From: "yi1 li" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Xiaoyu Lu <xiaoyu1.lu@intel.com>,
Guomin Jiang <guomin.jiang@intel.com>
Subject: [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API
Date: Sun, 22 May 2022 09:54:16 +0800 [thread overview]
Message-ID: <3d961655b3c010ddd0ca2ecbc6879eca21315d76.1653183737.git.yi1.li@intel.com> (raw)
In-Reply-To: <cover.1653183737.git.yi1.li@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
1. TlsSetSignatureAlgoList: Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.
2. TlsSetEcCurve: Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Driver/Crypto.c | 29 ++
CryptoPkg/Include/Library/TlsLib.h | 41 +++
.../Pcd/PcdCryptoServiceFamilyEnable.h | 1 +
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 +
CryptoPkg/Library/TlsLib/TlsConfig.c | 295 ++++++++++++++++--
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 30 ++
CryptoPkg/Private/Protocol/Crypto.h | 28 ++
8 files changed, 438 insertions(+), 23 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 76cb9f4da0a4..6c05c1a69447 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4155,6 +4155,34 @@ CryptoServiceTlsSetCertRevocationList (
return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ return CALL_BASECRYPTLIB (TlsSet.Services.Configuration, TlsSetConfiguration, (Tls, Type, Data, DataSize), EFI_UNSUPPORTED);
+}
+
/**
Gets the protocol version used by the specified TLS connection.
@@ -4769,6 +4797,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceTlsSetHostPublicCert,
CryptoServiceTlsSetHostPrivateKey,
CryptoServiceTlsSetCertRevocationList,
+ CryptoServiceTlsSetConfiguration,
/// TLS Get
CryptoServiceTlsGetVersion,
CryptoServiceTlsGetConnectionEnd,
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aaba..24c1c1ed6477 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -9,6 +9,22 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef __TLS_LIB_H__
#define __TLS_LIB_H__
+///
+/// EFI_TLS_CONFIG_TYPE
+///
+typedef enum {
+ ///
+ /// Configure the allowed signature algorithms for the TLS context
+ ///
+ EfiTlsConfigSignatureAlgo,
+ ///
+ /// Configure the allowed elliptic curve for the TLS context
+ ///
+ EfiTlsConfigEcCurve,
+
+ EfiTlsConfigMaximum
+} EFI_TLS_CONFIG_TYPE;
+
/**
Initializes the OpenSSL library.
@@ -534,6 +550,31 @@ TlsSetCertRevocationList (
IN UINTN DataSize
);
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ );
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 3d53c2f105e1..6f5cde161006 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -267,6 +267,7 @@ typedef struct {
UINT8 HostPublicCert : 1;
UINT8 HostPrivateKey : 1;
UINT8 CertRevocationList : 1;
+ UINT8 Configuration : 1;
} Services;
UINT32 Family;
} TlsSet;
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 8ee1b53cf957..757b8e40e442 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -3298,6 +3298,38 @@ TlsSetCertRevocationList (
CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ CALL_CRYPTO_SERVICE (
+ TlsSetConfiguration,
+ (Tls, Type, Data, DataSize),
+ EFI_UNSUPPORTED
+ );
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index cf5ffe1b7343..32878484d06c 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -17,6 +17,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/SafeIntLib.h>
+#include <Library/TlsLib.h>
+#include <Protocol/Tls.h>
+#include <IndustryStandard/Tls1.h>
+#include <Library/PcdLib.h>
+#include <openssl/obj_mac.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 0673c9d5322e..5c32f1c3329f 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -39,29 +39,61 @@ typedef struct {
// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
//
STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
- MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
- MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
- MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5
- MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA
- MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
- MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
- MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
- MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
- MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA
- MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
- MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
- MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256
- MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256
- MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
- MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
- MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
- MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
+ MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
+ MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5
+ MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA
+ MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
+ MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
+ MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
+ MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
+ MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
+ MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256
+ MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
+ MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
+ MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ MAP (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), /// TLS_ECDHE_ECDSA_AES128_GCM_SHA256
+ MAP (0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"), /// TLS_ECDHE_ECDSA_AES256_GCM_SHA384
+ MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+};
+
+typedef struct {
+ //
+ // TLS Algorithm
+ //
+ UINT8 Algo;
+ //
+ // TLS Algorithm name
+ //
+ CONST CHAR8 *Name;
+} TLS_ALGO_TO_NAME;
+
+STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = {
+ { TlsHashAlgoNone, NULL },
+ { TlsHashAlgoMd5, "MD5" },
+ { TlsHashAlgoSha1, "SHA1" },
+ { TlsHashAlgoSha224, "SHA224" },
+ { TlsHashAlgoSha256, "SHA256" },
+ { TlsHashAlgoSha384, "SHA384" },
+ { TlsHashAlgoSha512, "SHA512" },
+};
+
+STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = {
+ { TlsSignatureAlgoAnonymous, NULL },
+ { TlsSignatureAlgoRsa, "RSA" },
+ { TlsSignatureAlgoDsa, "DSA" },
+ { TlsSignatureAlgoEcdsa, "ECDSA" },
};
/**
@@ -879,6 +911,223 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
+/**
+ Set the signature algorithm list to used by the TLS object.
