return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0);\r
}\r
\r
+/**\r
+ Shutdown a TLS connection.\r
+\r
+ Shutdown the TLS connection without releasing the resources, meaning a new\r
+ connection can be started without calling TlsNew() and without setting\r
+ certificates etc.\r
+\r
+ @param[in] Tls Pointer to the TLS object to shutdown.\r
+\r
+ @retval EFI_SUCCESS The TLS is shutdown successfully.\r
+ @retval EFI_INVALID_PARAMETER Tls is NULL.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+CryptoServiceTlsShutdown (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI_UNSUPPORTED);\r
+}\r
+\r
/**\r
Set a new TLS/SSL method for a particular TLS object.\r
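Review bot: The retval list of CryptoServiceTlsShutdown omits EFI_UNSUPPORTED, yet the CALL_BASECRYPTLIB fallback in its body returns exactly that when the Shutdown service bit is disabled, so a caller following the documented contract will misclassify the "service compiled out" case as something else. Add `@retval EFI_UNSUPPORTED This function is not supported.` next to the other retvals, as the TlsSetHostPrivateKeyEx docblock in this same change already does. The same omission is present in the TlsGetExportKey wrappers added later in this change, whose fallback also returns EFI_UNSUPPORTED.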
\r
/**\r
Adds the local private key to the specified TLS object.\r
\r
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+ @param[in] Password Pointer to NULL-terminated private key password, set it to NULL\r
+ if private key not encrypted.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+CryptoServiceTlsSetHostPrivateKeyEx (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize,\r
+ IN VOID *Password OPTIONAL\r
+ )\r
+{\r
+ return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);\r
+}\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
key) into the specified TLS object for TLS negotiation.\r
\r
@param[in] Tls Pointer to the TLS object.\r
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
or PKCS#8 private key.\r
@param[in] DataSize The size of data buffer in bytes.\r
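Review bot: The rewritten description "DER-encoded or PEM-encoded or PKCS#8 private key" presents an encoding (DER/PEM) and a container format (PKCS#8) as three alternatives, leaving it unclear whether a PEM-encoded PKCS#8 key is accepted; suggest `(DER- or PEM-encoded private key, including PKCS#8)` for both the description and the Data parameter, here and in the original TlsSetHostPrivateKey docblock this hunk also rewrites. The Password parameter doc should additionally say that the string stays owned by the caller and is neither copied nor cleared by this wrapper, which only forwards the pointer, so the caller is responsible for zeroizing it after the call. Whether the provider behind CALL_BASECRYPTLIB copies the password is not visible from here.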
\r
return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);\r
}\r
\r
+/**\r
+ Set the signature algorithm list to used by the TLS object.\r
+\r
+ This function sets the signature algorithms for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of\r
+ pairs of the hash algorithm and the signature algorithm as defined\r
+ in RFC 5246\r
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.\r
+\r
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList\r
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+CryptoServiceTlsSetSignatureAlgoList (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);\r
+}\r
+\r
+/**\r
+ Set the EC curve to be used for TLS flows\r
+\r
+ This function sets the EC curve to be used for TLS flows.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.\r
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)\r
+\r
+ @retval EFI_SUCCESS The EC curve was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+CryptoServiceTlsSetEcCurve (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ return CALL_BASECRYPTLIB (TlsSet.Services.EcCurve, TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED);\r
+}\r
+\r
/**\r
Gets the protocol version used by the specified TLS connection.\r
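Review bot: CryptoServiceTlsSetEcCurve takes `IN UINT8 *Data` but documents DataSize as `sizeof (UINT32)`, while RFC 4492 section 5.1.1 NamedCurve values are 16-bit codepoints, so the byte layout the callee expects (a host-endian UINT32 holding the IANA NamedCurve code, or a network-order 2-byte value) is stated nowhere; a caller that guesses wrong requests a different curve than intended or is rejected. Pin it in the Data parameter doc, e.g. `Pointer to a UINT32 holding the IANA NamedCurve value (RFC 4492 section 5.1.1), in host byte order`, adjusted to whatever the provider actually reads, which this wrapper does not show. Neither this wrapper nor CryptoServiceTlsSetSignatureAlgoList checks DataSize (the "divisible by 2" rule), so both docblocks should state that validation is performed by the provider, not here.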
\r
return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);\r
}\r
\r
+/**\r
+ Derive keying material from a TLS connection.\r
+\r
+ This function exports keying material using the mechanism described in RFC\r
+ 5705.\r
+\r
+ @param[in] Tls Pointer to the TLS object\r
+ @param[in] Label Description of the key for the PRF function\r
+ @param[in] Context Optional context\r
+ @param[in] ContextLen The length of the context value in bytes\r
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF\r
+ @param[in] KeyBufferLen The length of the KeyBuffer\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+CryptoServiceTlsGetExportKey (\r
+ IN VOID *Tls,\r
+ IN CONST VOID *Label,\r
+ IN CONST VOID *Context,\r
+ IN UINTN ContextLen,\r
+ OUT VOID *KeyBuffer,\r
+ IN UINTN KeyBufferLen\r
+ )\r
+{\r
+ return CALL_BASECRYPTLIB (\r
+ TlsGet.Services.ExportKey,\r
+ TlsGetExportKey,\r
+ (Tls, Label, Context, ContextLen,\r
+ KeyBuffer, KeyBufferLen),\r
+ EFI_UNSUPPORTED\r
+ );\r
+}\r
+\r
/**\r
Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme.\r
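Review bot: The Context parameter of CryptoServiceTlsGetExportKey is described only as "Optional context", but RFC 5705 derives different keying material for "no context" versus "zero-length context", and the signature gives no way to tell which one a NULL Context or a ContextLen of 0 selects; two peers that disagree here derive mismatched keys and the failure looks like a generic protocol error. State the rule explicitly, e.g. `Context  Optional context; NULL means no context is used (RFC 5705), a non-NULL pointer with ContextLen == 0 selects an empty context`, after confirming against the provider, since the mapping is not visible in this wrapper. KeyBuffer receives secret key material, so the doc should also tell callers to zeroize it when it is no longer needed.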
\r
CryptoServiceEcGenerateKey,\r
CryptoServiceEcGetPubKey,\r
CryptoServiceEcDhComputeKey,\r
+ /// TLS (continued)\r
+ CryptoServiceTlsShutdown,\r
+ /// TLS Set (continued)\r
+ CryptoServiceTlsSetHostPrivateKeyEx,\r
+ CryptoServiceTlsSetSignatureAlgoList,\r
+ CryptoServiceTlsSetEcCurve,\r
+ /// TLS Get (continued)\r
+ CryptoServiceTlsGetExportKey\r
};\r
UINT8 CtrlTrafficIn : 1;\r
UINT8 Read : 1;\r
UINT8 Write : 1;\r
+ UINT8 Shutdown : 1;\r
} Services;\r
UINT32 Family;\r
} Tls;\r
UINT8 HostPublicCert : 1;\r
UINT8 HostPrivateKey : 1;\r
UINT8 CertRevocationList : 1;\r
+ UINT8 HostPrivateKeyEx : 1;\r
+ UINT8 SignatureAlgoList : 1;\r
+ UINT8 EcCurve : 1;\r
} Services;\r
UINT32 Family;\r
} TlsSet;\r
UINT8 HostPublicCert : 1;\r
UINT8 HostPrivateKey : 1;\r
UINT8 CertRevocationList : 1;\r
+ UINT8 ExportKey : 1;\r
} Services;\r
UINT32 Family;\r
} TlsGet;\r
CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0);\r
}\r
\r
+/**\r
+ Shutdown a TLS connection.\r
+\r
+ Shutdown the TLS connection without releasing the resources, meaning a new\r
+ connection can be started without calling TlsNew() and without setting\r
+ certificates etc.\r
+\r
+ @param[in] Tls Pointer to the TLS object to shutdown.\r
+\r
+ @retval EFI_SUCCESS The TLS is shutdown successfully.\r
+ @retval EFI_INVALID_PARAMETER Tls is NULL.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsShutdown (\r
+ IN VOID *Tls\r
+ )\r
+{\r
+ CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED);\r
+}\r
+\r
/**\r
Set a new TLS/SSL method for a particular TLS object.\r
\r
/**\r
Adds the local private key to the specified TLS object.\r
\r
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
key) into the specified TLS object for TLS negotiation.\r
\r
@param[in] Tls Pointer to the TLS object.\r
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+ @param[in] Password Pointer to NULL-terminated private key password, set it to NULL\r
+ if private key not encrypted.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetHostPrivateKeyEx (\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize,\r
+ IN VOID *Password OPTIONAL\r
+ )\r
+{\r
+ CALL_CRYPTO_SERVICE (TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);\r
+}\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
or PKCS#8 private key.\r
@param[in] DataSize The size of data buffer in bytes.\r
\r
CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);\r
}\r
\r
+/**\r
+ Set the signature algorithm list to used by the TLS object.\r
+\r
+ This function sets the signature algorithms for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of\r
+ pairs of the hash algorithm and the signature algorithm as defined\r
+ in RFC 5246\r
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.\r
+\r
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList\r
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetSignatureAlgoList (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);\r
+}\r
+\r
+/**\r
+ Set the EC curve to be used for TLS flows\r
+\r
+ This function sets the EC curve to be used for TLS flows.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.\r
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)\r
+\r
+ @retval EFI_SUCCESS The EC curve was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsSetEcCurve (\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ )\r
+{\r
+ CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);\r
+}\r
+\r
/**\r
Gets the protocol version used by the specified TLS connection.\r
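Review bot: TlsSetEcCurve dispatches to the wrong protocol member: its body reads `CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);`, a copy-paste from the function directly above, so a consumer of this library that restricts the EC curve actually hands its curve identifier to the provider's signature-algorithm setter. The curve restriction is silently never applied, the signature algorithm list is replaced by whatever those bytes decode to, and the returned status describes the wrong operation, so EFI_SUCCESS can come back while the TLS object still negotiates any default curve. The fix is `CALL_CRYPTO_SERVICE (TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED);`. The CryptoDxe-side wrapper earlier in this change forwards to the correct member, so only this consumer-library copy is affected.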
\r
CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);\r
}\r
\r
+/**\r
+ Derive keying material from a TLS connection.\r
+\r
+ This function exports keying material using the mechanism described in RFC\r
+ 5705.\r
+\r
+ @param[in] Tls Pointer to the TLS object\r
+ @param[in] Label Description of the key for the PRF function\r
+ @param[in] Context Optional context\r
+ @param[in] ContextLen The length of the context value in bytes\r
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF\r
+ @param[in] KeyBufferLen The length of the KeyBuffer\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+TlsGetExportKey (\r
+ IN VOID *Tls,\r
+ IN CONST VOID *Label,\r
+ IN CONST VOID *Context,\r
+ IN UINTN ContextLen,\r
+ OUT VOID *KeyBuffer,\r
+ IN UINTN KeyBufferLen\r
+ )\r
+{\r
+ CALL_CRYPTO_SERVICE (\r
+ TlsGetExportKey,\r
+ (Tls, Label, Context, ContextLen,\r
+ KeyBuffer, KeyBufferLen),\r
+ EFI_UNSUPPORTED\r
+ );\r
+}\r
+\r
// =====================================================================================\r
// Big number primitive\r
// =====================================================================================\r
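Review bot: Label in TlsGetExportKey is `IN CONST VOID *Label` with no length parameter, so the only workable contract is a NUL-terminated ASCII string (RFC 5705 exporter labels are ASCII), yet the docblock only says "Description of the key for the PRF function"; a caller passing a binary label with an embedded zero byte would silently derive a different key than its peer. Document it as `Label  NUL-terminated ASCII exporter label as defined in RFC 5705`, presuming the provider measures it with a string length call, which cannot be verified from this wrapper. Since KeyBuffer is filled with secret keying material, the docblock should also say the caller must zeroize it after use.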
/// the EDK II Crypto Protocol is extended, this version define must be\r
/// increased.\r
///\r
-#define EDKII_CRYPTO_VERSION 13\r
+#define EDKII_CRYPTO_VERSION 14\r
\r
///\r
/// EDK II Crypto Protocol forward declaration\r
IN UINTN BufferSize\r
);\r
\r
+/**\r
+ Shutdown a TLS connection.\r
+\r
+ Shutdown the TLS connection without releasing the resources, meaning a new\r
+ connection can be started without calling TlsNew() and without setting\r
+ certificates etc.\r
+\r
+ @param[in] Tls Pointer to the TLS object to shutdown.\r
+\r
+ @retval EFI_SUCCESS The TLS is shutdown successfully.\r
+ @retval EFI_INVALID_PARAMETER Tls is NULL.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)(\r
+ IN VOID *Tls\r
+ );\r
+\r
/**\r
Set a new TLS/SSL method for a particular TLS object.\r
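Review bot: The EDKII_CRYPTO_TLS_SHUTDOWN contract says the connection is shut down "without releasing the resources" so the object can be reused, but it does not say whether a close_notify alert is generated or whether the caller must still transmit pending output through the control-traffic path before reuse; without a delivered close_notify the peer cannot distinguish a clean close from a truncation attack (RFC 5246 section 7.2.1). It also leaves unstated what survives into the next connection beyond certificates, for instance session and peer-verification state. Suggest adding a sentence such as `Generates the TLS close_notify alert; the caller must send any pending output before reusing the object.`, worded to match what the provider actually does, which this header does not show.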
\r
/**\r
Adds the local private key to the specified TLS object.\r
\r
- This function adds the local private key (PEM-encoded RSA or PKCS#8 private\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
+ key) into the specified TLS object for TLS negotiation.\r
+\r
+ @param[in] Tls Pointer to the TLS object.\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
+ or PKCS#8 private key.\r
+ @param[in] DataSize The size of data buffer in bytes.\r
+ @param[in] Password Pointer to NULL-terminated private key password, set it to NULL\r
+ if private key not encrypted.\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_UNSUPPORTED This function is not supported.\r
+ @retval EFI_ABORTED Invalid private key data.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX)(\r
+ IN VOID *Tls,\r
+ IN VOID *Data,\r
+ IN UINTN DataSize,\r
+ IN VOID *Password OPTIONAL\r
+ );\r
+\r
+/**\r
+ Adds the local private key to the specified TLS object.\r
+\r
+ This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private\r
key) into the specified TLS object for TLS negotiation.\r
\r
@param[in] Tls Pointer to the TLS object.\r
- @param[in] Data Pointer to the data buffer of a PEM-encoded RSA\r
+ @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded\r
or PKCS#8 private key.\r
@param[in] DataSize The size of data buffer in bytes.\r
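Review bot: Password in EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX is declared `IN VOID *Password OPTIONAL` yet documented as a NUL-terminated string, so the typedef fixes neither character width nor constness for what is a secret; `IN CONST CHAR8 *Password OPTIONAL` would say what the doc says and lets callers pass const buffers without casts (the matching implementation signatures elsewhere in this change would need the same edit). Declaring the width also prevents a CHAR16 password from being silently read as a one-byte string, presuming the provider treats it as CHAR8, which this header does not establish. Whatever the type, the docblock should add that the password and key buffers remain owned by the caller and should be zeroized after the call, since nothing in this interface promises to do so.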
\r
IN OUT UINTN *DataSize\r
);\r
\r
+/**\r
+ Set the signature algorithm list to used by the TLS object.\r
+\r
+ This function sets the signature algorithms for use by a specified TLS object.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of\r
+ pairs of the hash algorithm and the signature algorithm as defined\r
+ in RFC 5246\r
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.\r
+\r
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList\r
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST)(\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Set the EC curve to be used for TLS flows\r
+\r
+ This function sets the EC curve to be used for TLS flows.\r
+\r
+ @param[in] Tls Pointer to a TLS object.\r
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.\r
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)\r
+\r
+ @retval EFI_SUCCESS The EC curve was set successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.\r
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EDKII_CRYPTO_TLS_SET_EC_CURVE)(\r
+ IN VOID *Tls,\r
+ IN UINT8 *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Derive keying material from a TLS connection.\r
+\r
+ This function exports keying material using the mechanism described in RFC\r
+ 5705.\r
+\r
+ @param[in] Tls Pointer to the TLS object\r
+ @param[in] Label Description of the key for the PRF function\r
+ @param[in] Context Optional context\r
+ @param[in] ContextLen The length of the context value in bytes\r
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF\r
+ @param[in] KeyBufferLen The length of the KeyBuffer\r
+\r
+ @retval EFI_SUCCESS The operation succeeded.\r
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.\r
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EDKII_CRYPTO_TLS_GET_EXPORT_KEY)(\r
+ IN VOID *Tls,\r
+ IN CONST VOID *Label,\r
+ IN CONST VOID *Context,\r
+ IN UINTN ContextLen,\r
+ OUT VOID *KeyBuffer,\r
+ IN UINTN KeyBufferLen\r
+ );\r
+\r
/**\r
Gets the CA-supplied certificate revocation list data set in the specified\r
TLS object.\r
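Review bot: Within this hunk the new input pointers are qualified inconsistently: EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST and EDKII_CRYPTO_TLS_SET_EC_CURVE take `IN UINT8 *Data` while EDKII_CRYPTO_TLS_GET_EXPORT_KEY takes `IN CONST VOID *Label` and `IN CONST VOID *Context`; both Set functions document Data as read-only input, so `IN CONST UINT8 *Data` would match and let callers pass a static algorithm table without a cast. This is the protocol header, so the implementations added in this change would need the same qualifier. The SetEcCurve doc `DataSize  Size of Data, it should be sizeof (UINT32)` also reads as advisory; if the provider rejects other sizes with EFI_INVALID_PARAMETER, as the retval list implies, say `must be` rather than `should be`.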
EDKII_CRYPTO_EC_GENERATE_KEY EcGenerateKey;\r
EDKII_CRYPTO_EC_GET_PUB_KEY EcGetPubKey;\r
EDKII_CRYPTO_EC_DH_COMPUTE_KEY EcDhComputeKey;\r
+ /// TLS (continued)\r
+ EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown;\r
+ /// TLS Set (continued)\r
+ EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX TlsSetHostPrivateKeyEx;\r
+ EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST TlsSetSignatureAlgoList;\r
+ EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve;\r
+ /// TLS Get (continued)\r
+ EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey;\r
};\r
\r
extern GUID gEdkiiCryptoProtocolGuid;\r