From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Ye, Ting" <ting.ye@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Long, Qin" <qin.long@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Zhang, Lubo" <lubo.zhang@intel.com>,
Thomas Palmer <thomas.palmer@hpe.com>
Subject: Re: [Patch 04/10] CryptoPkg: Add new TlsLib library
Date: Fri, 16 Dec 2016 02:51:20 +0000 [thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B72741627F978@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <BC0C045B0E2A584CA4575E779FA2C12A1A88F3A7@SHSMSX103.ccr.corp.intel.com>
> Some comments included as following:
>
> 1. In TlsGetHostPublicCert, line 1892:
> The status is set to EFI_NOT_FOUND but not returned. Does it make
> sense to update *DataSize in that case?
You are right, EFI_NOT_FOUND should be returned directly.
> 2. TlsDoHandshake uses EFI_PROTOCOL_ERROR but not record in function
> header.
> 3. TlsGetCurrentCompressionId uses EFI_UNSUPPROTED but not record in
> function header.
> 4. Typo in TlsHandeAlert, should be TlsHandleAlert? Please also update the
> function description.
It's the typo. Thanks for the correction.
>
> Others look good to me.
>
> Reviewed-by: Ye Ting <ting.ye@intel.com>
Thanks Ting, I will correct it before commit the patch.
>
> Thanks,
> Ting
>
>
> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Wednesday, December 14, 2016 3:34 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Long, Qin <qin.long@intel.com>; Fu, Siyuan
> <siyuan.fu@intel.com>; Zhang, Lubo <lubo.zhang@intel.com>; Thomas
> Palmer <thomas.palmer@hpe.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [Patch 04/10] CryptoPkg: Add new TlsLib library
>
> This patch is used to add new TlsLib library, which is wrapped
> over OpenSSL. The implementation provides TLS library functions
> for EFI TLS protocol and EFI TLS Configuration Protocol.
>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Zhang Lubo <lubo.zhang@intel.com>
> Cc: Thomas Palmer <thomas.palmer@hpe.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
> CryptoPkg/CryptoPkg.dec | 4 +
> CryptoPkg/CryptoPkg.dsc | 1 +
> CryptoPkg/Include/Library/TlsLib.h | 785 +++++++++++++++++++++
> CryptoPkg/Library/TlsLib/InternalTlsLib.h | 35 +
> CryptoPkg/Library/TlsLib/TlsConfig.c | 1055
> +++++++++++++++++++++++++++++
> CryptoPkg/Library/TlsLib/TlsInit.c | 291 ++++++++
> CryptoPkg/Library/TlsLib/TlsLib.inf | 49 ++
> CryptoPkg/Library/TlsLib/TlsLib.uni | 19 +
> CryptoPkg/Library/TlsLib/TlsProcess.c | 461 +++++++++++++
> 9 files changed, 2700 insertions(+)
> create mode 100644 CryptoPkg/Include/Library/TlsLib.h
> create mode 100644 CryptoPkg/Library/TlsLib/InternalTlsLib.h
> create mode 100644 CryptoPkg/Library/TlsLib/TlsConfig.c
> create mode 100644 CryptoPkg/Library/TlsLib/TlsInit.c
> create mode 100644 CryptoPkg/Library/TlsLib/TlsLib.inf
> create mode 100644 CryptoPkg/Library/TlsLib/TlsLib.uni
> create mode 100644 CryptoPkg/Library/TlsLib/TlsProcess.c
>
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index 80579b7..eee26cb 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -29,10 +29,14 @@
> [LibraryClasses]
> ## @libraryclass Provides basic library functions for cryptographic
> primitives.
> ##
> BaseCryptLib|Include/Library/BaseCryptLib.h
>
> + ## @libraryclass Provides TLS library functions for EFI TLS protocol.
> + ##
> + TlsLib|Include/Library/TlsLib.h
> +
> [Protocols]
> ## Include/Protocol/RuntimeCrypt.h
> gEfiRuntimeCryptProtocolGuid = { 0xe1475e0c, 0x1746, 0x4802, {0x86, 0x2e,
> 0x1, 0x1c, 0x2c, 0x2d, 0x9d, 0x86 }}
>
> [UserExtensions.TianoCore."ExtraFiles"]
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 3c3e444..468e60b 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -121,10 +121,11 @@
>
> ##########################################################
> #########################################
> [Components]
> CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> + CryptoPkg/Library/TlsLib/TlsLib.inf
>
> CryptoPkg/Application/Cryptest/Cryptest.inf
>
> CryptoPkg/CryptRuntimeDxe/CryptRuntimeDxe.inf
>
> diff --git a/CryptoPkg/Include/Library/TlsLib.h
> b/CryptoPkg/Include/Library/TlsLib.h
> new file mode 100644
> index 0000000..38b861e
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/TlsLib.h
> @@ -0,0 +1,785 @@
> +/** @file
> + Defines TLS Library APIs.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#ifndef __TLS_LIB_H__
> +#define __TLS_LIB_H__
> +
> +/**
> + Initializes the OpenSSL library.
> +
> + This function registers ciphers and digests used directly and indirectly
> + by SSL/TLS, and initializes the readable error messages.
> + This function must be called before any other action takes places.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsInitialize (
> + VOID
> + );
> +
> +/**
> + Free an allocated SSL_CTX object.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsCtxFree (
> + IN VOID *TlsCtx
> + );
> +
> +/**
> + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> + connections.
> +
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @return Pointer to an allocated SSL_CTX object.
> + If the creation failed, TlsCtxNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsCtxNew (
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + );
> +
> +/**
> + Free an allocated TLS object.
> +
> + This function removes the TLS object pointed to by Tls and frees up the
> + allocated memory. If Tls is NULL, nothing is done.
> +
> + @param[in] Tls Pointer to the TLS object to be freed.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsFree (
> + IN VOID *Tls
> + );
> +
> +/**
> + Create a new TLS object for a connection.
> +
> + This function creates a new TLS object for a connection. The new object
> + inherits the setting of the underlying context TlsCtx: connection method,
> + options, verification setting.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object.
> +
> + @return Pointer to an allocated SSL object.
> + If the creation failed, TlsNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsNew (
> + IN VOID *TlsCtx
> + );
> +
> +/**
> + Checks if the TLS handshake was done.
> +
> + This function will check if the specified TLS handshake was done.
> +
> + @param[in] Tls Pointer to the TLS object for handshake state checking.
> +
> + @retval TRUE The TLS handshake was done.
> + @retval FALSE The TLS handshake was not done.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +TlsInHandshake (
> + IN VOID *Tls
> + );
> +
> +/**
> + Perform a TLS/SSL handshake.
> +
> + This function will perform a TLS/SSL handshake.
> +
> + @param[in] Tls Pointer to the TLS object for handshake operation.
> + @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Handshake packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsDoHandshake (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + );
> +
> +/**
> + Hande Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> + TLS session has errors and the response packet needs to be Alert message
> based on error type.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Alert packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_ABORTED An error occurred.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsHandeAlert (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + );
> +
> +/**
> + Build the CloseNotify packet.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferSize is NULL.
> + Buffer is NULL if *BufferSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsCloseNotify (
> + IN VOID *Tls,
> + IN OUT UINT8 *Buffer,
> + IN OUT UINTN *BufferSize
> + );
> +
> +/**
> + Attempts to read bytes from one TLS object and places the data in Buffer.
> +
> + This function will attempt to read BufferSize bytes from the TLS object
> + and places the data in Buffer.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] Buffer Pointer to the buffer to store the data.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully read from the TLS object.
> + @retval <=0 No data was successfully read.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficOut (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to write data from the buffer to TLS object.
> +
> + This function will attempt to write BufferSize bytes data from the Buffer
> + to the TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully written to the TLS object.
> + @retval <=0 No data was successfully written.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficIn (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to read bytes from the specified TLS connection into the buffer.
> +
> + This function tries to read BufferSize bytes data from the specified TLS
> + connection into the Buffer.
> +
> + @param[in] Tls Pointer to the TLS connection for data reading.
> + @param[in,out] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The read operation was successful, and return value is the
> + number of bytes actually read from the TLS connection.
> + @retval <=0 The read operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsRead (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to write data to a TLS connection.
> +
> + This function tries to write BufferSize bytes data from the Buffer into the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS connection for data writing.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The write operation was successful, and return value is the
> + number of bytes actually written to the TLS connection.
> + @retval <=0 The write operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsWrite (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Set a new TLS/SSL method for a particular TLS object.
> +
> + This function sets a new TLS/SSL method for a particular TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetVersion (
> + IN VOID *Tls,
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + );
> +
> +/**
> + Set TLS object to work in client or server mode.
> +
> + This function prepares a TLS object to work in client or server mode.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] IsServer Work in server mode.
> +
> + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetConnectionEnd (
> + IN VOID *Tls,
> + IN BOOLEAN IsServer
> + );
> +
> +/**
> + Set the ciphers list to be used by the TLS object.
> +
> + This function sets the ciphers for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] CipherId Pointer to a string that contains one or more
> + ciphers separated by a colon.
> + @param[in] CipherNum The number of cipher in the list.
> +
> + @retval EFI_SUCCESS The ciphers list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCipherList (
> + IN VOID *Tls,
> + IN UINT16 *CipherId,
> + IN UINTN CipherNum
> + );
> +
> +/**
> + Set the compression method for TLS/SSL operations.
> +
> + This function handles TLS/SSL integrated compression methods.
> +
> + @param[in] CompMethod The compression method ID.
> +
> + @retval EFI_SUCCESS The compression method for the communication
> was
> + set successfully.
> + @retval EFI_UNSUPPORTED Unsupported compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCompressionMethod (
> + IN UINT8 CompMethod
> + );
> +
> +/**
> + Set peer certificate verification mode for the TLS connection.
> +
> + This function sets the verification mode flags for the TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] VerifyMode A set of logically or'ed verification mode flags.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsSetVerify (
> + IN VOID *Tls,
> + IN UINT32 VerifyMode
> + );
> +
> +/**
> + Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> +
> + This function sets a session ID to be used when the TLS/SSL connection is
> + to be established.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] SessionId Session ID data used for session resumption.
> + @param[in] SessionIdLen Length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS Session ID was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED No available session for ID setting.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetSessionId (
> + IN VOID *Tls,
> + IN UINT8 *SessionId,
> + IN UINT16 SessionIdLen
> + );
> +
> +/**
> + Adds the CA to the cert store when requesting Server or Client
> authentication.
> +
> + This function adds the CA certificate to the list of CAs when requesting
> + Server or Client authentication for the chosen TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCaCertificate (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Loads the local public certificate into the specified TLS object.
> +
> + This function loads the X.509 certificate into the specified TLS object
> + for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPublicCert (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPrivateKey (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Adds the CA-supplied certificate revocation list for certificate validation.
> +
> + This function adds the CA-supplied certificate revocation list data for
> + certificate validity checking.
> +
> + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid CRL data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCertRevocationList (
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Gets the protocol version used by the specified TLS connection.
> +
> + This function returns the protocol version used by the specified TLS
> + connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The protocol version of the specified TLS connection.
> +
> +**/
> +UINT16
> +EFIAPI
> +TlsGetVersion (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the connection end of the specified TLS connection.
> +
> + This function returns the connection end (as client or as server) used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The connection end used by the specified TLS connection.
> +
> +**/
> +UINT8
> +EFIAPI
> +TlsGetConnectionEnd (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the cipher suite used by the specified TLS connection.
> +
> + This function returns current cipher suite used by the specified
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CipherId The cipher suite used by the TLS object.