+
+ This function sets the signature algorithms for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of
+ pairs of the hash algorithm and the signature algorithm as defined
+ in RFC 5246
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
+
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+ IN VOID *Tls,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN Index;
+ UINTN SignAlgoStrSize;
+ CHAR8 *SignAlgoStr;
+ CHAR8 *Pos;
+ UINT8 *SignatureAlgoList;
+ EFI_STATUS Status;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||
+ ((DataSize % 2) == 0) || (Data[0] != DataSize - 1))
+ {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ SignatureAlgoList = Data + 1;
+ SignAlgoStrSize = 0;
+ for (Index = 0; Index < Data[0]; Index += 2) {
+ CONST CHAR8 *Tmp;
+
+ if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+ if (!Tmp) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Add 1 for the '+'
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+
+ if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+ if (!Tmp) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Add 1 for the ':' or for the NULL terminator
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+ }
+
+ if (!SignAlgoStrSize) {
+ return EFI_UNSUPPORTED;
+ }
+
+ SignAlgoStr = AllocatePool (SignAlgoStrSize);
+ if (SignAlgoStr == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Pos = SignAlgoStr;
+ for (Index = 0; Index < Data[0]; Index += 2) {
+ CONST CHAR8 *Tmp;
+
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+ Pos += AsciiStrLen (Tmp);
+ *Pos++ = '+';
+
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+ Pos += AsciiStrLen (Tmp);
+ *Pos++ = ':';
+ }
+
+ *(Pos - 1) = '\0';
+
+ if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {
+ Status = EFI_INVALID_PARAMETER;
+ } else {
+ Status = EFI_SUCCESS;
+ }
+
+ FreePool (SignAlgoStr);
+ return Status;
+}
+
+/**
+ Set the EC curve to be used for TLS flows
+
+ This function sets the EC curve to be used for TLS flows.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)
+
+ @retval EFI_SUCCESS The EC curve was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+ IN VOID *Tls,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ #if !FixedPcdGetBool (PcdOpensslEcEnabled)
+ return EFI_UNSUPPORTED;
+ #else
+ TLS_CONNECTION *TlsConn;
+ EC_KEY *Ecdh;
+ INT32 Nid, Ret;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ switch (*((UINT32 *)Data)) {
+ case TlsEcNamedCurveSecp256r1:
+ return EFI_UNSUPPORTED;
+ case TlsEcNamedCurveSecp384r1:
+ Nid = NID_secp384r1;
+ break;
+ case TlsEcNamedCurveSecp521r1:
+ Nid = NID_secp521r1;
+ break;
+ case TlsEcNamedCurveX25519:
+ Nid = NID_X25519;
+ break;
+ case TlsEcNamedCurveX448:
+ Nid = NID_X448;
+ break;
+ default:
+ return EFI_UNSUPPORTED;
+ }
+
+ if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Ecdh = EC_KEY_new_by_curve_name (Nid);
+ if (!Ecdh) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, Ecdh);
+ EC_KEY_free (Ecdh);
+
+ if (Ret != 1) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ return EFI_SUCCESS;
+ #endif
+}
+
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ switch (Type) {
+ case EfiTlsConfigSignatureAlgo:
+ return TlsSetSignatureAlgoList (Tls, Data, DataSize);
+ case EfiTlsConfigEcCurve:
+ return TlsSetEcCurve (Tls, Data, DataSize);
+ default:
+ return EFI_UNSUPPORTED;
+ }
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 03726fd7264c..22d258c7f18f 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalTlsLib.h"
+#include <Library/TlsLib.h>
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -292,6 +293,35 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index c417568e9600..8de05a99bdcc 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -13,6 +13,7 @@
#include <Base.h>
#include <Library/BaseCryptLib.h>
#include <Library/PcdLib.h>
+#include <Library/TlsLib.h>
///
/// The version of the EDK II Crypto Protocol.
@@ -3361,6 +3362,32 @@ EFI_STATUS
IN OUT UINTN *DataSize
);
+/**
+ Set the signature algorithm list to used by the TLS object.
+
+ This function sets the signature algorithms for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] SignatureAlgoList Array of UINT8 of signature algorithms. The array consists of
+ pairs of the hash algorithm and the signature algorithm as defined
+ in RFC 5246
+ @param[in] SignatureAlgoNum The length the SignatureAlgoList. Must be divisible by 2.
+
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_SET_CONFIGURATION)(
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ );
+
/**
Gets the CA-supplied certificate revocation list data set in the specified
TLS object.
@@ -3656,6 +3683,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_TLS_SET_HOST_PUBLIC_CERT TlsSetHostPublicCert;
EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY TlsSetHostPrivateKey;
EDKII_CRYPTO_TLS_SET_CERT_REVOCATION_LIST TlsSetCertRevocationList;
+ EDKII_CRYPTO_TLS_SET_CONFIGURATION TlsSetConfiguration;
/// TLS Get
EDKII_CRYPTO_TLS_GET_VERSION TlsGetVersion;
EDKII_CRYPTO_TLS_GET_CONNECTION_END TlsGetConnectionEnd;
--
2.31.1.windows.1
next prev parent reply other threads:[~2022-05-22 1:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
2022-05-22 1:54 ` [PATCH 1/5] MdePkg: Add Tls configuration related define yi1 li
2022-05-22 1:54 ` yi1 li [this message]
2022-05-22 1:54 ` [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib yi1 li
2022-05-22 1:54 ` [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey() yi1 li
2022-05-22 1:54 ` [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API yi1 li
2022-05-23 14:50 ` [edk2-devel] [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 Maciej Rabeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3d961655b3c010ddd0ca2ecbc6879eca21315d76.1653183737.git.yi1.li@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox