/// EFI_TLS_SESSION_DATA_TYPE\r
///\r
typedef enum {\r
- ///\r
- /// Session Configuration\r
- ///\r
-\r
///\r
/// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.\r
///\r
/// The corresponding Data is of type EFI_TLS_SESSION_STATE.\r
///\r
EfiTlsSessionState,\r
-\r
- ///\r
- /// Session information\r
- ///\r
-\r
///\r
/// TLS session data client random.\r
/// The corresponding Data is of type EFI_TLS_RANDOM.\r
/// The corresponding Data is of type EFI_TLS_MASTER_SECRET.\r
///\r
EfiTlsKeyMaterial,\r
+ ///\r
+ /// TLS session hostname for validation which is used to verify whether the name\r
+ /// within the peer certificate matches a given host name.\r
+ /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.\r
+ /// The corresponding Data is of type EFI_TLS_VERIFY_HOST.\r
+ ///\r
+ EfiTlsVerifyHost,\r
\r
EfiTlsSessionDataTypeMaximum\r
-\r
} EFI_TLS_SESSION_DATA_TYPE;\r
\r
///\r
///\r
#define EFI_TLS_VERIFY_PEER 0x1\r
///\r
-/// TLS session will fail peer certificate is absent.\r
+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.\r
+/// TLS session will fail if client certificate is absent.\r
///\r
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2\r
///\r
///\r
#define EFI_TLS_VERIFY_CLIENT_ONCE 0x4\r
\r
+///\r
+/// EFI_TLS_VERIFY_HOST_FLAG\r
+///\r
+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;\r
+///\r
+/// There is no additional flags set for hostname validation.\r
+/// Wildcards are supported and they match only in the left-most label.\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_NONE 0x00\r
+///\r
+/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the\r
+/// certificate contains Subject Alternative Name (SAN).\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01\r
+///\r
+/// Disable the match of all wildcards.\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02\r
+///\r
+/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04\r
+///\r
+/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08\r
+///\r
+/// Restrict to only match direct child sub-domains which start with ".".\r
+/// For example, a name of ".example.com" would match "www.example.com" with this flag,\r
+/// but would not match "www.sub.example.com".\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10\r
+///\r
+/// Never check the Subject Distinguished Name (DN) even there is no\r
+/// Subject Alternative Name (SAN) in the certificate.\r
+///\r
+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20\r
+\r
+///\r
+/// EFI_TLS_VERIFY_HOST\r
+///\r
+#pragma pack (1)\r
+typedef struct {\r
+ EFI_TLS_VERIFY_HOST_FLAG Flags;\r
+ CHAR8 *HostName;\r
+} EFI_TLS_VERIFY_HOST;\r
+#pragma pack ()\r
+\r
///\r
/// EFI_TLS_RANDOM\r
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.\r