> +
> + @retval EFI_SUCCESS The cipher suite was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported cipher suite.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCipher (
> + IN VOID *Tls,
> + IN OUT UINT16 *CipherId
> + );
> +
> +/**
> + Gets the compression methods used by the specified TLS connection.
> +
> + This function returns current integrated compression methods used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CompressionId The current compression method used
> by
> + the TLS object.
> +
> + @retval EFI_SUCCESS The compression method was returned
> successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_ABORTED Invalid Compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCompressionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *CompressionId
> + );
> +
> +/**
> + Gets the verification mode currently set in the TLS connection.
> +
> + This function returns the peer verification mode currently set in the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The verification mode set in the specified TLS connection.
> +
> +**/
> +UINT32
> +EFIAPI
> +TlsGetVerify (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the session ID used by the specified TLS connection.
> +
> + This function returns the TLS/SSL session ID currently used by the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] SessionId Buffer to contain the returned session ID.
> + @param[in,out] SessionIdLen The length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS The Session ID was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetSessionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *SessionId,
> + IN OUT UINT16 *SessionIdLen
> + );
> +
> +/**
> + Gets the client random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL client random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ClientRandom Buffer to contain the returned client
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetClientRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ClientRandom
> + );
> +
> +/**
> + Gets the server random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL server random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ServerRandom Buffer to contain the returned server
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetServerRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ServerRandom
> + );
> +
> +/**
> + Gets the master key data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL master key material currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] KeyMaterial Buffer to contain the returned key material.
> +
> + @retval EFI_SUCCESS Key material was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetKeyMaterial (
> + IN VOID *Tls,
> + IN OUT UINT8 *KeyMaterial
> + );
> +
> +/**
> + Gets the CA Certificate from the cert store.
> +
> + This function returns the CA certificate for the chosen
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the CA
> + certificate data sent to the client.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCaCertificate (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the local public Certificate set in the specified TLS object.
> +
> + This function returns the local public certificate which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + public certificate.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_NOT_FOUND The certificate is not found.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPublicCert (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the local private key set in the specified TLS object.
> +
> + This function returns the local private key data which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + private key data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPrivateKey (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the CA-supplied certificate revocation list data set in the specified
> + TLS object.
> +
> + This function returns the CA-supplied certificate revocation list data which
> + was currently set in the specified TLS object.
> +
> + @param[out] Data Pointer to the data buffer to receive the CRL data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCertRevocationList (
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +#endif // __TLS_LIB_H__
> diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> new file mode 100644
> index 0000000..2438de9
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> @@ -0,0 +1,35 @@
> +/** @file
> + Internal include file for TlsLib.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include <Library/BaseCryptLib.h>
> +#include <openssl/ssl.h>
> +#include <openssl/bio.h>
> +#include <openssl/err.h>
> +
> +typedef struct {
> + //
> + // Main SSL Connection which is created by a server or a client
> + // per established connection.
> + //
> + SSL *Ssl;
> + //
> + // Memory BIO for the TLS/SSL Reading operations.
> + //
> + BIO *InBio;
> + //
> + // Memory BIO for the TLS/SSL Writing operations.
> + //
> + BIO *OutBio;
> +} TLS_CONNECTION;
> +
> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c
> b/CryptoPkg/Library/TlsLib/TlsConfig.c
> new file mode 100644
> index 0000000..31220b3
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
> @@ -0,0 +1,1055 @@
> +/** @file
> + SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +typedef struct {
> + //
> + // IANA/IETF defined Cipher Suite ID
> + //
> + UINT16 IanaCipher;
> + //
> + // OpenSSL-used Cipher Suite String
> + //
> + CONST CHAR8 *OpensslCipher;
> +} TLS_CIPHER_PAIR;
> +
> +//
> +// The mapping table between IANA/IETF Cipher Suite definitions and
> +// OpenSSL-used Cipher Suite name.
> +//
> +STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
> + { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
> + { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
> + { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
> + { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
> + { 0x000A, "DES-CBC3-SHA" }, ///
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
> + { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, ///
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> + { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA,
> mandatory TLS 1.2
> + { 0x0030, "DH-DSS-AES128-SHA" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA
> + { 0x0031, "DH-RSA-AES128-SHA" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA
> + { 0x0033, "DHE-RSA-AES128-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> + { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
> + { 0x0036, "DH-DSS-AES256-SHA" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA
> + { 0x0037, "DH-RSA-AES256-SHA" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA
> + { 0x0039, "DHE-RSA-AES256-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> + { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
> + { 0x003C, "AES128-SHA256" }, ///
> TLS_RSA_WITH_AES_128_CBC_SHA256
> + { 0x003D, "AES256-SHA256" }, ///
> TLS_RSA_WITH_AES_256_CBC_SHA256
> + { 0x003E, "DH-DSS-AES128-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA256
> + { 0x003F, "DH-RSA-AES128-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA256
> + { 0x0067, "DHE-RSA-AES128-SHA256" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> + { 0x0068, "DH-DSS-AES256-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA256
> + { 0x0069, "DH-RSA-AES256-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
> + { 0x006B, "DHE-RSA-AES256-SHA256" } ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> +};
> +
> +/**
> + Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
> +
> + @param[in] CipherId The supplied IANA TLS cipher suite ID.
> +
> + @return The corresponding OpenSSL cipher suite string if found,
> + NULL otherwise.
> +
> +**/
> +STATIC
> +CONST CHAR8 *
> +TlsGetCipherString (
> + IN UINT16 CipherId
> + )
> +{
> + CONST TLS_CIPHER_PAIR *CipherEntry;
> + UINTN TableSize;
> + UINTN Index;
> +
> + CipherEntry = TlsCipherMappingTable;
> + TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
> +
> + //
> + // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
> + //
> + for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
> + //
> + // Translate IANA cipher suite name to OpenSSL name.
> + //
> + if (CipherEntry->IanaCipher == CipherId) {
> + return CipherEntry->OpensslCipher;
> + }
> + }
> +
> + //
> + // No Cipher Mapping found, return NULL.
> + //
> + return NULL;
> +}
> +
> +/**
> + Set a new TLS/SSL method for a particular TLS object.
> +
> + This function sets a new TLS/SSL method for a particular TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetVersion (
> + IN VOID *Tls,
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINT16 ProtoVersion;
> +
> + TlsConn = (TLS_CONNECTION *)Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + ProtoVersion = (MajorVer << 8) | MinorVer;
> +
> + switch (ProtoVersion) {
> + case TLS1_VERSION:
> + //
> + // TLS 1.0
> + //
> + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
> + break;
> + case TLS1_1_VERSION:
> + //
> + // TLS 1.1
> + //
> + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
> + break;
> + case TLS1_2_VERSION:
> + //
> + // TLS 1.2
> + //
> + SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
> + break;
> + default:
> + //
> + // Unsupported Protocol Version
> + //
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;;
> +}
> +
> +/**
> + Set TLS object to work in client or server mode.
> +
> + This function prepares a TLS object to work in client or server mode.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] IsServer Work in server mode.
> +
> + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetConnectionEnd (
> + IN VOID *Tls,
> + IN BOOLEAN IsServer
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + if (!IsServer) {
> + //
> + // Set TLS to work in Client mode.
> + //
> + SSL_set_connect_state (TlsConn->Ssl);
> + } else {
> + //
> + // Set TLS to work in Server mode.
> + // It is unsupported for UEFI version currently.
> + //
> + //SSL_set_accept_state (TlsConn->Ssl);
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set the ciphers list to be used by the TLS object.
> +
> + This function sets the ciphers for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] CipherId Pointer to a UINT16 cipher Id.
> + @param[in] CipherNum The number of cipher in the list.
> +
> + @retval EFI_SUCCESS The ciphers list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCipherList (
> + IN VOID *Tls,
> + IN UINT16 *CipherId,
> + IN UINTN CipherNum
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN Index;
> + CONST CHAR8 *MappingName;
> + CHAR8 CipherString[500];
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + MappingName = NULL;
> +
> + memset (CipherString, 0, sizeof (CipherString));
> +
> + for (Index = 0; Index < CipherNum; Index++) {
> + //
> + // Handling OpenSSL / RFC Cipher name mapping.
> + //
> + MappingName = TlsGetCipherString (*(CipherId + Index));
> + if (MappingName == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (Index != 0) {
> + //
> + // The ciphers were separated by a colon.
> + //
> + AsciiStrCatS (CipherString, sizeof (CipherString), ":");
> + }
> +
> + AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
> + }
> +
> + AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
> +
> + //
> + // Sets the ciphers for use by the Tls object.
> + //
> + if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set the compression method for TLS/SSL operations.
> +
> + This function handles TLS/SSL integrated compression methods.
> +
> + @param[in] CompMethod The compression method ID.
> +
> + @retval EFI_SUCCESS The compression method for the communication
> was
> + set successfully.
> + @retval EFI_UNSUPPORTED Unsupported compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCompressionMethod (
> + IN UINT8 CompMethod
> + )
> +{
> + COMP_METHOD *Cm;
> + INTN Ret;
> +
> + Cm = NULL;
> + Ret = 0;
> +
> + if (CompMethod == 0) {
> + //
> + // TLS defines one standard compression method,
> CompressionMethod.null (0),
> + // which specifies that data exchanged via the record protocol will not be
> compressed.
> + // So, return EFI_SUCCESS directly (RFC 3749).
> + //
> + return EFI_SUCCESS;
> + } else if (CompMethod == 1) {
> + Cm = COMP_zlib();
> + } else {
> + return EFI_UNSUPPORTED;
> + }
> +
> + //
> + // Adds the compression method to the list of available
> + // compression methods.
> + //
> + Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
> + if (Ret != 0) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set peer certificate verification mode for the TLS connection.
> +
> + This function sets the verification mode flags for the TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] VerifyMode A set of logically or'ed verification mode flags.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsSetVerify (
> + IN VOID *Tls,
> + IN UINT32 VerifyMode
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return;
> + }
> +
> + //
> + // Set peer certificate verification parameters with NULL callback.
> + //
> + SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
> +}
> +
> +/**
> + Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> +
> + This function sets a session ID to be used when the TLS/SSL connection is
> + to be established.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] SessionId Session ID data used for session resumption.
> + @param[in] SessionIdLen Length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS Session ID was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED No available session for ID setting.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetSessionId (
> + IN VOID *Tls,
> + IN UINT8 *SessionId,
> + IN UINT16 SessionIdLen
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + Session->session_id_length = SessionIdLen;
> + CopyMem (Session->session_id, SessionId, Session->session_id_length);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Adds the CA to the cert store when requesting Server or Client
> authentication.
> +
> + This function adds the CA certificate to the list of CAs when requesting
> + Server or Client authentication for the chosen TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCaCertificate (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + BIO *BioCert;
> + X509 *Cert;
> + X509_STORE *X509Store;
> + EFI_STATUS Status;
> + TLS_CONNECTION *TlsConn;
> + SSL_CTX *SslCtx;
> + INTN Ret;
> + unsigned long ErrorCode;
> +
> + BioCert = NULL;
> + Cert = NULL;
> + X509Store = NULL;
> + Status = EFI_SUCCESS;
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Ret = 0;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> + // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> + //
> + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> + if (Cert == NULL) {
> + //
> + // Certificate is from PEM encoding.
