If RequestBuffer is NULL and RequestSize is 0, and TLS session\r
+ // status is EfiTlsSessionNotStarted, the TLS session will be initiated\r
+ // and the response packet needs to be ClientHello.\r
+ //\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ if (PendingBufferSize == 0) {\r
+ SSL_set_connect_state (TlsConn->Ssl);\r
+ Ret = SSL_do_handshake (TlsConn->Ssl);\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ }\r
+ } else {\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ if (PendingBufferSize == 0) {\r
+ BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);\r
+ Ret = SSL_do_handshake (TlsConn->Ssl);\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ }\r
+ }\r
+\r
+ if (Ret < 1) {\r
+ Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);\r
+ if (Ret == SSL_ERROR_SSL ||\r
+ Ret == SSL_ERROR_SYSCALL ||\r
+ Ret == SSL_ERROR_ZERO_RETURN) {\r
+ DEBUG ((\r
+ DEBUG_ERROR,\r
+ "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",\r
+ __FUNCTION__,\r
+ SSL_get_state (TlsConn->Ssl),\r
+ Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"\r
+ ));\r
+ DEBUG_CODE_BEGIN ();\r
+ while (TRUE) {\r
+ ErrorCode = ERR_get_error ();\r
+ if (ErrorCode == 0) {\r
+ break;\r
+ }\r
+ DEBUG ((\r
+ DEBUG_ERROR,\r
+ "%a ERROR 0x%x=L%x:F%x:R%x\n",\r
+ __FUNCTION__,\r
+ ErrorCode,\r
+ ERR_GET_LIB (ErrorCode),\r
+ ERR_GET_FUNC (ErrorCode),\r
+ ERR_GET_REASON (ErrorCode)\r
+ ));\r
+ }\r
+ DEBUG_CODE_END ();\r
+ return EFI_ABORTED;\r
+ }\r
+ }\r
+\r
+ if (PendingBufferSize > *BufferOutSize) {\r
+ *BufferOutSize = PendingBufferSize;\r
+ return EFI_BUFFER_TOO_SMALL;\r
+ }\r
+\r
+ if (PendingBufferSize > 0) {\r
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);\r
+ } else {\r
+ *BufferOutSize = 0;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,\r
+ TLS session has errors and the response packet needs to be Alert message based on error type.\r
+\r
+ @param[in] Tls Pointer to the TLS object for state checking.\r
+ @param[in] BufferIn Pointer to the most recently received TLS Alert packet.\r
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS\r
+ Alert packet.\r
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferIn is NULL but BufferInSize is NOT 0.\r
+ BufferInSize is 0 but BufferIn is NOT NULL.\r
+ BufferOutSize is NULL.\r
+ BufferOut is NULL if *BufferOutSize is not zero.\r
+ @retval EFI_ABORTED An error occurred.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsHandleAlert (\r
+ IN VOID *Tls,\r
+ IN UINT8 *BufferIn, OPTIONAL\r
+ IN UINTN BufferInSize, OPTIONAL\r
+ OUT UINT8 *BufferOut, OPTIONAL\r
+ IN OUT UINTN *BufferOutSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINTN PendingBufferSize;\r
+ UINT8 *TempBuffer;\r
+ INTN Ret;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ PendingBufferSize = 0;\r
+ TempBuffer = NULL;\r
+ Ret = 0;\r
+\r
+ if (TlsConn == NULL || \\r
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r
+ BufferOutSize == NULL || \\r
+ (BufferIn == NULL && BufferInSize != 0) || \\r
+ (BufferIn != NULL && BufferInSize == 0) || \\r
+ (BufferOut == NULL && *BufferOutSize != 0)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {\r
+ Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);\r
+ if (Ret != (INTN) BufferInSize) {\r
+ return EFI_ABORTED;\r
+ }\r
+\r
+ TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);\r
+\r
+ //\r
+ // ssl3_send_alert() will be called in ssl3_read_bytes() function.\r
+ // TempBuffer is invalid since it's a Alert message, so just ignore it.\r
+ //\r
+ SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);\r
+\r
+ OPENSSL_free (TempBuffer);\r
+\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ }\r
+\r
+ if (PendingBufferSize > *BufferOutSize) {\r
+ *BufferOutSize = PendingBufferSize;\r
+ return EFI_BUFFER_TOO_SMALL;\r
+ }\r
+\r
+ if (PendingBufferSize > 0) {\r
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);\r
+ } else {\r
+ *BufferOutSize = 0;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Build the CloseNotify packet.\r
+\r
+ @param[in] Tls Pointer to the TLS object for state checking.\r
+ @param[in, out] Buffer Pointer to the buffer to hold the built packet.\r
+ @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is\r
+ the buffer size provided by the caller. On output, it\r
+ is the buffer size in fact needed to contain the\r
+ packet.\r
+\r
+ @retval EFI_SUCCESS The required TLS packet is built successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:\r
+ Tls is NULL.\r
+ BufferSize is NULL.\r
+ Buffer is NULL if *BufferSize is not zero.\r
+ @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsCloseNotify (\r
+ IN VOID *Tls,\r
+ IN OUT UINT8 *Buffer,\r
+ IN OUT UINTN *BufferSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+ UINTN PendingBufferSize;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ PendingBufferSize = 0;\r
+\r
+ if (TlsConn == NULL || \\r
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \\r
+ BufferSize == NULL || \\r
+ (Buffer == NULL && *BufferSize != 0)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ if (PendingBufferSize == 0) {\r
+ //\r
+ // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.\r
+ //\r
+ SSL_shutdown (TlsConn->Ssl);\r
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);\r
+ }\r
+\r
+ if (PendingBufferSize > *BufferSize) {\r
+ *BufferSize = PendingBufferSize;\r
+ return EFI_BUFFER_TOO_SMALL;\r
+ }\r
+\r
+ if (PendingBufferSize > 0) {\r
+ *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);\r
+ } else {\r
+ *BufferSize = 0;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Attempts to read bytes from one TLS object and places the data in Buffer.\r
+\r
+ This function will attempt to read BufferSize bytes from the TLS object\r
+ and places the data in Buffer.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in,out] Buffer Pointer to the buffer to store the data.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The amount of data successfully read from the TLS object.\r
+ @retval <=0 No data was successfully read.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsCtrlTrafficOut (\r
+ IN VOID *Tls,\r
+ IN OUT VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->OutBio == 0) {\r
+ return -1;\r
+ }\r
+\r
+ //\r
+ // Read and return the amount of data from the BIO.\r
+ //\r
+ return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);\r
+}\r
+\r
+/**\r
+ Attempts to write data from the buffer to TLS object.\r
+\r
+ This function will attempt to write BufferSize bytes data from the Buffer\r
+ to the TLS object.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The amount of data successfully written to the TLS object.\r
+ @retval <=0 No data was successfully written.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsCtrlTrafficIn (\r
+ IN VOID *Tls,\r
+ IN VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->InBio == 0) {\r
+ return -1;\r
+ }\r
+\r
+ //\r
+ // Write and return the amount of data to the BIO.\r
+ //\r
+ return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);\r
+}\r
+/**\r
+ Attempts to read bytes from the specified TLS connection into the buffer.\r
+\r
+ This function tries to read BufferSize bytes data from the specified TLS\r
+ connection into the Buffer.\r
+\r
+ @param[in] Tls Pointer to the TLS connection for data reading.\r
+ @param[in,out] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The read operation was successful, and return value is the\r
+ number of bytes actually read from the TLS connection.\r
+ @retval <=0 The read operation was not successful.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsRead (\r
+ IN VOID *Tls,\r
+ IN OUT VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return -1;\r
+ }\r
+\r
+ //\r
+ // Read bytes from the specified TLS connection.\r
+ //\r
+ return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);\r
+}\r
+\r
+/**\r
+ Attempts to write data to a TLS connection.\r
+\r
+ This function tries to write BufferSize bytes data from the Buffer into the\r
+ specified TLS connection.\r
+\r
+ @param[in] Tls Pointer to the TLS connection for data writing.\r
+ @param[in] Buffer Pointer to the data buffer.\r
+ @param[in] BufferSize The size of Buffer in bytes.\r
+\r
+ @retval >0 The write operation was successful, and return value is the\r
+ number of bytes actually written to the TLS connection.\r
+ @retval <=0 The write operation was not successful.\r
+\r
+**/\r
+INTN\r
+EFIAPI\r
+TlsWrite (\r
+ IN VOID *Tls,\r
+ IN VOID *Buffer,\r
+ IN UINTN BufferSize\r
+ )\r
+{\r
+ TLS_CONNECTION *TlsConn;\r
+\r
+ TlsConn = (TLS_CONNECTION *) Tls;\r
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {\r
+ return -1;\r
+ }\r
+\r
+ //\r
+ // Write bytes to the specified TLS connection.\r
+ //\r
+ return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);\r
+}\r
+\r