> + //
> + BioCert = BIO_new (BIO_s_mem ());
> + if (BioCert == NULL) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_EXIT;
> + }
> +
> + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> + if (Cert == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> + X509Store = SSL_CTX_get_cert_store (SslCtx);
> + if (X509Store == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + //
> + // Add certificate to X509 store
> + //
> + Ret = X509_STORE_add_cert (X509Store, Cert);
> + if (Ret != 1) {
> + ErrorCode = ERR_peek_last_error ();
> + //
> + // Ignore "already in table" errors
> + //
> + if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
> + ERR_GET_REASON (ErrorCode) ==
> X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> +ON_EXIT:
> + if (BioCert != NULL) {
> + BIO_free (BioCert);
> + }
> +
> + if (Cert != NULL) {
> + X509_free (Cert);
> + }
> +
> + return Status;
> +}
> +
> +/**
> + Loads the local public certificate into the specified TLS object.
> +
> + This function loads the X.509 certificate into the specified TLS object
> + for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPublicCert (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + BIO *BioCert;
> + X509 *Cert;
> + EFI_STATUS Status;
> + TLS_CONNECTION *TlsConn;
> +
> + BioCert = NULL;
> + Cert = NULL;
> + Status = EFI_SUCCESS;
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> + // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> + //
> + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> + if (Cert == NULL) {
> + //
> + // Certificate is from PEM encoding.
> + //
> + BioCert = BIO_new (BIO_s_mem ());
> + if (BioCert == NULL) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_EXIT;
> + }
> +
> + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> + if (Cert == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> + if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> +ON_EXIT:
> + if (BioCert != NULL) {
> + BIO_free (BioCert);
> + }
> +
> + if (Cert != NULL) {
> + X509_free (Cert);
> + }
> +
> + return Status;
> +}
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPrivateKey (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Adds the CA-supplied certificate revocation list for certificate validation.
> +
> + This function adds the CA-supplied certificate revocation list data for
> + certificate validity checking.
> +
> + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid CRL data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCertRevocationList (
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the protocol version used by the specified TLS connection.
> +
> + This function returns the protocol version used by the specified TLS
> + connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The protocol version of the specified TLS connection.
> +
> +**/
> +UINT16
> +EFIAPI
> +TlsGetVersion (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return (UINT16)(SSL_version (TlsConn->Ssl));
> +}
> +
> +/**
> + Gets the connection end of the specified TLS connection.
> +
> + This function returns the connection end (as client or as server) used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The connection end used by the specified TLS connection.
> +
> +**/
> +UINT8
> +EFIAPI
> +TlsGetConnectionEnd (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return (UINT8)SSL_is_server (TlsConn->Ssl);
> +}
> +
> +/**
> + Gets the cipher suite used by the specified TLS connection.
> +
> + This function returns current cipher suite used by the specified
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CipherId The cipher suite used by the TLS object.
> +
> + @retval EFI_SUCCESS The cipher suite was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported cipher suite.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCipher (
> + IN VOID *Tls,
> + IN OUT UINT16 *CipherId
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + CONST SSL_CIPHER *Cipher;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Cipher = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Cipher = SSL_get_current_cipher (TlsConn->Ssl);
> + if (Cipher == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the compression methods used by the specified TLS connection.
> +
> + This function returns current integrated compression methods used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CompressionId The current compression method used
> by
> + the TLS object.
> +
> + @retval EFI_SUCCESS The compression method was returned
> successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_ABORTED Invalid Compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCompressionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *CompressionId
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the verification mode currently set in the TLS connection.
> +
> + This function returns the peer verification mode currently set in the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The verification mode set in the specified TLS connection.
> +
> +**/
> +UINT32
> +EFIAPI
> +TlsGetVerify (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return SSL_get_verify_mode (TlsConn->Ssl);
> +}
> +
> +/**
> + Gets the session ID used by the specified TLS connection.
> +
> + This function returns the TLS/SSL session ID currently used by the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] SessionId Buffer to contain the returned session ID.
> + @param[in,out] SessionIdLen The length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS The Session ID was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetSessionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *SessionId,
> + IN OUT UINT16 *SessionIdLen
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> + CONST UINT8 *SslSessionId;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL ||
> SessionIdLen == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + SslSessionId = SSL_SESSION_get_id (Session, (unsigned int
> *)SessionIdLen);
> + CopyMem (SessionId, SslSessionId, *SessionIdLen);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the client random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL client random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ClientRandom Buffer to contain the returned client
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetClientRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ClientRandom
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
> + return;
> + }
> +
> + CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random,
> SSL3_RANDOM_SIZE);
> +}
> +
> +/**
> + Gets the server random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL server random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ServerRandom Buffer to contain the returned server
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetServerRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ServerRandom
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
> + return;
> + }
> +
> + CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random,
> SSL3_RANDOM_SIZE);
> +}
> +
> +/**
> + Gets the master key data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL master key material currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] KeyMaterial Buffer to contain the returned key material.
> +
> + @retval EFI_SUCCESS Key material was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetKeyMaterial (
> + IN VOID *Tls,
> + IN OUT UINT8 *KeyMaterial
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> +
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + CopyMem (KeyMaterial, Session->master_key, Session-
> >master_key_length);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the CA Certificate from the cert store.
> +
> + This function returns the CA certificate for the chosen
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the CA
> + certificate data sent to the client.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCaCertificate (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the local public Certificate set in the specified TLS object.
> +
> + This function returns the local public certificate which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + public certificate.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_NOT_FOUND The certificate is not found.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPublicCert (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + X509 *Cert;
> + EFI_STATUS Status;
> + TLS_CONNECTION *TlsConn;
> +
> + Cert = NULL;
> + Status = EFI_SUCCESS;
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Cert = SSL_get_certificate(TlsConn->Ssl);
> + if (Cert == NULL) {
> + Status = EFI_NOT_FOUND;
> + }
> +
> + //
> + // Only DER encoding is supported currently.
> + //
> + if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
> + *DataSize = (UINTN) i2d_X509 (Cert, NULL);
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
> +
> + return Status;
> +}
> +
> +/**
> + Gets the local private key set in the specified TLS object.
> +
> + This function returns the local private key data which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + private key data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPrivateKey (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the CA-supplied certificate revocation list data set in the specified
> + TLS object.
> +
> + This function returns the CA-supplied certificate revocation list data which
> + was currently set in the specified TLS object.
> +
> + @param[out] Data Pointer to the data buffer to receive the CRL data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCertRevocationList (
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c
> b/CryptoPkg/Library/TlsLib/TlsInit.c
> new file mode 100644
> index 0000000..6b1fd93
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/TlsInit.c
> @@ -0,0 +1,291 @@
> +/** @file
> + SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +/**
> + Initializes the OpenSSL library.
> +
> + This function registers ciphers and digests used directly and indirectly
> + by SSL/TLS, and initializes the readable error messages.
> + This function must be called before any other action takes places.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsInitialize (
> + VOID
> + )
> +{
> + //
> + // Performs initialization of crypto and ssl library, and loads required
> + // algorithms.
> + //
> + SSL_library_init ();
> +
> + //
> + // Loads error strings from both crypto and ssl library.
> + //
> + SSL_load_error_strings ();
> +
> + /// OpenSSL_add_all_algorithms();
> +
> + //
> + // Initialize the pseudorandom number generator.
> + //
> + RandomSeed (NULL, 0);
> +}
> +
> +/**
> + Free an allocated SSL_CTX object.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsCtxFree (
> + IN VOID *TlsCtx
> + )
> +{
> + if (TlsCtx == NULL) {
> + return;
> + }
> +
> + if (TlsCtx != NULL) {
> + SSL_CTX_free ((SSL_CTX *) (TlsCtx));
> + }
> +}
> +
> +/**
> + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> + connections.
> +
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @return Pointer to an allocated SSL_CTX object.
> + If the creation failed, TlsCtxNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsCtxNew (
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + )
> +{
> + SSL_CTX *TlsCtx;
> + UINT16 ProtoVersion;
> +
> + ProtoVersion = (MajorVer << 8) | MinorVer;
> +
> + TlsCtx = SSL_CTX_new (SSLv23_client_method ());
> + if (TlsCtx == NULL) {
> + return NULL;
> + }
> +
> + //
> + // Ensure SSLv3 is disabled
> + //
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
> +
> + //
> + // Treat as minimum accepted versions. Client can use higher
> + // TLS version if server supports it
> + //
> + switch (ProtoVersion) {
> + case TLS1_VERSION:
> + //
> + // TLS 1.0
> + //
> + break;
> + case TLS1_1_VERSION:
> + //
> + // TLS 1.1
> + //
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> + break;
> + case TLS1_2_VERSION:
> + //
> + // TLS 1.2
> + //
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
> + break;
> + default:
> + //
> + // Unsupported TLS/SSL Protocol Version.
> + //
> + break;
> + }
> +
> + return (VOID *) TlsCtx;
> +}
> +
> +/**
> + Free an allocated TLS object.
> +
> + This function removes the TLS object pointed to by Tls and frees up the
> + allocated memory. If Tls is NULL, nothing is done.
> +
> + @param[in] Tls Pointer to the TLS object to be freed.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsFree (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL) {
> + return;
> + }
> +
> + //
> + // Free the internal TLS and BIO objects.
> + //
> + if (TlsConn->Ssl != NULL) {
> + SSL_free (TlsConn->Ssl);
> + }
> +
> + if (TlsConn->InBio != NULL) {
> + BIO_free (TlsConn->InBio);
> + }
> +
> + if (TlsConn->OutBio != NULL) {
> + BIO_free (TlsConn->OutBio);
> + }
> +
> + OPENSSL_free (Tls);
> +}
> +
> +/**
> + Create a new TLS object for a connection.
> +
> + This function creates a new TLS object for a connection. The new object
> + inherits the setting of the underlying context TlsCtx: connection method,
> + options, verification setting.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object.
> +
> + @return Pointer to an allocated SSL object.
> + If the creation failed, TlsNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsNew (
> + IN VOID *TlsCtx
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_CTX *SslCtx;
> + X509_STORE *X509Store;
> +
> + TlsConn = NULL;
> +
> + //
> + // Allocate one new TLS_CONNECTION object
> + //
> + TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof
> (TLS_CONNECTION));
> + if (TlsConn == NULL) {
> + return NULL;
> + }
> +
> + TlsConn->Ssl = NULL;
> +
> + //
> + // Create a new SSL Object
> + //
> + TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
> + if (TlsConn->Ssl == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // Initialize the created SSL Object
> + //
> + SSL_set_info_callback (TlsConn->Ssl, NULL);
> +
> + TlsConn->InBio = NULL;
> +
> + //
> + // Set up Reading BIO for TLS connection
> + //
> + TlsConn->InBio = BIO_new (BIO_s_mem ());
> + if (TlsConn->InBio == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // Sets the behaviour of memory BIO when it is empty. It will set the
> + // read retry flag.
> + //
> + BIO_set_mem_eof_return (TlsConn->InBio, -1);
> +
> + TlsConn->OutBio = NULL;
> +
> + //
> + // Set up Writing BIO for TLS connection
> + //
> + TlsConn->OutBio = BIO_new (BIO_s_mem ());
> + if (TlsConn->OutBio == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // Sets the behaviour of memory BIO when it is empty. It will set the
> + // write retry flag.
> + //
> + BIO_set_mem_eof_return (TlsConn->OutBio, -1);
> +
> + ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn-
> >OutBio != NULL);
> +
> + //
> + // Connects the InBio and OutBio for the read and write operations.
> + //
> + SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
> +
> + //
> + // Create new X509 store if needed
> + //
> + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> + X509Store = SSL_CTX_get_cert_store (SslCtx);
> + if (X509Store == NULL) {
> + X509Store = X509_STORE_new ();
> + if (X509Store == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> + SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
> + X509_STORE_free (X509Store);
> + }
> +
> + //
> + // Set X509_STORE flags used in certificate validation
> + //
> + X509_STORE_set_flags (
> + X509Store,
> + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
> + );
> + return (VOID *) TlsConn;
> +}
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf
> b/CryptoPkg/Library/TlsLib/TlsLib.inf
> new file mode 100644
> index 0000000..2122b3b
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf
> @@ -0,0 +1,49 @@
> +## @file
> +# SSL/TLS Wrapper Library Instance based on OpenSSL.
> +#
> +# Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# This program and the accompanying materials
> +# are licensed and made available under the terms and conditions of the
> BSD License
> +# which accompanies this distribution. The full text of the license may be
> found at
> +# http://opensource.org/licenses/bsd-license.php
> +#
> +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = TlsLib
> + MODULE_UNI_FILE = TlsLib.uni
> + FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
> + MODULE_TYPE = DXE_DRIVER
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE
> UEFI_APPLICATION UEFI_DRIVER
> +
> +#
> +# The following information is for reference only and not required by the
> build tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
> +#
> +
> +[Sources]
> + InternalTlsLib.h
> + TlsInit.c
> + TlsConfig.c
> + TlsProcess.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + MemoryAllocationLib
> + UefiRuntimeServicesTableLib
> + DebugLib
> + OpensslLib
> + IntrinsicLib
> + PrintLib
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.uni
> b/CryptoPkg/Library/TlsLib/TlsLib.uni
> new file mode 100644
> index 0000000..9b79287
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.uni
> @@ -0,0 +1,19 @@
> +// /** @file
> +// SSL/TLS Wrapper Library Instance based on OpenSSL.
> +//
> +// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +//
> +// This program and the accompanying materials
> +// are licensed and made available under the terms and conditions of the
> BSD License
> +// which accompanies this distribution. The full text of the license may be
> found at
> +// http://opensource.org/licenses/bsd-license.php
> +//
> +// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper
> Library Instance"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This module
> provides SSL/TLS Wrapper Library Instance."
> \ No newline at end of file
> diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c
> b/CryptoPkg/Library/TlsLib/TlsProcess.c
> new file mode 100644
> index 0000000..52b55d7
> --- /dev/null
> +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c
> @@ -0,0 +1,461 @@
> +/** @file
> + SSL/TLS Process Library Wrapper Implementation over OpenSSL.
> + The process includes the TLS handshake and packet I/O.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +#define MAX_BUFFER_SIZE 32768
> +
> +/**
> + Checks if the TLS handshake was done.
> +
> + This function will check if the specified TLS handshake was done.
> +
> + @param[in] Tls Pointer to the TLS object for handshake state checking.
> +
> + @retval TRUE The TLS handshake was done.
> + @retval FALSE The TLS handshake was not done.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +TlsInHandshake (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return FALSE;
> + }
> +
> + //
> + // Return the status which indicates if the TLS handshake was done.
> + //
> + return !SSL_is_init_finished (TlsConn->Ssl);
> +}
> +
> +/**
> + Perform a TLS/SSL handshake.
> +
> + This function will perform a TLS/SSL handshake.
> +
> + @param[in] Tls Pointer to the TLS object for handshake operation.
> + @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Handshake packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsDoHandshake (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> + INTN Ret;
> + unsigned long ErrorCode;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> + Ret = 1;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferOutSize == NULL || \
> + (BufferIn == NULL && BufferInSize != 0) || \
> + (BufferIn != NULL && BufferInSize == 0) || \
> + (BufferOut == NULL && *BufferOutSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + if(BufferIn == NULL && BufferInSize == 0) {
> + //
> + // If RequestBuffer is NULL and RequestSize is 0, and TLS session
> + // status is EfiTlsSessionNotStarted, the TLS session will be initiated
> + // and the response packet needs to be ClientHello.
> + //
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + SSL_set_connect_state (TlsConn->Ssl);
> + Ret = SSL_do_handshake (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> + } else {
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> + Ret = SSL_do_handshake (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> + }
> +
> + if (Ret < 1) {
> + Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
> + if (Ret == SSL_ERROR_SSL ||
> + Ret == SSL_ERROR_SYSCALL ||
> + Ret == SSL_ERROR_ZERO_RETURN) {
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
> + __FUNCTION__,
> + SSL_get_state (TlsConn->Ssl),
> + Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ?
> "SYSCALL" : "ZERO_RETURN"
> + ));
> + DEBUG_CODE_BEGIN ();
> + while (TRUE) {
> + ErrorCode = ERR_get_error ();
> + if (ErrorCode == 0) {
> + break;
> + }
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a ERROR 0x%x=L%x:F%x:R%x\n",
> + __FUNCTION__,
> + ErrorCode,
> + ERR_GET_LIB (ErrorCode),
> + ERR_GET_FUNC (ErrorCode),
> + ERR_GET_REASON (ErrorCode)
> + ));
> + }
> + DEBUG_CODE_END ();
> + return EFI_PROTOCOL_ERROR;
> + }
> + }
> +
> + if (PendingBufferSize > *BufferOutSize) {
> + *BufferOutSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferOutSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Hande Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> + TLS session has errors and the response packet needs to be Alert message
> based on error type.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Alert packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_ABORTED An error occurred.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsHandeAlert (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> + UINT8 *TempBuffer;
> + INTN Ret;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> + TempBuffer = NULL;
> + Ret = 0;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferOutSize == NULL || \
> + (BufferIn == NULL && BufferInSize != 0) || \
> + (BufferIn != NULL && BufferInSize == 0) || \
> + (BufferOut == NULL && *BufferOutSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
> + Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> + if (Ret != (INTN) BufferInSize) {
> + return EFI_ABORTED;
> + }
> +
> + TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
> +
> + //
> + // ssl3_send_alert() will be called in ssl3_read_bytes() function.
> + // TempBuffer is invalid since it's a Alert message, so just ignore it.
> + //
> + SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
> +
> + OPENSSL_free (TempBuffer);
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> +
> + if (PendingBufferSize > *BufferOutSize) {
> + *BufferOutSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferOutSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Build the CloseNotify packet.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferSize is NULL.
> + Buffer is NULL if *BufferSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsCloseNotify (
> + IN VOID *Tls,
> + IN OUT UINT8 *Buffer,
> + IN OUT UINTN *BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferSize == NULL || \
> + (Buffer == NULL && *BufferSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + //
> + // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
> + //
> + SSL_shutdown (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> +
> + if (PendingBufferSize > *BufferSize) {
> + *BufferSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Attempts to read bytes from one TLS object and places the data in Buffer.
> +
> + This function will attempt to read BufferSize bytes from the TLS object
> + and places the data in Buffer.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] Buffer Pointer to the buffer to store the data.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully read from the TLS object.
> + @retval <=0 No data was successfully read.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficOut (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->OutBio == 0) {
> + return -1;
> + }
> +
> + //
> + // Read and return the amount of data from the BIO.
> + //
> + return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
> +}
> +
> +/**
> + Attempts to write data from the buffer to TLS object.
> +
> + This function will attempt to write BufferSize bytes data from the Buffer
> + to the TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully written to the TLS object.
> + @retval <=0 No data was successfully written.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficIn (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->InBio == 0) {
> + return -1;
> + }
> +
> + //
> + // Write and return the amount of data to the BIO.
> + //
> + return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
> +}
> +/**
> + Attempts to read bytes from the specified TLS connection into the buffer.
> +
> + This function tries to read BufferSize bytes data from the specified TLS
> + connection into the Buffer.
> +
> + @param[in] Tls Pointer to the TLS connection for data reading.
> + @param[in,out] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The read operation was successful, and return value is the
> + number of bytes actually read from the TLS connection.
> + @retval <=0 The read operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsRead (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return -1;
> + }
> +
> + //
> + // Read bytes from the specified TLS connection.
> + //
> + return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> +}
> +
> +/**
> + Attempts to write data to a TLS connection.
> +
> + This function tries to write BufferSize bytes data from the Buffer into the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS connection for data writing.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The write operation was successful, and return value is the
> + number of bytes actually written to the TLS connection.
> + @retval <=0 The write operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsWrite (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return -1;
> + }
> +
> + //
> + // Write bytes to the specified TLS connection.
> + //
> + return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> +}
> --
> 1.9.5.msysgit.1
next prev parent reply other threads:[~2016-12-16 2:51 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-14 7:34 [Patch 00/10] Sync staging/HTTPS-TLS feature into edk2 master Jiaxin Wu
2016-12-14 7:34 ` [Patch 01/10] MdePkg: Add TLS related protocol definition Jiaxin Wu
2016-12-14 8:36 ` Long, Qin
2016-12-14 8:39 ` Wu, Jiaxin
2016-12-15 8:34 ` Ye, Ting
2016-12-14 8:43 ` Fu, Siyuan
2016-12-14 7:34 ` [Patch 02/10] MdePkg: Add a header to standardize TLS definitions Jiaxin Wu
2016-12-14 8:42 ` Long, Qin
2016-12-14 8:43 ` Fu, Siyuan
2016-12-15 8:35 ` Ye, Ting
2016-12-14 7:34 ` [Patch 03/10] CryptoPkg: Enable ssl build in OpensslLib directly Jiaxin Wu
2016-12-15 8:37 ` Ye, Ting
2016-12-14 7:34 ` [Patch 04/10] CryptoPkg: Add new TlsLib library Jiaxin Wu
2016-12-16 2:10 ` Ye, Ting
2016-12-16 2:51 ` Wu, Jiaxin [this message]
2016-12-14 7:34 ` [Patch 05/10] NetworkPkg/TlsDxe: TlsDxe driver implementation over OpenSSL Jiaxin Wu
2016-12-14 8:41 ` Fu, Siyuan
2016-12-15 7:24 ` Wu, Jiaxin
2016-12-14 7:34 ` [Patch 06/10] NetworkPkg/TlsAuthConfigDxe: Provide the UI to support TLS auth configuration Jiaxin Wu
2016-12-15 2:22 ` Fu, Siyuan
2016-12-22 2:52 ` Ye, Ting
2016-12-22 3:13 ` Wu, Jiaxin
2016-12-14 7:34 ` [Patch 07/10] NetworkPkg/HttpDxe: HTTPS support over IPv4 and IPv6 Jiaxin Wu
2016-12-15 2:39 ` Fu, Siyuan
2016-12-15 7:14 ` Wu, Jiaxin
2016-12-22 7:33 ` Ye, Ting
2016-12-22 8:30 ` Wu, Jiaxin
2016-12-14 7:34 ` [Patch 08/10] NetworkPkg/NetworkPkg.dsc: Enable TlsDxe and TlsAuthConfigDxe module Jiaxin Wu
2016-12-15 2:39 ` Fu, Siyuan
2016-12-22 7:37 ` Ye, Ting
2016-12-14 7:34 ` [Patch 09/10] Nt32Pkg/Nt32Pkg.dsc: Remove the flag for OpensslLib and BaseCryptLib Jiaxin Wu
2016-12-14 7:56 ` Ni, Ruiyu
2016-12-15 8:25 ` Long, Qin
2016-12-22 7:39 ` Ye, Ting
2016-12-14 7:34 ` [Patch 10/10] Nt32Pkg: Enable HTTPS boot feature for Nt32 platform Jiaxin Wu
2016-12-14 7:44 ` Yao, Jiewen
2016-12-14 7:46 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=895558F6EA4E3B41AC93A00D163B72741627F978@SHSMSX103.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox