From: "Long, Qin" <qin.long@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Ye, Ting" <ting.ye@intel.com>
Subject: Re: [PATCH 1/6] CryptoPkg: Convert files to CRLF line ending
Date: Thu, 6 Apr 2017 02:56:45 +0000 [thread overview]
Message-ID: <BF2CCE9263284D428840004653A28B6E53F8CAB7@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <20170406022515.42504-2-hao.a.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
> -----Original Message-----
> From: Wu, Hao A
> Sent: Thursday, April 06, 2017 10:25 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A; Long, Qin; Ye, Ting
> Subject: [PATCH 1/6] CryptoPkg: Convert files to CRLF line ending
>
> Cc: Qin Long <qin.long@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
> CryptoPkg/Include/Library/TlsLib.h | 1575 +++++++--------
> CryptoPkg/Library/OpensslLib/process_files.pl | 447 +++--
> CryptoPkg/Library/TlsLib/InternalTlsLib.h | 85 +-
> CryptoPkg/Library/TlsLib/TlsConfig.c | 2119 ++++++++++----------
> CryptoPkg/Library/TlsLib/TlsInit.c | 537 ++---
> CryptoPkg/Library/TlsLib/TlsLib.inf | 113 +-
> CryptoPkg/Library/TlsLib/TlsLib.uni | 38 +-
> CryptoPkg/Library/TlsLib/TlsProcess.c | 925 ++++-----
> 8 files changed, 2923 insertions(+), 2916 deletions(-)
>
> diff --git a/CryptoPkg/Include/Library/TlsLib.h
> b/CryptoPkg/Include/Library/TlsLib.h
> index 45564f159e..fa6cb99d78 100644
> --- a/CryptoPkg/Include/Library/TlsLib.h
> +++ b/CryptoPkg/Include/Library/TlsLib.h
> @@ -1,787 +1,788 @@
> -/** @file
> - Defines TLS Library APIs.
> -
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> -This program and the accompanying materials
> -are licensed and made available under the terms and conditions of the BSD
> License
> -which accompanies this distribution. The full text of the license may be
> found at
> -http://opensource.org/licenses/bsd-license.php
> -
> -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -
> -**/
> -
> -#ifndef __TLS_LIB_H__
> -#define __TLS_LIB_H__
> -
> -/**
> - Initializes the OpenSSL library.
> -
> - This function registers ciphers and digests used directly and indirectly
> - by SSL/TLS, and initializes the readable error messages.
> - This function must be called before any other action takes places.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsInitialize (
> - VOID
> - );
> -
> -/**
> - Free an allocated SSL_CTX object.
> -
> - @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsCtxFree (
> - IN VOID *TlsCtx
> - );
> -
> -/**
> - Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> - connections.
> -
> - @param[in] MajorVer Major Version of TLS/SSL Protocol.
> - @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> -
> - @return Pointer to an allocated SSL_CTX object.
> - If the creation failed, TlsCtxNew() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -TlsCtxNew (
> - IN UINT8 MajorVer,
> - IN UINT8 MinorVer
> - );
> -
> -/**
> - Free an allocated TLS object.
> -
> - This function removes the TLS object pointed to by Tls and frees up the
> - allocated memory. If Tls is NULL, nothing is done.
> -
> - @param[in] Tls Pointer to the TLS object to be freed.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsFree (
> - IN VOID *Tls
> - );
> -
> -/**
> - Create a new TLS object for a connection.
> -
> - This function creates a new TLS object for a connection. The new object
> - inherits the setting of the underlying context TlsCtx: connection method,
> - options, verification setting.
> -
> - @param[in] TlsCtx Pointer to the SSL_CTX object.
> -
> - @return Pointer to an allocated SSL object.
> - If the creation failed, TlsNew() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -TlsNew (
> - IN VOID *TlsCtx
> - );
> -
> -/**
> - Checks if the TLS handshake was done.
> -
> - This function will check if the specified TLS handshake was done.
> -
> - @param[in] Tls Pointer to the TLS object for handshake state checking.
> -
> - @retval TRUE The TLS handshake was done.
> - @retval FALSE The TLS handshake was not done.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TlsInHandshake (
> - IN VOID *Tls
> - );
> -
> -/**
> - Perform a TLS/SSL handshake.
> -
> - This function will perform a TLS/SSL handshake.
> -
> - @param[in] Tls Pointer to the TLS object for handshake operation.
> - @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> - @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> - Handshake packet.
> - @param[out] BufferOut Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferIn is NULL but BufferInSize is NOT 0.
> - BufferInSize is 0 but BufferIn is NOT NULL.
> - BufferOutSize is NULL.
> - BufferOut is NULL if *BufferOutSize is not zero.
> - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> - @retval EFI_ABORTED Something wrong during handshake.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsDoHandshake (
> - IN VOID *Tls,
> - IN UINT8 *BufferIn, OPTIONAL
> - IN UINTN BufferInSize, OPTIONAL
> - OUT UINT8 *BufferOut, OPTIONAL
> - IN OUT UINTN *BufferOutSize
> - );
> -
> -/**
> - Handle Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> - TLS session has errors and the response packet needs to be Alert message
> based on error type.
> -
> - @param[in] Tls Pointer to the TLS object for state checking.
> - @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> - @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> - Alert packet.
> - @param[out] BufferOut Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferIn is NULL but BufferInSize is NOT 0.
> - BufferInSize is 0 but BufferIn is NOT NULL.
> - BufferOutSize is NULL.
> - BufferOut is NULL if *BufferOutSize is not zero.
> - @retval EFI_ABORTED An error occurred.
> - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsHandleAlert (
> - IN VOID *Tls,
> - IN UINT8 *BufferIn, OPTIONAL
> - IN UINTN BufferInSize, OPTIONAL
> - OUT UINT8 *BufferOut, OPTIONAL
> - IN OUT UINTN *BufferOutSize
> - );
> -
> -/**
> - Build the CloseNotify packet.
> -
> - @param[in] Tls Pointer to the TLS object for state checking.
> - @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferSize is NULL.
> - Buffer is NULL if *BufferSize is not zero.
> - @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsCloseNotify (
> - IN VOID *Tls,
> - IN OUT UINT8 *Buffer,
> - IN OUT UINTN *BufferSize
> - );
> -
> -/**
> - Attempts to read bytes from one TLS object and places the data in Buffer.
> -
> - This function will attempt to read BufferSize bytes from the TLS object
> - and places the data in Buffer.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] Buffer Pointer to the buffer to store the data.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The amount of data successfully read from the TLS object.
> - @retval <=0 No data was successfully read.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsCtrlTrafficOut (
> - IN VOID *Tls,
> - IN OUT VOID *Buffer,
> - IN UINTN BufferSize
> - );
> -
> -/**
> - Attempts to write data from the buffer to TLS object.
> -
> - This function will attempt to write BufferSize bytes data from the Buffer
> - to the TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The amount of data successfully written to the TLS object.
> - @retval <=0 No data was successfully written.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsCtrlTrafficIn (
> - IN VOID *Tls,
> - IN VOID *Buffer,
> - IN UINTN BufferSize
> - );
> -
> -/**
> - Attempts to read bytes from the specified TLS connection into the buffer.
> -
> - This function tries to read BufferSize bytes data from the specified TLS
> - connection into the Buffer.
> -
> - @param[in] Tls Pointer to the TLS connection for data reading.
> - @param[in,out] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The read operation was successful, and return value is the
> - number of bytes actually read from the TLS connection.
> - @retval <=0 The read operation was not successful.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsRead (
> - IN VOID *Tls,
> - IN OUT VOID *Buffer,
> - IN UINTN BufferSize
> - );
> -
> -/**
> - Attempts to write data to a TLS connection.
> -
> - This function tries to write BufferSize bytes data from the Buffer into the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS connection for data writing.
> - @param[in] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The write operation was successful, and return value is the
> - number of bytes actually written to the TLS connection.
> - @retval <=0 The write operation was not successful.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsWrite (
> - IN VOID *Tls,
> - IN VOID *Buffer,
> - IN UINTN BufferSize
> - );
> -
> -/**
> - Set a new TLS/SSL method for a particular TLS object.
> -
> - This function sets a new TLS/SSL method for a particular TLS object.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] MajorVer Major Version of TLS/SSL Protocol.
> - @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> -
> - @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetVersion (
> - IN VOID *Tls,
> - IN UINT8 MajorVer,
> - IN UINT8 MinorVer
> - );
> -
> -/**
> - Set TLS object to work in client or server mode.
> -
> - This function prepares a TLS object to work in client or server mode.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] IsServer Work in server mode.
> -
> - @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetConnectionEnd (
> - IN VOID *Tls,
> - IN BOOLEAN IsServer
> - );
> -
> -/**
> - Set the ciphers list to be used by the TLS object.
> -
> - This function sets the ciphers for use by a specified TLS object.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] CipherId Pointer to a string that contains one or more
> - ciphers separated by a colon.
> - @param[in] CipherNum The number of cipher in the list.
> -
> - @retval EFI_SUCCESS The ciphers list was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCipherList (
> - IN VOID *Tls,
> - IN UINT16 *CipherId,
> - IN UINTN CipherNum
> - );
> -
> -/**
> - Set the compression method for TLS/SSL operations.
> -
> - This function handles TLS/SSL integrated compression methods.
> -
> - @param[in] CompMethod The compression method ID.
> -
> - @retval EFI_SUCCESS The compression method for the communication
> was
> - set successfully.
> - @retval EFI_UNSUPPORTED Unsupported compression method.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCompressionMethod (
> - IN UINT8 CompMethod
> - );
> -
> -/**
> - Set peer certificate verification mode for the TLS connection.
> -
> - This function sets the verification mode flags for the TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] VerifyMode A set of logically or'ed verification mode flags.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsSetVerify (
> - IN VOID *Tls,
> - IN UINT32 VerifyMode
> - );
> -
> -/**
> - Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> -
> - This function sets a session ID to be used when the TLS/SSL connection is
> - to be established.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] SessionId Session ID data used for session resumption.
> - @param[in] SessionIdLen Length of Session ID in bytes.
> -
> - @retval EFI_SUCCESS Session ID was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED No available session for ID setting.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetSessionId (
> - IN VOID *Tls,
> - IN UINT8 *SessionId,
> - IN UINT16 SessionIdLen
> - );
> -
> -/**
> - Adds the CA to the cert store when requesting Server or Client
> authentication.
> -
> - This function adds the CA certificate to the list of CAs when requesting
> - Server or Client authentication for the chosen TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a DER-encoded binary
> - X.509 certificate or PEM-encoded X.509 certificate.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> - @retval EFI_ABORTED Invalid X.509 certificate.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCaCertificate (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Loads the local public certificate into the specified TLS object.
> -
> - This function loads the X.509 certificate into the specified TLS object
> - for TLS negotiation.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a DER-encoded binary
> - X.509 certificate or PEM-encoded X.509 certificate.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> - @retval EFI_ABORTED Invalid X.509 certificate.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetHostPublicCert (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Adds the local private key to the specified TLS object.
> -
> - This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> - key) into the specified TLS object for TLS negotiation.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> - or PKCS#8 private key.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_ABORTED Invalid private key data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetHostPrivateKey (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Adds the CA-supplied certificate revocation list for certificate validation.
> -
> - This function adds the CA-supplied certificate revocation list data for
> - certificate validity checking.
> -
> - @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_ABORTED Invalid CRL data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCertRevocationList (
> - IN VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Gets the protocol version used by the specified TLS connection.
> -
> - This function returns the protocol version used by the specified TLS
> - connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The protocol version of the specified TLS connection.
> -
> -**/
> -UINT16
> -EFIAPI
> -TlsGetVersion (
> - IN VOID *Tls
> - );
> -
> -/**
> - Gets the connection end of the specified TLS connection.
> -
> - This function returns the connection end (as client or as server) used by
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The connection end used by the specified TLS connection.
> -
> -**/
> -UINT8
> -EFIAPI
> -TlsGetConnectionEnd (
> - IN VOID *Tls
> - );
> -
> -/**
> - Gets the cipher suite used by the specified TLS connection.
> -
> - This function returns current cipher suite used by the specified
> - TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] CipherId The cipher suite used by the TLS object.
> -
> - @retval EFI_SUCCESS The cipher suite was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported cipher suite.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCurrentCipher (
> - IN VOID *Tls,
> - IN OUT UINT16 *CipherId
> - );
> -
> -/**
> - Gets the compression methods used by the specified TLS connection.
> -
> - This function returns current integrated compression methods used by
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] CompressionId The current compression method used
> by
> - the TLS object.
> -
> - @retval EFI_SUCCESS The compression method was returned
> successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_ABORTED Invalid Compression method.
> - @retval EFI_UNSUPPORTED This function is not supported.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCurrentCompressionId (
> - IN VOID *Tls,
> - IN OUT UINT8 *CompressionId
> - );
> -
> -/**
> - Gets the verification mode currently set in the TLS connection.
> -
> - This function returns the peer verification mode currently set in the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The verification mode set in the specified TLS connection.
> -
> -**/
> -UINT32
> -EFIAPI
> -TlsGetVerify (
> - IN VOID *Tls
> - );
> -
> -/**
> - Gets the session ID used by the specified TLS connection.
> -
> - This function returns the TLS/SSL session ID currently used by the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] SessionId Buffer to contain the returned session ID.
> - @param[in,out] SessionIdLen The length of Session ID in bytes.
> -
> - @retval EFI_SUCCESS The Session ID was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetSessionId (
> - IN VOID *Tls,
> - IN OUT UINT8 *SessionId,
> - IN OUT UINT16 *SessionIdLen
> - );
> -
> -/**
> - Gets the client random data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL client random data currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] ClientRandom Buffer to contain the returned client
> - random data (32 bytes).
> -
> -**/
> -VOID
> -EFIAPI
> -TlsGetClientRandom (
> - IN VOID *Tls,
> - IN OUT UINT8 *ClientRandom
> - );
> -
> -/**
> - Gets the server random data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL server random data currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] ServerRandom Buffer to contain the returned server
> - random data (32 bytes).
> -
> -**/
> -VOID
> -EFIAPI
> -TlsGetServerRandom (
> - IN VOID *Tls,
> - IN OUT UINT8 *ServerRandom
> - );
> -
> -/**
> - Gets the master key data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL master key material currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] KeyMaterial Buffer to contain the returned key material.
> -
> - @retval EFI_SUCCESS Key material was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetKeyMaterial (
> - IN VOID *Tls,
> - IN OUT UINT8 *KeyMaterial
> - );
> -
> -/**
> - Gets the CA Certificate from the cert store.
> -
> - This function returns the CA certificate for the chosen
> - TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the CA
> - certificate data sent to the client.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCaCertificate (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - );
> -
> -/**
> - Gets the local public Certificate set in the specified TLS object.
> -
> - This function returns the local public certificate which was currently set
> - in the specified TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the local
> - public certificate.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_NOT_FOUND The certificate is not found.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetHostPublicCert (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - );
> -
> -/**
> - Gets the local private key set in the specified TLS object.
> -
> - This function returns the local private key data which was currently set
> - in the specified TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the local
> - private key data.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetHostPrivateKey (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - );
> -
> -/**
> - Gets the CA-supplied certificate revocation list data set in the specified
> - TLS object.
> -
> - This function returns the CA-supplied certificate revocation list data which
> - was currently set in the specified TLS object.
> -
> - @param[out] Data Pointer to the data buffer to receive the CRL data.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCertRevocationList (
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - );
> -
> -#endif // __TLS_LIB_H__
> +/** @file
> + Defines TLS Library APIs.
> +
> +Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#ifndef __TLS_LIB_H__
> +#define __TLS_LIB_H__
> +
> +/**
> + Initializes the OpenSSL library.
> +
> + This function registers ciphers and digests used directly and indirectly
> + by SSL/TLS, and initializes the readable error messages.
> + This function must be called before any other action takes places.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsInitialize (
> + VOID
> + );
> +
> +/**
> + Free an allocated SSL_CTX object.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsCtxFree (
> + IN VOID *TlsCtx
> + );
> +
> +/**
> + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> + connections.
> +
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @return Pointer to an allocated SSL_CTX object.
> + If the creation failed, TlsCtxNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsCtxNew (
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + );
> +
> +/**
> + Free an allocated TLS object.
> +
> + This function removes the TLS object pointed to by Tls and frees up the
> + allocated memory. If Tls is NULL, nothing is done.
> +
> + @param[in] Tls Pointer to the TLS object to be freed.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsFree (
> + IN VOID *Tls
> + );
> +
> +/**
> + Create a new TLS object for a connection.
> +
> + This function creates a new TLS object for a connection. The new object
> + inherits the setting of the underlying context TlsCtx: connection method,
> + options, verification setting.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object.
> +
> + @return Pointer to an allocated SSL object.
> + If the creation failed, TlsNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsNew (
> + IN VOID *TlsCtx
> + );
> +
> +/**
> + Checks if the TLS handshake was done.
> +
> + This function will check if the specified TLS handshake was done.
> +
> + @param[in] Tls Pointer to the TLS object for handshake state checking.
> +
> + @retval TRUE The TLS handshake was done.
> + @retval FALSE The TLS handshake was not done.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +TlsInHandshake (
> + IN VOID *Tls
> + );
> +
> +/**
> + Perform a TLS/SSL handshake.
> +
> + This function will perform a TLS/SSL handshake.
> +
> + @param[in] Tls Pointer to the TLS object for handshake operation.
> + @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Handshake packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> + @retval EFI_ABORTED Something wrong during handshake.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsDoHandshake (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + );
> +
> +/**
> + Handle Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> + TLS session has errors and the response packet needs to be Alert message
> based on error type.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Alert packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_ABORTED An error occurred.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsHandleAlert (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + );
> +
> +/**
> + Build the CloseNotify packet.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferSize is NULL.
> + Buffer is NULL if *BufferSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsCloseNotify (
> + IN VOID *Tls,
> + IN OUT UINT8 *Buffer,
> + IN OUT UINTN *BufferSize
> + );
> +
> +/**
> + Attempts to read bytes from one TLS object and places the data in Buffer.
> +
> + This function will attempt to read BufferSize bytes from the TLS object
> + and places the data in Buffer.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] Buffer Pointer to the buffer to store the data.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully read from the TLS object.
> + @retval <=0 No data was successfully read.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficOut (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to write data from the buffer to TLS object.
> +
> + This function will attempt to write BufferSize bytes data from the Buffer
> + to the TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully written to the TLS object.
> + @retval <=0 No data was successfully written.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficIn (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to read bytes from the specified TLS connection into the buffer.
> +
> + This function tries to read BufferSize bytes data from the specified TLS
> + connection into the Buffer.
> +
> + @param[in] Tls Pointer to the TLS connection for data reading.
> + @param[in,out] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The read operation was successful, and return value is the
> + number of bytes actually read from the TLS connection.
> + @retval <=0 The read operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsRead (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Attempts to write data to a TLS connection.
> +
> + This function tries to write BufferSize bytes data from the Buffer into the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS connection for data writing.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The write operation was successful, and return value is the
> + number of bytes actually written to the TLS connection.
> + @retval <=0 The write operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsWrite (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + );
> +
> +/**
> + Set a new TLS/SSL method for a particular TLS object.
> +
> + This function sets a new TLS/SSL method for a particular TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetVersion (
> + IN VOID *Tls,
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + );
> +
> +/**
> + Set TLS object to work in client or server mode.
> +
> + This function prepares a TLS object to work in client or server mode.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] IsServer Work in server mode.
> +
> + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetConnectionEnd (
> + IN VOID *Tls,
> + IN BOOLEAN IsServer
> + );
> +
> +/**
> + Set the ciphers list to be used by the TLS object.
> +
> + This function sets the ciphers for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] CipherId Pointer to a string that contains one or more
> + ciphers separated by a colon.
> + @param[in] CipherNum The number of cipher in the list.
> +
> + @retval EFI_SUCCESS The ciphers list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCipherList (
> + IN VOID *Tls,
> + IN UINT16 *CipherId,
> + IN UINTN CipherNum
> + );
> +
> +/**
> + Set the compression method for TLS/SSL operations.
> +
> + This function handles TLS/SSL integrated compression methods.
> +
> + @param[in] CompMethod The compression method ID.
> +
> + @retval EFI_SUCCESS The compression method for the communication
> was
> + set successfully.
> + @retval EFI_UNSUPPORTED Unsupported compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCompressionMethod (
> + IN UINT8 CompMethod
> + );
> +
> +/**
> + Set peer certificate verification mode for the TLS connection.
> +
> + This function sets the verification mode flags for the TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] VerifyMode A set of logically or'ed verification mode flags.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsSetVerify (
> + IN VOID *Tls,
> + IN UINT32 VerifyMode
> + );
> +
> +/**
> + Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> +
> + This function sets a session ID to be used when the TLS/SSL connection is
> + to be established.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] SessionId Session ID data used for session resumption.
> + @param[in] SessionIdLen Length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS Session ID was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED No available session for ID setting.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetSessionId (
> + IN VOID *Tls,
> + IN UINT8 *SessionId,
> + IN UINT16 SessionIdLen
> + );
> +
> +/**
> + Adds the CA to the cert store when requesting Server or Client
> authentication.
> +
> + This function adds the CA certificate to the list of CAs when requesting
> + Server or Client authentication for the chosen TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCaCertificate (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Loads the local public certificate into the specified TLS object.
> +
> + This function loads the X.509 certificate into the specified TLS object
> + for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPublicCert (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPrivateKey (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Adds the CA-supplied certificate revocation list for certificate validation.
> +
> + This function adds the CA-supplied certificate revocation list data for
> + certificate validity checking.
> +
> + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid CRL data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCertRevocationList (
> + IN VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Gets the protocol version used by the specified TLS connection.
> +
> + This function returns the protocol version used by the specified TLS
> + connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The protocol version of the specified TLS connection.
> +
> +**/
> +UINT16
> +EFIAPI
> +TlsGetVersion (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the connection end of the specified TLS connection.
> +
> + This function returns the connection end (as client or as server) used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The connection end used by the specified TLS connection.
> +
> +**/
> +UINT8
> +EFIAPI
> +TlsGetConnectionEnd (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the cipher suite used by the specified TLS connection.
> +
> + This function returns current cipher suite used by the specified
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CipherId The cipher suite used by the TLS object.
> +
> + @retval EFI_SUCCESS The cipher suite was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported cipher suite.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCipher (
> + IN VOID *Tls,
> + IN OUT UINT16 *CipherId
> + );
> +
> +/**
> + Gets the compression methods used by the specified TLS connection.
> +
> + This function returns current integrated compression methods used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CompressionId The current compression method used
> by
> + the TLS object.
> +
> + @retval EFI_SUCCESS The compression method was returned
> successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_ABORTED Invalid Compression method.
> + @retval EFI_UNSUPPORTED This function is not supported.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCompressionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *CompressionId
> + );
> +
> +/**
> + Gets the verification mode currently set in the TLS connection.
> +
> + This function returns the peer verification mode currently set in the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The verification mode set in the specified TLS connection.
> +
> +**/
> +UINT32
> +EFIAPI
> +TlsGetVerify (
> + IN VOID *Tls
> + );
> +
> +/**
> + Gets the session ID used by the specified TLS connection.
> +
> + This function returns the TLS/SSL session ID currently used by the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] SessionId Buffer to contain the returned session ID.
> + @param[in,out] SessionIdLen The length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS The Session ID was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetSessionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *SessionId,
> + IN OUT UINT16 *SessionIdLen
> + );
> +
> +/**
> + Gets the client random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL client random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ClientRandom Buffer to contain the returned client
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetClientRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ClientRandom
> + );
> +
> +/**
> + Gets the server random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL server random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ServerRandom Buffer to contain the returned server
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetServerRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ServerRandom
> + );
> +
> +/**
> + Gets the master key data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL master key material currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] KeyMaterial Buffer to contain the returned key material.
> +
> + @retval EFI_SUCCESS Key material was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetKeyMaterial (
> + IN VOID *Tls,
> + IN OUT UINT8 *KeyMaterial
> + );
> +
> +/**
> + Gets the CA Certificate from the cert store.
> +
> + This function returns the CA certificate for the chosen
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the CA
> + certificate data sent to the client.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCaCertificate (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the local public Certificate set in the specified TLS object.
> +
> + This function returns the local public certificate which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + public certificate.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_NOT_FOUND The certificate is not found.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPublicCert (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the local private key set in the specified TLS object.
> +
> + This function returns the local private key data which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + private key data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPrivateKey (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +/**
> + Gets the CA-supplied certificate revocation list data set in the specified
> + TLS object.
> +
> + This function returns the CA-supplied certificate revocation list data which
> + was currently set in the specified TLS object.
> +
> + @param[out] Data Pointer to the data buffer to receive the CRL data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCertRevocationList (
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + );
> +
> +#endif // __TLS_LIB_H__
> +
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 210811b9ed..4a60073485 100644
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -1,223 +1,224 @@
> -#!/usr/bin/perl -w
> -#
> -# This script runs the OpenSSL Configure script, then processes the
> -# resulting file list into our local OpensslLib[Crypto].inf and also
> -# takes a copy of opensslconf.h.
> -#
> -# This only needs to be done once by a developer when updating to a
> -# new version of OpenSSL (or changing options, etc.). Normal users
> -# do not need to do this, since the results are stored in the EDK2
> -# git repository for them.
> -#
> -use strict;
> -use Cwd;
> -use File::Copy;
> -
> -#
> -# Find the openssl directory name for use lib. We have to do this
> -# inside of BEGIN. The variables we create here, however, don't seem
> -# to be available to the main script, so we have to repeat the
> -# exercise.
> -#
> -my $inf_file;
> -my $OPENSSL_PATH;
> -my @inf;
> -
> -BEGIN {
> - $inf_file = "OpensslLib.inf";
> -
> - # Read the contents of the inf file
> - open( FD, "<" . $inf_file ) ||
> - die "Cannot open \"" . $inf_file . "\"!";
> - @inf = (<FD>);
> - close(FD) ||
> - die "Cannot close \"" . $inf_file . "\"!";
> -
> - foreach (@inf) {
> - if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
> -
> - # We need to run Configure before we can include its result...
> - $OPENSSL_PATH = $1;
> -
> - my $basedir = getcwd();
> -
> - chdir($OPENSSL_PATH) ||
> - die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH .
> "\"";
> -
> - # Configure UEFI
> - system(
> - "./Configure",
> - "UEFI",
> - "no-afalgeng",
> - "no-asm",
> - "no-async",
> - "no-autoalginit",
> - "no-autoerrinit",
> - "no-bf",
> - "no-blake2",
> - "no-camellia",
> - "no-capieng",
> - "no-cast",
> - "no-chacha",
> - "no-cms",
> - "no-ct",
> - "no-deprecated",
> - "no-dgram",
> - "no-dsa",
> - "no-dynamic-engine",
> - "no-ec",
> - "no-ec2m",
> - "no-engine",
> - "no-err",
> - "no-filenames",
> - "no-gost",
> - "no-hw",
> - "no-idea",
> - "no-mdc2",
> - "no-pic",
> - "no-ocb",
> - "no-poly1305",
> - "no-posix-io",
> - "no-rc2",
> - "no-rfc3779",
> - "no-rmd160",
> - "no-scrypt",
> - "no-seed",
> - "no-sock",
> - "no-srp",
> - "no-ssl",
> - "no-stdio",
> - "no-threads",
> - "no-ts",
> - "no-ui",
> - "no-whirlpool"
> - ) == 0 ||
> - die "OpenSSL Configure failed!\n";
> -
> - # Generate opensslconf.h per config data
> - system(
> - "perl -I. -Mconfigdata util/dofile.pl " .
> - "include/openssl/opensslconf.h.in " .
> - "> include/openssl/opensslconf.h"
> - ) == 0 ||
> - die "Failed to generate opensslconf.h!\n";
> -
> - chdir($basedir) ||
> - die "Cannot change to base directory \"" . $basedir . "\"";
> -
> - push @INC, $1;
> - last;
> - }
> - }
> -}
> -
> -#
> -# Retrieve file lists from OpenSSL configdata
> -#
> -use configdata qw/%unified_info/;
> -
> -my @cryptofilelist = ();
> -my @sslfilelist = ();
> -foreach my $product ((@{$unified_info{libraries}},
> - @{$unified_info{engines}})) {
> - foreach my $o (@{$unified_info{sources}->{$product}}) {
> - foreach my $s (@{$unified_info{sources}->{$o}}) {
> - next if ($unified_info{generate}->{$s});
> - next if $s =~ "crypto/bio/b_print.c";
> - if ($product =~ "libssl") {
> - push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
> - next;
> - }
> - push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
> - }
> - }
> -}
> -
> -#
> -# Update OpensslLib.inf with autogenerated file list
> -#
> -my @new_inf = ();
> -my $subbing = 0;
> -print "\n--> Updating OpensslLib.inf ... ";
> -foreach (@inf) {
> - if ( $_ =~ "# Autogenerated files list starts here" ) {
> - push @new_inf, $_, @cryptofilelist, @sslfilelist;
> - $subbing = 1;
> - next;
> - }
> - if ( $_ =~ "# Autogenerated files list ends here" ) {
> - push @new_inf, $_;
> - $subbing = 0;
> - next;
> - }
> -
> - push @new_inf, $_
> - unless ($subbing);
> -}
> -
> -my $new_inf_file = $inf_file . ".new";
> -open( FD, ">" . $new_inf_file ) ||
> - die $new_inf_file;
> -print( FD @new_inf ) ||
> - die $new_inf_file;
> -close(FD) ||
> - die $new_inf_file;
> -rename( $new_inf_file, $inf_file ) ||
> - die "rename $inf_file";
> -print "Done!";
> -
> -#
> -# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
> -#
> -$inf_file = "OpensslLibCrypto.inf";
> -
> -# Read the contents of the inf file
> -@inf = ();
> -@new_inf = ();
> -open( FD, "<" . $inf_file ) ||
> - die "Cannot open \"" . $inf_file . "\"!";
> -@inf = (<FD>);
> -close(FD) ||
> - die "Cannot close \"" . $inf_file . "\"!";
> -
> -$subbing = 0;
> -print "\n--> Updating OpensslLibCrypto.inf ... ";
> -foreach (@inf) {
> - if ( $_ =~ "# Autogenerated files list starts here" ) {
> - push @new_inf, $_, @cryptofilelist;
> - $subbing = 1;
> - next;
> - }
> - if ( $_ =~ "# Autogenerated files list ends here" ) {
> - push @new_inf, $_;
> - $subbing = 0;
> - next;
> - }
> -
> - push @new_inf, $_
> - unless ($subbing);
> -}
> -
> -$new_inf_file = $inf_file . ".new";
> -open( FD, ">" . $new_inf_file ) ||
> - die $new_inf_file;
> -print( FD @new_inf ) ||
> - die $new_inf_file;
> -close(FD) ||
> - die $new_inf_file;
> -rename( $new_inf_file, $inf_file ) ||
> - die "rename $inf_file";
> -print "Done!";
> -
> -#
> -# Copy opensslconf.h generated from OpenSSL Configuration
> -#
> -print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
> -copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
> - $OPENSSL_PATH . "/../../../Include/openssl/") ||
> - die "Cannot copy opensslconf.h!";
> -print "Done!\n";
> -
> -print "\nProcessing Files Done!\n";
> -
> -exit(0);
> +#!/usr/bin/perl -w
> +#
> +# This script runs the OpenSSL Configure script, then processes the
> +# resulting file list into our local OpensslLib[Crypto].inf and also
> +# takes a copy of opensslconf.h.
> +#
> +# This only needs to be done once by a developer when updating to a
> +# new version of OpenSSL (or changing options, etc.). Normal users
> +# do not need to do this, since the results are stored in the EDK2
> +# git repository for them.
> +#
> +use strict;
> +use Cwd;
> +use File::Copy;
> +
> +#
> +# Find the openssl directory name for use lib. We have to do this
> +# inside of BEGIN. The variables we create here, however, don't seem
> +# to be available to the main script, so we have to repeat the
> +# exercise.
> +#
> +my $inf_file;
> +my $OPENSSL_PATH;
> +my @inf;
> +
> +BEGIN {
> + $inf_file = "OpensslLib.inf";
> +
> + # Read the contents of the inf file
> + open( FD, "<" . $inf_file ) ||
> + die "Cannot open \"" . $inf_file . "\"!";
> + @inf = (<FD>);
> + close(FD) ||
> + die "Cannot close \"" . $inf_file . "\"!";
> +
> + foreach (@inf) {
> + if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
> +
> + # We need to run Configure before we can include its result...
> + $OPENSSL_PATH = $1;
> +
> + my $basedir = getcwd();
> +
> + chdir($OPENSSL_PATH) ||
> + die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH .
> "\"";
> +
> + # Configure UEFI
> + system(
> + "./Configure",
> + "UEFI",
> + "no-afalgeng",
> + "no-asm",
> + "no-async",
> + "no-autoalginit",
> + "no-autoerrinit",
> + "no-bf",
> + "no-blake2",
> + "no-camellia",
> + "no-capieng",
> + "no-cast",
> + "no-chacha",
> + "no-cms",
> + "no-ct",
> + "no-deprecated",
> + "no-dgram",
> + "no-dsa",
> + "no-dynamic-engine",
> + "no-ec",
> + "no-ec2m",
> + "no-engine",
> + "no-err",
> + "no-filenames",
> + "no-gost",
> + "no-hw",
> + "no-idea",
> + "no-mdc2",
> + "no-pic",
> + "no-ocb",
> + "no-poly1305",
> + "no-posix-io",
> + "no-rc2",
> + "no-rfc3779",
> + "no-rmd160",
> + "no-scrypt",
> + "no-seed",
> + "no-sock",
> + "no-srp",
> + "no-ssl",
> + "no-stdio",
> + "no-threads",
> + "no-ts",
> + "no-ui",
> + "no-whirlpool"
> + ) == 0 ||
> + die "OpenSSL Configure failed!\n";
> +
> + # Generate opensslconf.h per config data
> + system(
> + "perl -I. -Mconfigdata util/dofile.pl " .
> + "include/openssl/opensslconf.h.in " .
> + "> include/openssl/opensslconf.h"
> + ) == 0 ||
> + die "Failed to generate opensslconf.h!\n";
> +
> + chdir($basedir) ||
> + die "Cannot change to base directory \"" . $basedir . "\"";
> +
> + push @INC, $1;
> + last;
> + }
> + }
> +}
> +
> +#
> +# Retrieve file lists from OpenSSL configdata
> +#
> +use configdata qw/%unified_info/;
> +
> +my @cryptofilelist = ();
> +my @sslfilelist = ();
> +foreach my $product ((@{$unified_info{libraries}},
> + @{$unified_info{engines}})) {
> + foreach my $o (@{$unified_info{sources}->{$product}}) {
> + foreach my $s (@{$unified_info{sources}->{$o}}) {
> + next if ($unified_info{generate}->{$s});
> + next if $s =~ "crypto/bio/b_print.c";
> + if ($product =~ "libssl") {
> + push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
> + next;
> + }
> + push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
> + }
> + }
> +}
> +
> +#
> +# Update OpensslLib.inf with autogenerated file list
> +#
> +my @new_inf = ();
> +my $subbing = 0;
> +print "\n--> Updating OpensslLib.inf ... ";
> +foreach (@inf) {
> + if ( $_ =~ "# Autogenerated files list starts here" ) {
> + push @new_inf, $_, @cryptofilelist, @sslfilelist;
> + $subbing = 1;
> + next;
> + }
> + if ( $_ =~ "# Autogenerated files list ends here" ) {
> + push @new_inf, $_;
> + $subbing = 0;
> + next;
> + }
> +
> + push @new_inf, $_
> + unless ($subbing);
> +}
> +
> +my $new_inf_file = $inf_file . ".new";
> +open( FD, ">" . $new_inf_file ) ||
> + die $new_inf_file;
> +print( FD @new_inf ) ||
> + die $new_inf_file;
> +close(FD) ||
> + die $new_inf_file;
> +rename( $new_inf_file, $inf_file ) ||
> + die "rename $inf_file";
> +print "Done!";
> +
> +#
> +# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
> +#
> +$inf_file = "OpensslLibCrypto.inf";
> +
> +# Read the contents of the inf file
> +@inf = ();
> +@new_inf = ();
> +open( FD, "<" . $inf_file ) ||
> + die "Cannot open \"" . $inf_file . "\"!";
> +@inf = (<FD>);
> +close(FD) ||
> + die "Cannot close \"" . $inf_file . "\"!";
> +
> +$subbing = 0;
> +print "\n--> Updating OpensslLibCrypto.inf ... ";
> +foreach (@inf) {
> + if ( $_ =~ "# Autogenerated files list starts here" ) {
> + push @new_inf, $_, @cryptofilelist;
> + $subbing = 1;
> + next;
> + }
> + if ( $_ =~ "# Autogenerated files list ends here" ) {
> + push @new_inf, $_;
> + $subbing = 0;
> + next;
> + }
> +
> + push @new_inf, $_
> + unless ($subbing);
> +}
> +
> +$new_inf_file = $inf_file . ".new";
> +open( FD, ">" . $new_inf_file ) ||
> + die $new_inf_file;
> +print( FD @new_inf ) ||
> + die $new_inf_file;
> +close(FD) ||
> + die $new_inf_file;
> +rename( $new_inf_file, $inf_file ) ||
> + die "rename $inf_file";
> +print "Done!";
> +
> +#
> +# Copy opensslconf.h generated from OpenSSL Configuration
> +#
> +print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
> +copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
> + $OPENSSL_PATH . "/../../../Include/openssl/") ||
> + die "Cannot copy opensslconf.h!";
> +print "Done!\n";
> +
> +print "\nProcessing Files Done!\n";
> +
> +exit(0);
> +
> diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> index 97727361e8..88c4e3b38e 100644
> --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
> @@ -1,42 +1,43 @@
> -/** @file
> - Internal include file for TlsLib.
> -
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> -This program and the accompanying materials
> -are licensed and made available under the terms and conditions of the BSD
> License
> -which accompanies this distribution. The full text of the license may be
> found at
> -http://opensource.org/licenses/bsd-license.php
> -
> -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -
> -**/
> -
> -#ifndef __INTERNAL_TLS_LIB_H__
> -#define __INTERNAL_TLS_LIB_H__
> -
> -#undef _WIN32
> -#undef _WIN64
> -
> -#include <Library/BaseCryptLib.h>
> -#include <openssl/ssl.h>
> -#include <openssl/bio.h>
> -#include <openssl/err.h>
> -
> -typedef struct {
> - //
> - // Main SSL Connection which is created by a server or a client
> - // per established connection.
> - //
> - SSL *Ssl;
> - //
> - // Memory BIO for the TLS/SSL Reading operations.
> - //
> - BIO *InBio;
> - //
> - // Memory BIO for the TLS/SSL Writing operations.
> - //
> - BIO *OutBio;
> -} TLS_CONNECTION;
> -
> -#endif
> +/** @file
> + Internal include file for TlsLib.
> +
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#ifndef __INTERNAL_TLS_LIB_H__
> +#define __INTERNAL_TLS_LIB_H__
> +
> +#undef _WIN32
> +#undef _WIN64
> +
> +#include <Library/BaseCryptLib.h>
> +#include <openssl/ssl.h>
> +#include <openssl/bio.h>
> +#include <openssl/err.h>
> +
> +typedef struct {
> + //
> + // Main SSL Connection which is created by a server or a client
> + // per established connection.
> + //
> + SSL *Ssl;
> + //
> + // Memory BIO for the TLS/SSL Reading operations.
> + //
> + BIO *InBio;
> + //
> + // Memory BIO for the TLS/SSL Writing operations.
> + //
> + BIO *OutBio;
> +} TLS_CONNECTION;
> +
> +#endif
> +
> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c
> b/CryptoPkg/Library/TlsLib/TlsConfig.c
> index 43e275d400..4c88229b89 100644
> --- a/CryptoPkg/Library/TlsLib/TlsConfig.c
> +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
> @@ -1,1059 +1,1060 @@
> -/** @file
> - SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> -This program and the accompanying materials
> -are licensed and made available under the terms and conditions of the BSD
> License
> -which accompanies this distribution. The full text of the license may be
> found at
> -http://opensource.org/licenses/bsd-license.php
> -
> -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -
> -**/
> -
> -#include "InternalTlsLib.h"
> -
> -typedef struct {
> - //
> - // IANA/IETF defined Cipher Suite ID
> - //
> - UINT16 IanaCipher;
> - //
> - // OpenSSL-used Cipher Suite String
> - //
> - CONST CHAR8 *OpensslCipher;
> -} TLS_CIPHER_PAIR;
> -
> -//
> -// The mapping table between IANA/IETF Cipher Suite definitions and
> -// OpenSSL-used Cipher Suite name.
> -//
> -STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
> - { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
> - { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
> - { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
> - { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
> - { 0x000A, "DES-CBC3-SHA" }, /// TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> mandatory TLS 1.1
> - { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, ///
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> - { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA,
> mandatory TLS 1.2
> - { 0x0030, "DH-DSS-AES128-SHA" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA
> - { 0x0031, "DH-RSA-AES128-SHA" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA
> - { 0x0033, "DHE-RSA-AES128-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> - { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
> - { 0x0036, "DH-DSS-AES256-SHA" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA
> - { 0x0037, "DH-RSA-AES256-SHA" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA
> - { 0x0039, "DHE-RSA-AES256-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> - { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
> - { 0x003C, "AES128-SHA256" }, ///
> TLS_RSA_WITH_AES_128_CBC_SHA256
> - { 0x003D, "AES256-SHA256" }, ///
> TLS_RSA_WITH_AES_256_CBC_SHA256
> - { 0x003E, "DH-DSS-AES128-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA256
> - { 0x003F, "DH-RSA-AES128-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA256
> - { 0x0067, "DHE-RSA-AES128-SHA256" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> - { 0x0068, "DH-DSS-AES256-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA256
> - { 0x0069, "DH-RSA-AES256-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
> - { 0x006B, "DHE-RSA-AES256-SHA256" } ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> -};
> -
> -/**
> - Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
> -
> - @param[in] CipherId The supplied IANA TLS cipher suite ID.
> -
> - @return The corresponding OpenSSL cipher suite string if found,
> - NULL otherwise.
> -
> -**/
> -STATIC
> -CONST CHAR8 *
> -TlsGetCipherString (
> - IN UINT16 CipherId
> - )
> -{
> - CONST TLS_CIPHER_PAIR *CipherEntry;
> - UINTN TableSize;
> - UINTN Index;
> -
> - CipherEntry = TlsCipherMappingTable;
> - TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
> -
> - //
> - // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
> - //
> - for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
> - //
> - // Translate IANA cipher suite name to OpenSSL name.
> - //
> - if (CipherEntry->IanaCipher == CipherId) {
> - return CipherEntry->OpensslCipher;
> - }
> - }
> -
> - //
> - // No Cipher Mapping found, return NULL.
> - //
> - return NULL;
> -}
> -
> -/**
> - Set a new TLS/SSL method for a particular TLS object.
> -
> - This function sets a new TLS/SSL method for a particular TLS object.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] MajorVer Major Version of TLS/SSL Protocol.
> - @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> -
> - @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetVersion (
> - IN VOID *Tls,
> - IN UINT8 MajorVer,
> - IN UINT8 MinorVer
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - UINT16 ProtoVersion;
> -
> - TlsConn = (TLS_CONNECTION *)Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - ProtoVersion = (MajorVer << 8) | MinorVer;
> -
> - //
> - // Bound TLS method to the particular specified version.
> - //
> - switch (ProtoVersion) {
> - case TLS1_VERSION:
> - //
> - // TLS 1.0
> - //
> - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
> - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
> - break;
> - case TLS1_1_VERSION:
> - //
> - // TLS 1.1
> - //
> - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> - break;
> - case TLS1_2_VERSION:
> - //
> - // TLS 1.2
> - //
> - SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> - SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> - break;
> - default:
> - //
> - // Unsupported Protocol Version
> - //
> - return EFI_UNSUPPORTED;
> - }
> -
> - return EFI_SUCCESS;;
> -}
> -
> -/**
> - Set TLS object to work in client or server mode.
> -
> - This function prepares a TLS object to work in client or server mode.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] IsServer Work in server mode.
> -
> - @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetConnectionEnd (
> - IN VOID *Tls,
> - IN BOOLEAN IsServer
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - if (!IsServer) {
> - //
> - // Set TLS to work in Client mode.
> - //
> - SSL_set_connect_state (TlsConn->Ssl);
> - } else {
> - //
> - // Set TLS to work in Server mode.
> - // It is unsupported for UEFI version currently.
> - //
> - //SSL_set_accept_state (TlsConn->Ssl);
> - return EFI_UNSUPPORTED;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Set the ciphers list to be used by the TLS object.
> -
> - This function sets the ciphers for use by a specified TLS object.
> -
> - @param[in] Tls Pointer to a TLS object.
> - @param[in] CipherId Pointer to a UINT16 cipher Id.
> - @param[in] CipherNum The number of cipher in the list.
> -
> - @retval EFI_SUCCESS The ciphers list was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCipherList (
> - IN VOID *Tls,
> - IN UINT16 *CipherId,
> - IN UINTN CipherNum
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - UINTN Index;
> - CONST CHAR8 *MappingName;
> - CHAR8 CipherString[500];
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - MappingName = NULL;
> -
> - memset (CipherString, 0, sizeof (CipherString));
> -
> - for (Index = 0; Index < CipherNum; Index++) {
> - //
> - // Handling OpenSSL / RFC Cipher name mapping.
> - //
> - MappingName = TlsGetCipherString (*(CipherId + Index));
> - if (MappingName == NULL) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - if (Index != 0) {
> - //
> - // The ciphers were separated by a colon.
> - //
> - AsciiStrCatS (CipherString, sizeof (CipherString), ":");
> - }
> -
> - AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
> - }
> -
> - AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
> -
> - //
> - // Sets the ciphers for use by the Tls object.
> - //
> - if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Set the compression method for TLS/SSL operations.
> -
> - This function handles TLS/SSL integrated compression methods.
> -
> - @param[in] CompMethod The compression method ID.
> -
> - @retval EFI_SUCCESS The compression method for the communication
> was
> - set successfully.
> - @retval EFI_UNSUPPORTED Unsupported compression method.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCompressionMethod (
> - IN UINT8 CompMethod
> - )
> -{
> - COMP_METHOD *Cm;
> - INTN Ret;
> -
> - Cm = NULL;
> - Ret = 0;
> -
> - if (CompMethod == 0) {
> - //
> - // TLS defines one standard compression method,
> CompressionMethod.null (0),
> - // which specifies that data exchanged via the record protocol will not be
> compressed.
> - // So, return EFI_SUCCESS directly (RFC 3749).
> - //
> - return EFI_SUCCESS;
> - } else if (CompMethod == 1) {
> - Cm = COMP_zlib();
> - } else {
> - return EFI_UNSUPPORTED;
> - }
> -
> - //
> - // Adds the compression method to the list of available
> - // compression methods.
> - //
> - Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
> - if (Ret != 0) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Set peer certificate verification mode for the TLS connection.
> -
> - This function sets the verification mode flags for the TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] VerifyMode A set of logically or'ed verification mode flags.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsSetVerify (
> - IN VOID *Tls,
> - IN UINT32 VerifyMode
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return;
> - }
> -
> - //
> - // Set peer certificate verification parameters with NULL callback.
> - //
> - SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
> -}
> -
> -/**
> - Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> -
> - This function sets a session ID to be used when the TLS/SSL connection is
> - to be established.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] SessionId Session ID data used for session resumption.
> - @param[in] SessionIdLen Length of Session ID in bytes.
> -
> - @retval EFI_SUCCESS Session ID was set successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED No available session for ID setting.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetSessionId (
> - IN VOID *Tls,
> - IN UINT8 *SessionId,
> - IN UINT16 SessionIdLen
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - SSL_SESSION *Session;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - Session = NULL;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - Session = SSL_get_session (TlsConn->Ssl);
> - if (Session == NULL) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,
> SessionIdLen);
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Adds the CA to the cert store when requesting Server or Client
> authentication.
> -
> - This function adds the CA certificate to the list of CAs when requesting
> - Server or Client authentication for the chosen TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a DER-encoded binary
> - X.509 certificate or PEM-encoded X.509 certificate.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> - @retval EFI_ABORTED Invalid X.509 certificate.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCaCertificate (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - BIO *BioCert;
> - X509 *Cert;
> - X509_STORE *X509Store;
> - EFI_STATUS Status;
> - TLS_CONNECTION *TlsConn;
> - SSL_CTX *SslCtx;
> - INTN Ret;
> - UINTN ErrorCode;
> -
> - BioCert = NULL;
> - Cert = NULL;
> - X509Store = NULL;
> - Status = EFI_SUCCESS;
> - TlsConn = (TLS_CONNECTION *) Tls;
> - Ret = 0;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - //
> - // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> - // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> - //
> - Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> - if (Cert == NULL) {
> - //
> - // Certificate is from PEM encoding.
> - //
> - BioCert = BIO_new (BIO_s_mem ());
> - if (BioCert == NULL) {
> - Status = EFI_OUT_OF_RESOURCES;
> - goto ON_EXIT;
> - }
> -
> - if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> -
> - Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> - if (Cert == NULL) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> - }
> -
> - SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> - X509Store = SSL_CTX_get_cert_store (SslCtx);
> - if (X509Store == NULL) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> -
> - //
> - // Add certificate to X509 store
> - //
> - Ret = X509_STORE_add_cert (X509Store, Cert);
> - if (Ret != 1) {
> - ErrorCode = ERR_peek_last_error ();
> - //
> - // Ignore "already in table" errors
> - //
> - if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
> - ERR_GET_REASON (ErrorCode) ==
> X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> - }
> -
> -ON_EXIT:
> - if (BioCert != NULL) {
> - BIO_free (BioCert);
> - }
> -
> - if (Cert != NULL) {
> - X509_free (Cert);
> - }
> -
> - return Status;
> -}
> -
> -/**
> - Loads the local public certificate into the specified TLS object.
> -
> - This function loads the X.509 certificate into the specified TLS object
> - for TLS negotiation.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a DER-encoded binary
> - X.509 certificate or PEM-encoded X.509 certificate.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> - @retval EFI_ABORTED Invalid X.509 certificate.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetHostPublicCert (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - BIO *BioCert;
> - X509 *Cert;
> - EFI_STATUS Status;
> - TLS_CONNECTION *TlsConn;
> -
> - BioCert = NULL;
> - Cert = NULL;
> - Status = EFI_SUCCESS;
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - //
> - // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> - // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> - //
> - Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> - if (Cert == NULL) {
> - //
> - // Certificate is from PEM encoding.
> - //
> - BioCert = BIO_new (BIO_s_mem ());
> - if (BioCert == NULL) {
> - Status = EFI_OUT_OF_RESOURCES;
> - goto ON_EXIT;
> - }
> -
> - if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> -
> - Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> - if (Cert == NULL) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> - }
> -
> - if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
> - Status = EFI_ABORTED;
> - goto ON_EXIT;
> - }
> -
> -ON_EXIT:
> - if (BioCert != NULL) {
> - BIO_free (BioCert);
> - }
> -
> - if (Cert != NULL) {
> - X509_free (Cert);
> - }
> -
> - return Status;
> -}
> -
> -/**
> - Adds the local private key to the specified TLS object.
> -
> - This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> - key) into the specified TLS object for TLS negotiation.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> - or PKCS#8 private key.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_ABORTED Invalid private key data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetHostPrivateKey (
> - IN VOID *Tls,
> - IN VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> -
> -/**
> - Adds the CA-supplied certificate revocation list for certificate validation.
> -
> - This function adds the CA-supplied certificate revocation list data for
> - certificate validity checking.
> -
> - @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> - @param[in] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_ABORTED Invalid CRL data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsSetCertRevocationList (
> - IN VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> -
> -/**
> - Gets the protocol version used by the specified TLS connection.
> -
> - This function returns the protocol version used by the specified TLS
> - connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The protocol version of the specified TLS connection.
> -
> -**/
> -UINT16
> -EFIAPI
> -TlsGetVersion (
> - IN VOID *Tls
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - ASSERT (TlsConn != NULL);
> -
> - return (UINT16)(SSL_version (TlsConn->Ssl));
> -}
> -
> -/**
> - Gets the connection end of the specified TLS connection.
> -
> - This function returns the connection end (as client or as server) used by
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The connection end used by the specified TLS connection.
> -
> -**/
> -UINT8
> -EFIAPI
> -TlsGetConnectionEnd (
> - IN VOID *Tls
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - ASSERT (TlsConn != NULL);
> -
> - return (UINT8)SSL_is_server (TlsConn->Ssl);
> -}
> -
> -/**
> - Gets the cipher suite used by the specified TLS connection.
> -
> - This function returns current cipher suite used by the specified
> - TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] CipherId The cipher suite used by the TLS object.
> -
> - @retval EFI_SUCCESS The cipher suite was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Unsupported cipher suite.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCurrentCipher (
> - IN VOID *Tls,
> - IN OUT UINT16 *CipherId
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - CONST SSL_CIPHER *Cipher;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - Cipher = NULL;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - Cipher = SSL_get_current_cipher (TlsConn->Ssl);
> - if (Cipher == NULL) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Gets the compression methods used by the specified TLS connection.
> -
> - This function returns current integrated compression methods used by
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] CompressionId The current compression method used
> by
> - the TLS object.
> -
> - @retval EFI_SUCCESS The compression method was returned
> successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_ABORTED Invalid Compression method.
> - @retval EFI_UNSUPPORTED This function is not supported.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCurrentCompressionId (
> - IN VOID *Tls,
> - IN OUT UINT8 *CompressionId
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> -
> -/**
> - Gets the verification mode currently set in the TLS connection.
> -
> - This function returns the peer verification mode currently set in the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> -
> - @return The verification mode set in the specified TLS connection.
> -
> -**/
> -UINT32
> -EFIAPI
> -TlsGetVerify (
> - IN VOID *Tls
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - ASSERT (TlsConn != NULL);
> -
> - return SSL_get_verify_mode (TlsConn->Ssl);
> -}
> -
> -/**
> - Gets the session ID used by the specified TLS connection.
> -
> - This function returns the TLS/SSL session ID currently used by the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] SessionId Buffer to contain the returned session ID.
> - @param[in,out] SessionIdLen The length of Session ID in bytes.
> -
> - @retval EFI_SUCCESS The Session ID was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetSessionId (
> - IN VOID *Tls,
> - IN OUT UINT8 *SessionId,
> - IN OUT UINT16 *SessionIdLen
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - SSL_SESSION *Session;
> - CONST UINT8 *SslSessionId;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - Session = NULL;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL ||
> SessionIdLen == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - Session = SSL_get_session (TlsConn->Ssl);
> - if (Session == NULL) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
> - CopyMem (SessionId, SslSessionId, *SessionIdLen);
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Gets the client random data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL client random data currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] ClientRandom Buffer to contain the returned client
> - random data (32 bytes).
> -
> -**/
> -VOID
> -EFIAPI
> -TlsGetClientRandom (
> - IN VOID *Tls,
> - IN OUT UINT8 *ClientRandom
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
> - return;
> - }
> -
> - SSL_get_client_random (TlsConn->Ssl, ClientRandom,
> SSL3_RANDOM_SIZE);
> -}
> -
> -/**
> - Gets the server random data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL server random data currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] ServerRandom Buffer to contain the returned server
> - random data (32 bytes).
> -
> -**/
> -VOID
> -EFIAPI
> -TlsGetServerRandom (
> - IN VOID *Tls,
> - IN OUT UINT8 *ServerRandom
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
> - return;
> - }
> -
> - SSL_get_server_random (TlsConn->Ssl, ServerRandom,
> SSL3_RANDOM_SIZE);
> -}
> -
> -/**
> - Gets the master key data used in the specified TLS connection.
> -
> - This function returns the TLS/SSL master key material currently used in
> - the specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] KeyMaterial Buffer to contain the returned key material.
> -
> - @retval EFI_SUCCESS Key material was returned successfully.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetKeyMaterial (
> - IN VOID *Tls,
> - IN OUT UINT8 *KeyMaterial
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - SSL_SESSION *Session;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - Session = NULL;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - Session = SSL_get_session (TlsConn->Ssl);
> -
> - if (Session == NULL) {
> - return EFI_UNSUPPORTED;
> - }
> -
> - SSL_SESSION_get_master_key (Session, KeyMaterial,
> SSL3_MASTER_SECRET_SIZE);
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Gets the CA Certificate from the cert store.
> -
> - This function returns the CA certificate for the chosen
> - TLS connection.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the CA
> - certificate data sent to the client.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCaCertificate (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> -
> -/**
> - Gets the local public Certificate set in the specified TLS object.
> -
> - This function returns the local public certificate which was currently set
> - in the specified TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the local
> - public certificate.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval EFI_NOT_FOUND The certificate is not found.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetHostPublicCert (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - )
> -{
> - X509 *Cert;
> - TLS_CONNECTION *TlsConn;
> -
> - Cert = NULL;
> - TlsConn = (TLS_CONNECTION *) Tls;
> -
> - if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - Cert = SSL_get_certificate(TlsConn->Ssl);
> - if (Cert == NULL) {
> - return EFI_NOT_FOUND;
> - }
> -
> - //
> - // Only DER encoding is supported currently.
> - //
> - if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
> - *DataSize = (UINTN) i2d_X509 (Cert, NULL);
> - return EFI_BUFFER_TOO_SMALL;
> - }
> -
> - *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Gets the local private key set in the specified TLS object.
> -
> - This function returns the local private key data which was currently set
> - in the specified TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[out] Data Pointer to the data buffer to receive the local
> - private key data.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetHostPrivateKey (
> - IN VOID *Tls,
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> -
> -/**
> - Gets the CA-supplied certificate revocation list data set in the specified
> - TLS object.
> -
> - This function returns the CA-supplied certificate revocation list data which
> - was currently set in the specified TLS object.
> -
> - @param[out] Data Pointer to the data buffer to receive the CRL data.
> - @param[in,out] DataSize The size of data buffer in bytes.
> -
> - @retval EFI_SUCCESS The operation succeeded.
> - @retval EFI_UNSUPPORTED This function is not supported.
> - @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsGetCertRevocationList (
> - OUT VOID *Data,
> - IN OUT UINTN *DataSize
> - )
> -{
> - return EFI_UNSUPPORTED;
> -}
> +/** @file
> + SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +typedef struct {
> + //
> + // IANA/IETF defined Cipher Suite ID
> + //
> + UINT16 IanaCipher;
> + //
> + // OpenSSL-used Cipher Suite String
> + //
> + CONST CHAR8 *OpensslCipher;
> +} TLS_CIPHER_PAIR;
> +
> +//
> +// The mapping table between IANA/IETF Cipher Suite definitions and
> +// OpenSSL-used Cipher Suite name.
> +//
> +STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
> + { 0x0001, "NULL-MD5" }, /// TLS_RSA_WITH_NULL_MD5
> + { 0x0002, "NULL-SHA" }, /// TLS_RSA_WITH_NULL_SHA
> + { 0x0004, "RC4-MD5" }, /// TLS_RSA_WITH_RC4_128_MD5
> + { 0x0005, "RC4-SHA" }, /// TLS_RSA_WITH_RC4_128_SHA
> + { 0x000A, "DES-CBC3-SHA" }, ///
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
> + { 0x0016, "DHE-RSA-DES-CBC3-SHA" }, ///
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> + { 0x002F, "AES128-SHA" }, /// TLS_RSA_WITH_AES_128_CBC_SHA,
> mandatory TLS 1.2
> + { 0x0030, "DH-DSS-AES128-SHA" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA
> + { 0x0031, "DH-RSA-AES128-SHA" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA
> + { 0x0033, "DHE-RSA-AES128-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> + { 0x0035, "AES256-SHA" }, /// TLS_RSA_WITH_AES_256_CBC_SHA
> + { 0x0036, "DH-DSS-AES256-SHA" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA
> + { 0x0037, "DH-RSA-AES256-SHA" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA
> + { 0x0039, "DHE-RSA-AES256-SHA" }, ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> + { 0x003B, "NULL-SHA256" }, /// TLS_RSA_WITH_NULL_SHA256
> + { 0x003C, "AES128-SHA256" }, ///
> TLS_RSA_WITH_AES_128_CBC_SHA256
> + { 0x003D, "AES256-SHA256" }, ///
> TLS_RSA_WITH_AES_256_CBC_SHA256
> + { 0x003E, "DH-DSS-AES128-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_128_CBC_SHA256
> + { 0x003F, "DH-RSA-AES128-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_128_CBC_SHA256
> + { 0x0067, "DHE-RSA-AES128-SHA256" }, ///
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> + { 0x0068, "DH-DSS-AES256-SHA256" }, ///
> TLS_DH_DSS_WITH_AES_256_CBC_SHA256
> + { 0x0069, "DH-RSA-AES256-SHA256" }, ///
> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
> + { 0x006B, "DHE-RSA-AES256-SHA256" } ///
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> +};
> +
> +/**
> + Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
> +
> + @param[in] CipherId The supplied IANA TLS cipher suite ID.
> +
> + @return The corresponding OpenSSL cipher suite string if found,
> + NULL otherwise.
> +
> +**/
> +STATIC
> +CONST CHAR8 *
> +TlsGetCipherString (
> + IN UINT16 CipherId
> + )
> +{
> + CONST TLS_CIPHER_PAIR *CipherEntry;
> + UINTN TableSize;
> + UINTN Index;
> +
> + CipherEntry = TlsCipherMappingTable;
> + TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
> +
> + //
> + // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
> + //
> + for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
> + //
> + // Translate IANA cipher suite name to OpenSSL name.
> + //
> + if (CipherEntry->IanaCipher == CipherId) {
> + return CipherEntry->OpensslCipher;
> + }
> + }
> +
> + //
> + // No Cipher Mapping found, return NULL.
> + //
> + return NULL;
> +}
> +
> +/**
> + Set a new TLS/SSL method for a particular TLS object.
> +
> + This function sets a new TLS/SSL method for a particular TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @retval EFI_SUCCESS The TLS/SSL method was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetVersion (
> + IN VOID *Tls,
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINT16 ProtoVersion;
> +
> + TlsConn = (TLS_CONNECTION *)Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + ProtoVersion = (MajorVer << 8) | MinorVer;
> +
> + //
> + // Bound TLS method to the particular specified version.
> + //
> + switch (ProtoVersion) {
> + case TLS1_VERSION:
> + //
> + // TLS 1.0
> + //
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
> + break;
> + case TLS1_1_VERSION:
> + //
> + // TLS 1.1
> + //
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
> + break;
> + case TLS1_2_VERSION:
> + //
> + // TLS 1.2
> + //
> + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
> + break;
> + default:
> + //
> + // Unsupported Protocol Version
> + //
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;;
> +}
> +
> +/**
> + Set TLS object to work in client or server mode.
> +
> + This function prepares a TLS object to work in client or server mode.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] IsServer Work in server mode.
> +
> + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetConnectionEnd (
> + IN VOID *Tls,
> + IN BOOLEAN IsServer
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + if (!IsServer) {
> + //
> + // Set TLS to work in Client mode.
> + //
> + SSL_set_connect_state (TlsConn->Ssl);
> + } else {
> + //
> + // Set TLS to work in Server mode.
> + // It is unsupported for UEFI version currently.
> + //
> + //SSL_set_accept_state (TlsConn->Ssl);
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set the ciphers list to be used by the TLS object.
> +
> + This function sets the ciphers for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] CipherId Pointer to a UINT16 cipher Id.
> + @param[in] CipherNum The number of cipher in the list.
> +
> + @retval EFI_SUCCESS The ciphers list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported TLS cipher in the list.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCipherList (
> + IN VOID *Tls,
> + IN UINT16 *CipherId,
> + IN UINTN CipherNum
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN Index;
> + CONST CHAR8 *MappingName;
> + CHAR8 CipherString[500];
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + MappingName = NULL;
> +
> + memset (CipherString, 0, sizeof (CipherString));
> +
> + for (Index = 0; Index < CipherNum; Index++) {
> + //
> + // Handling OpenSSL / RFC Cipher name mapping.
> + //
> + MappingName = TlsGetCipherString (*(CipherId + Index));
> + if (MappingName == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (Index != 0) {
> + //
> + // The ciphers were separated by a colon.
> + //
> + AsciiStrCatS (CipherString, sizeof (CipherString), ":");
> + }
> +
> + AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
> + }
> +
> + AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
> +
> + //
> + // Sets the ciphers for use by the Tls object.
> + //
> + if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set the compression method for TLS/SSL operations.
> +
> + This function handles TLS/SSL integrated compression methods.
> +
> + @param[in] CompMethod The compression method ID.
> +
> + @retval EFI_SUCCESS The compression method for the communication
> was
> + set successfully.
> + @retval EFI_UNSUPPORTED Unsupported compression method.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCompressionMethod (
> + IN UINT8 CompMethod
> + )
> +{
> + COMP_METHOD *Cm;
> + INTN Ret;
> +
> + Cm = NULL;
> + Ret = 0;
> +
> + if (CompMethod == 0) {
> + //
> + // TLS defines one standard compression method,
> CompressionMethod.null (0),
> + // which specifies that data exchanged via the record protocol will not be
> compressed.
> + // So, return EFI_SUCCESS directly (RFC 3749).
> + //
> + return EFI_SUCCESS;
> + } else if (CompMethod == 1) {
> + Cm = COMP_zlib();
> + } else {
> + return EFI_UNSUPPORTED;
> + }
> +
> + //
> + // Adds the compression method to the list of available
> + // compression methods.
> + //
> + Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
> + if (Ret != 0) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Set peer certificate verification mode for the TLS connection.
> +
> + This function sets the verification mode flags for the TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] VerifyMode A set of logically or'ed verification mode flags.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsSetVerify (
> + IN VOID *Tls,
> + IN UINT32 VerifyMode
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return;
> + }
> +
> + //
> + // Set peer certificate verification parameters with NULL callback.
> + //
> + SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
> +}
> +
> +/**
> + Sets a TLS/SSL session ID to be used during TLS/SSL connect.
> +
> + This function sets a session ID to be used when the TLS/SSL connection is
> + to be established.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] SessionId Session ID data used for session resumption.
> + @param[in] SessionIdLen Length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS Session ID was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED No available session for ID setting.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetSessionId (
> + IN VOID *Tls,
> + IN UINT8 *SessionId,
> + IN UINT16 SessionIdLen
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId,
> SessionIdLen);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Adds the CA to the cert store when requesting Server or Client
> authentication.
> +
> + This function adds the CA certificate to the list of CAs when requesting
> + Server or Client authentication for the chosen TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCaCertificate (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + BIO *BioCert;
> + X509 *Cert;
> + X509_STORE *X509Store;
> + EFI_STATUS Status;
> + TLS_CONNECTION *TlsConn;
> + SSL_CTX *SslCtx;
> + INTN Ret;
> + UINTN ErrorCode;
> +
> + BioCert = NULL;
> + Cert = NULL;
> + X509Store = NULL;
> + Status = EFI_SUCCESS;
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Ret = 0;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> + // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> + //
> + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> + if (Cert == NULL) {
> + //
> + // Certificate is from PEM encoding.
> + //
> + BioCert = BIO_new (BIO_s_mem ());
> + if (BioCert == NULL) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_EXIT;
> + }
> +
> + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> + if (Cert == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> + X509Store = SSL_CTX_get_cert_store (SslCtx);
> + if (X509Store == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + //
> + // Add certificate to X509 store
> + //
> + Ret = X509_STORE_add_cert (X509Store, Cert);
> + if (Ret != 1) {
> + ErrorCode = ERR_peek_last_error ();
> + //
> + // Ignore "already in table" errors
> + //
> + if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
> + ERR_GET_REASON (ErrorCode) ==
> X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> +ON_EXIT:
> + if (BioCert != NULL) {
> + BIO_free (BioCert);
> + }
> +
> + if (Cert != NULL) {
> + X509_free (Cert);
> + }
> +
> + return Status;
> +}
> +
> +/**
> + Loads the local public certificate into the specified TLS object.
> +
> + This function loads the X.509 certificate into the specified TLS object
> + for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded binary
> + X.509 certificate or PEM-encoded X.509 certificate.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_OUT_OF_RESOURCES Required resources could not be
> allocated.
> + @retval EFI_ABORTED Invalid X.509 certificate.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPublicCert (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + BIO *BioCert;
> + X509 *Cert;
> + EFI_STATUS Status;
> + TLS_CONNECTION *TlsConn;
> +
> + BioCert = NULL;
> + Cert = NULL;
> + Status = EFI_SUCCESS;
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize
> == 0) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
> + // Determine whether certificate is from DER encoding, if so, translate it to
> X509 structure.
> + //
> + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
> + if (Cert == NULL) {
> + //
> + // Certificate is from PEM encoding.
> + //
> + BioCert = BIO_new (BIO_s_mem ());
> + if (BioCert == NULL) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_EXIT;
> + }
> +
> + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
> + if (Cert == NULL) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> + }
> +
> + if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
> + Status = EFI_ABORTED;
> + goto ON_EXIT;
> + }
> +
> +ON_EXIT:
> + if (BioCert != NULL) {
> + BIO_free (BioCert);
> + }
> +
> + if (Cert != NULL) {
> + X509_free (Cert);
> + }
> +
> + return Status;
> +}
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (PEM-encoded RSA or PKCS#8
> private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPrivateKey (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Adds the CA-supplied certificate revocation list for certificate validation.
> +
> + This function adds the CA-supplied certificate revocation list data for
> + certificate validity checking.
> +
> + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
> + @param[in] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid CRL data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetCertRevocationList (
> + IN VOID *Data,
> + IN UINTN DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the protocol version used by the specified TLS connection.
> +
> + This function returns the protocol version used by the specified TLS
> + connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The protocol version of the specified TLS connection.
> +
> +**/
> +UINT16
> +EFIAPI
> +TlsGetVersion (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return (UINT16)(SSL_version (TlsConn->Ssl));
> +}
> +
> +/**
> + Gets the connection end of the specified TLS connection.
> +
> + This function returns the connection end (as client or as server) used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The connection end used by the specified TLS connection.
> +
> +**/
> +UINT8
> +EFIAPI
> +TlsGetConnectionEnd (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return (UINT8)SSL_is_server (TlsConn->Ssl);
> +}
> +
> +/**
> + Gets the cipher suite used by the specified TLS connection.
> +
> + This function returns current cipher suite used by the specified
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CipherId The cipher suite used by the TLS object.
> +
> + @retval EFI_SUCCESS The cipher suite was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Unsupported cipher suite.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCipher (
> + IN VOID *Tls,
> + IN OUT UINT16 *CipherId
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + CONST SSL_CIPHER *Cipher;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Cipher = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Cipher = SSL_get_current_cipher (TlsConn->Ssl);
> + if (Cipher == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the compression methods used by the specified TLS connection.
> +
> + This function returns current integrated compression methods used by
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] CompressionId The current compression method used
> by
> + the TLS object.
> +
> + @retval EFI_SUCCESS The compression method was returned
> successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_ABORTED Invalid Compression method.
> + @retval EFI_UNSUPPORTED This function is not supported.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCurrentCompressionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *CompressionId
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the verification mode currently set in the TLS connection.
> +
> + This function returns the peer verification mode currently set in the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> +
> + @return The verification mode set in the specified TLS connection.
> +
> +**/
> +UINT32
> +EFIAPI
> +TlsGetVerify (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + ASSERT (TlsConn != NULL);
> +
> + return SSL_get_verify_mode (TlsConn->Ssl);
> +}
> +
> +/**
> + Gets the session ID used by the specified TLS connection.
> +
> + This function returns the TLS/SSL session ID currently used by the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] SessionId Buffer to contain the returned session ID.
> + @param[in,out] SessionIdLen The length of Session ID in bytes.
> +
> + @retval EFI_SUCCESS The Session ID was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetSessionId (
> + IN VOID *Tls,
> + IN OUT UINT8 *SessionId,
> + IN OUT UINT16 *SessionIdLen
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> + CONST UINT8 *SslSessionId;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL ||
> SessionIdLen == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + SslSessionId = SSL_SESSION_get_id (Session, (unsigned int
> *)SessionIdLen);
> + CopyMem (SessionId, SslSessionId, *SessionIdLen);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the client random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL client random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ClientRandom Buffer to contain the returned client
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetClientRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ClientRandom
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
> + return;
> + }
> +
> + SSL_get_client_random (TlsConn->Ssl, ClientRandom,
> SSL3_RANDOM_SIZE);
> +}
> +
> +/**
> + Gets the server random data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL server random data currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] ServerRandom Buffer to contain the returned server
> + random data (32 bytes).
> +
> +**/
> +VOID
> +EFIAPI
> +TlsGetServerRandom (
> + IN VOID *Tls,
> + IN OUT UINT8 *ServerRandom
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
> + return;
> + }
> +
> + SSL_get_server_random (TlsConn->Ssl, ServerRandom,
> SSL3_RANDOM_SIZE);
> +}
> +
> +/**
> + Gets the master key data used in the specified TLS connection.
> +
> + This function returns the TLS/SSL master key material currently used in
> + the specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] KeyMaterial Buffer to contain the returned key material.
> +
> + @retval EFI_SUCCESS Key material was returned successfully.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetKeyMaterial (
> + IN VOID *Tls,
> + IN OUT UINT8 *KeyMaterial
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_SESSION *Session;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + Session = NULL;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Session = SSL_get_session (TlsConn->Ssl);
> +
> + if (Session == NULL) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + SSL_SESSION_get_master_key (Session, KeyMaterial,
> SSL3_MASTER_SECRET_SIZE);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the CA Certificate from the cert store.
> +
> + This function returns the CA certificate for the chosen
> + TLS connection.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the CA
> + certificate data sent to the client.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCaCertificate (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the local public Certificate set in the specified TLS object.
> +
> + This function returns the local public certificate which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + public certificate.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval EFI_NOT_FOUND The certificate is not found.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPublicCert (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + X509 *Cert;
> + TLS_CONNECTION *TlsConn;
> +
> + Cert = NULL;
> + TlsConn = (TLS_CONNECTION *) Tls;
> +
> + if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Cert = SSL_get_certificate(TlsConn->Ssl);
> + if (Cert == NULL) {
> + return EFI_NOT_FOUND;
> + }
> +
> + //
> + // Only DER encoding is supported currently.
> + //
> + if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
> + *DataSize = (UINTN) i2d_X509 (Cert, NULL);
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Gets the local private key set in the specified TLS object.
> +
> + This function returns the local private key data which was currently set
> + in the specified TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[out] Data Pointer to the data buffer to receive the local
> + private key data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetHostPrivateKey (
> + IN VOID *Tls,
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Gets the CA-supplied certificate revocation list data set in the specified
> + TLS object.
> +
> + This function returns the CA-supplied certificate revocation list data which
> + was currently set in the specified TLS object.
> +
> + @param[out] Data Pointer to the data buffer to receive the CRL data.
> + @param[in,out] DataSize The size of data buffer in bytes.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetCertRevocationList (
> + OUT VOID *Data,
> + IN OUT UINTN *DataSize
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c
> b/CryptoPkg/Library/TlsLib/TlsInit.c
> index f32148ac9a..e2c9744a44 100644
> --- a/CryptoPkg/Library/TlsLib/TlsInit.c
> +++ b/CryptoPkg/Library/TlsLib/TlsInit.c
> @@ -1,268 +1,269 @@
> -/** @file
> - SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> -This program and the accompanying materials
> -are licensed and made available under the terms and conditions of the BSD
> License
> -which accompanies this distribution. The full text of the license may be
> found at
> -http://opensource.org/licenses/bsd-license.php
> -
> -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -
> -**/
> -
> -#include "InternalTlsLib.h"
> -
> -/**
> - Initializes the OpenSSL library.
> -
> - This function registers ciphers and digests used directly and indirectly
> - by SSL/TLS, and initializes the readable error messages.
> - This function must be called before any other action takes places.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsInitialize (
> - VOID
> - )
> -{
> - //
> - // Performs initialization of crypto and ssl library, and loads required
> - // algorithms.
> - //
> - OPENSSL_init_ssl (
> - OPENSSL_INIT_LOAD_SSL_STRINGS |
> OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
> - NULL
> - );
> -
> - //
> - // Initialize the pseudorandom number generator.
> - //
> - RandomSeed (NULL, 0);
> -}
> -
> -/**
> - Free an allocated SSL_CTX object.
> -
> - @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsCtxFree (
> - IN VOID *TlsCtx
> - )
> -{
> - if (TlsCtx == NULL) {
> - return;
> - }
> -
> - if (TlsCtx != NULL) {
> - SSL_CTX_free ((SSL_CTX *) (TlsCtx));
> - }
> -}
> -
> -/**
> - Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> - connections.
> -
> - @param[in] MajorVer Major Version of TLS/SSL Protocol.
> - @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> -
> - @return Pointer to an allocated SSL_CTX object.
> - If the creation failed, TlsCtxNew() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -TlsCtxNew (
> - IN UINT8 MajorVer,
> - IN UINT8 MinorVer
> - )
> -{
> - SSL_CTX *TlsCtx;
> - UINT16 ProtoVersion;
> -
> - ProtoVersion = (MajorVer << 8) | MinorVer;
> -
> - TlsCtx = SSL_CTX_new (SSLv23_client_method ());
> - if (TlsCtx == NULL) {
> - return NULL;
> - }
> -
> - //
> - // Ensure SSLv3 is disabled
> - //
> - SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
> -
> - //
> - // Treat as minimum accepted versions by setting the minimal bound.
> - // Client can use higher TLS version if server supports it
> - //
> - SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
> -
> - return (VOID *) TlsCtx;
> -}
> -
> -/**
> - Free an allocated TLS object.
> -
> - This function removes the TLS object pointed to by Tls and frees up the
> - allocated memory. If Tls is NULL, nothing is done.
> -
> - @param[in] Tls Pointer to the TLS object to be freed.
> -
> -**/
> -VOID
> -EFIAPI
> -TlsFree (
> - IN VOID *Tls
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL) {
> - return;
> - }
> -
> - //
> - // Free the internal TLS and BIO objects.
> - //
> - if (TlsConn->Ssl != NULL) {
> - SSL_free (TlsConn->Ssl);
> - }
> -
> - if (TlsConn->InBio != NULL) {
> - BIO_free (TlsConn->InBio);
> - }
> -
> - if (TlsConn->OutBio != NULL) {
> - BIO_free (TlsConn->OutBio);
> - }
> -
> - OPENSSL_free (Tls);
> -}
> -
> -/**
> - Create a new TLS object for a connection.
> -
> - This function creates a new TLS object for a connection. The new object
> - inherits the setting of the underlying context TlsCtx: connection method,
> - options, verification setting.
> -
> - @param[in] TlsCtx Pointer to the SSL_CTX object.
> -
> - @return Pointer to an allocated SSL object.
> - If the creation failed, TlsNew() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -TlsNew (
> - IN VOID *TlsCtx
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - SSL_CTX *SslCtx;
> - X509_STORE *X509Store;
> -
> - TlsConn = NULL;
> -
> - //
> - // Allocate one new TLS_CONNECTION object
> - //
> - TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof
> (TLS_CONNECTION));
> - if (TlsConn == NULL) {
> - return NULL;
> - }
> -
> - TlsConn->Ssl = NULL;
> -
> - //
> - // Create a new SSL Object
> - //
> - TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
> - if (TlsConn->Ssl == NULL) {
> - TlsFree ((VOID *) TlsConn);
> - return NULL;
> - }
> -
> - //
> - // This retains compatibility with previous version of OpenSSL.
> - //
> - SSL_set_security_level (TlsConn->Ssl, 0);
> -
> - //
> - // Initialize the created SSL Object
> - //
> - SSL_set_info_callback (TlsConn->Ssl, NULL);
> -
> - TlsConn->InBio = NULL;
> -
> - //
> - // Set up Reading BIO for TLS connection
> - //
> - TlsConn->InBio = BIO_new (BIO_s_mem ());
> - if (TlsConn->InBio == NULL) {
> - TlsFree ((VOID *) TlsConn);
> - return NULL;
> - }
> -
> - //
> - // Sets the behaviour of memory BIO when it is empty. It will set the
> - // read retry flag.
> - //
> - BIO_set_mem_eof_return (TlsConn->InBio, -1);
> -
> - TlsConn->OutBio = NULL;
> -
> - //
> - // Set up Writing BIO for TLS connection
> - //
> - TlsConn->OutBio = BIO_new (BIO_s_mem ());
> - if (TlsConn->OutBio == NULL) {
> - TlsFree ((VOID *) TlsConn);
> - return NULL;
> - }
> -
> - //
> - // Sets the behaviour of memory BIO when it is empty. It will set the
> - // write retry flag.
> - //
> - BIO_set_mem_eof_return (TlsConn->OutBio, -1);
> -
> - ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn-
> >OutBio != NULL);
> -
> - //
> - // Connects the InBio and OutBio for the read and write operations.
> - //
> - SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
> -
> - //
> - // Create new X509 store if needed
> - //
> - SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> - X509Store = SSL_CTX_get_cert_store (SslCtx);
> - if (X509Store == NULL) {
> - X509Store = X509_STORE_new ();
> - if (X509Store == NULL) {
> - TlsFree ((VOID *) TlsConn);
> - return NULL;
> - }
> - SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
> - X509_STORE_free (X509Store);
> - }
> -
> - //
> - // Set X509_STORE flags used in certificate validation
> - //
> - X509_STORE_set_flags (
> - X509Store,
> - X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
> - );
> - return (VOID *) TlsConn;
> -}
> +/** @file
> + SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +/**
> + Initializes the OpenSSL library.
> +
> + This function registers ciphers and digests used directly and indirectly
> + by SSL/TLS, and initializes the readable error messages.
> + This function must be called before any other action takes places.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsInitialize (
> + VOID
> + )
> +{
> + //
> + // Performs initialization of crypto and ssl library, and loads required
> + // algorithms.
> + //
> + OPENSSL_init_ssl (
> + OPENSSL_INIT_LOAD_SSL_STRINGS |
> OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
> + NULL
> + );
> +
> + //
> + // Initialize the pseudorandom number generator.
> + //
> + RandomSeed (NULL, 0);
> +}
> +
> +/**
> + Free an allocated SSL_CTX object.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsCtxFree (
> + IN VOID *TlsCtx
> + )
> +{
> + if (TlsCtx == NULL) {
> + return;
> + }
> +
> + if (TlsCtx != NULL) {
> + SSL_CTX_free ((SSL_CTX *) (TlsCtx));
> + }
> +}
> +
> +/**
> + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
> + connections.
> +
> + @param[in] MajorVer Major Version of TLS/SSL Protocol.
> + @param[in] MinorVer Minor Version of TLS/SSL Protocol.
> +
> + @return Pointer to an allocated SSL_CTX object.
> + If the creation failed, TlsCtxNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsCtxNew (
> + IN UINT8 MajorVer,
> + IN UINT8 MinorVer
> + )
> +{
> + SSL_CTX *TlsCtx;
> + UINT16 ProtoVersion;
> +
> + ProtoVersion = (MajorVer << 8) | MinorVer;
> +
> + TlsCtx = SSL_CTX_new (SSLv23_client_method ());
> + if (TlsCtx == NULL) {
> + return NULL;
> + }
> +
> + //
> + // Ensure SSLv3 is disabled
> + //
> + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
> +
> + //
> + // Treat as minimum accepted versions by setting the minimal bound.
> + // Client can use higher TLS version if server supports it
> + //
> + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
> +
> + return (VOID *) TlsCtx;
> +}
> +
> +/**
> + Free an allocated TLS object.
> +
> + This function removes the TLS object pointed to by Tls and frees up the
> + allocated memory. If Tls is NULL, nothing is done.
> +
> + @param[in] Tls Pointer to the TLS object to be freed.
> +
> +**/
> +VOID
> +EFIAPI
> +TlsFree (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL) {
> + return;
> + }
> +
> + //
> + // Free the internal TLS and BIO objects.
> + //
> + if (TlsConn->Ssl != NULL) {
> + SSL_free (TlsConn->Ssl);
> + }
> +
> + if (TlsConn->InBio != NULL) {
> + BIO_free (TlsConn->InBio);
> + }
> +
> + if (TlsConn->OutBio != NULL) {
> + BIO_free (TlsConn->OutBio);
> + }
> +
> + OPENSSL_free (Tls);
> +}
> +
> +/**
> + Create a new TLS object for a connection.
> +
> + This function creates a new TLS object for a connection. The new object
> + inherits the setting of the underlying context TlsCtx: connection method,
> + options, verification setting.
> +
> + @param[in] TlsCtx Pointer to the SSL_CTX object.
> +
> + @return Pointer to an allocated SSL object.
> + If the creation failed, TlsNew() returns NULL.
> +
> +**/
> +VOID *
> +EFIAPI
> +TlsNew (
> + IN VOID *TlsCtx
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + SSL_CTX *SslCtx;
> + X509_STORE *X509Store;
> +
> + TlsConn = NULL;
> +
> + //
> + // Allocate one new TLS_CONNECTION object
> + //
> + TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof
> (TLS_CONNECTION));
> + if (TlsConn == NULL) {
> + return NULL;
> + }
> +
> + TlsConn->Ssl = NULL;
> +
> + //
> + // Create a new SSL Object
> + //
> + TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
> + if (TlsConn->Ssl == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // This retains compatibility with previous version of OpenSSL.
> + //
> + SSL_set_security_level (TlsConn->Ssl, 0);
> +
> + //
> + // Initialize the created SSL Object
> + //
> + SSL_set_info_callback (TlsConn->Ssl, NULL);
> +
> + TlsConn->InBio = NULL;
> +
> + //
> + // Set up Reading BIO for TLS connection
> + //
> + TlsConn->InBio = BIO_new (BIO_s_mem ());
> + if (TlsConn->InBio == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // Sets the behaviour of memory BIO when it is empty. It will set the
> + // read retry flag.
> + //
> + BIO_set_mem_eof_return (TlsConn->InBio, -1);
> +
> + TlsConn->OutBio = NULL;
> +
> + //
> + // Set up Writing BIO for TLS connection
> + //
> + TlsConn->OutBio = BIO_new (BIO_s_mem ());
> + if (TlsConn->OutBio == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> +
> + //
> + // Sets the behaviour of memory BIO when it is empty. It will set the
> + // write retry flag.
> + //
> + BIO_set_mem_eof_return (TlsConn->OutBio, -1);
> +
> + ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn-
> >OutBio != NULL);
> +
> + //
> + // Connects the InBio and OutBio for the read and write operations.
> + //
> + SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
> +
> + //
> + // Create new X509 store if needed
> + //
> + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
> + X509Store = SSL_CTX_get_cert_store (SslCtx);
> + if (X509Store == NULL) {
> + X509Store = X509_STORE_new ();
> + if (X509Store == NULL) {
> + TlsFree ((VOID *) TlsConn);
> + return NULL;
> + }
> + SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
> + X509_STORE_free (X509Store);
> + }
> +
> + //
> + // Set X509_STORE flags used in certificate validation
> + //
> + X509_STORE_set_flags (
> + X509Store,
> + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
> + );
> + return (VOID *) TlsConn;
> +}
> +
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf
> b/CryptoPkg/Library/TlsLib/TlsLib.inf
> index d4ce646591..a3f93e7165 100644
> --- a/CryptoPkg/Library/TlsLib/TlsLib.inf
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.inf
> @@ -1,56 +1,57 @@
> -## @file
> -# SSL/TLS Wrapper Library Instance based on OpenSSL.
> -#
> -# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> -# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> -# This program and the accompanying materials
> -# are licensed and made available under the terms and conditions of the
> BSD License
> -# which accompanies this distribution. The full text of the license may be
> found at
> -# http://opensource.org/licenses/bsd-license.php
> -#
> -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -#
> -##
> -
> -[Defines]
> - INF_VERSION = 0x00010005
> - BASE_NAME = TlsLib
> - MODULE_UNI_FILE = TlsLib.uni
> - FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
> - MODULE_TYPE = DXE_DRIVER
> - VERSION_STRING = 1.0
> - LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE
> UEFI_APPLICATION UEFI_DRIVER
> -
> -#
> -# The following information is for reference only and not required by the
> build tools.
> -#
> -# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
> -#
> -
> -[Sources]
> - InternalTlsLib.h
> - TlsInit.c
> - TlsConfig.c
> - TlsProcess.c
> -
> -[Packages]
> - MdePkg/MdePkg.dec
> - CryptoPkg/CryptoPkg.dec
> -
> -[LibraryClasses]
> - BaseLib
> - BaseMemoryLib
> - MemoryAllocationLib
> - UefiRuntimeServicesTableLib
> - DebugLib
> - OpensslLib
> - IntrinsicLib
> - PrintLib
> -
> -[BuildOptions]
> - #
> - # suppress the following warnings so we do not break the build with
> warnings-as-errors:
> - # C4090: 'function' : different 'const' qualifiers
> - #
> - MSFT:*_*_*_CC_FLAGS = /wd4090
> +## @file
> +# SSL/TLS Wrapper Library Instance based on OpenSSL.
> +#
> +# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# This program and the accompanying materials
> +# are licensed and made available under the terms and conditions of the
> BSD License
> +# which accompanies this distribution. The full text of the license may be
> found at
> +# http://opensource.org/licenses/bsd-license.php
> +#
> +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = TlsLib
> + MODULE_UNI_FILE = TlsLib.uni
> + FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
> + MODULE_TYPE = DXE_DRIVER
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE
> UEFI_APPLICATION UEFI_DRIVER
> +
> +#
> +# The following information is for reference only and not required by the
> build tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
> +#
> +
> +[Sources]
> + InternalTlsLib.h
> + TlsInit.c
> + TlsConfig.c
> + TlsProcess.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + MemoryAllocationLib
> + UefiRuntimeServicesTableLib
> + DebugLib
> + OpensslLib
> + IntrinsicLib
> + PrintLib
> +
> +[BuildOptions]
> + #
> + # suppress the following warnings so we do not break the build with
> warnings-as-errors:
> + # C4090: 'function' : different 'const' qualifiers
> + #
> + MSFT:*_*_*_CC_FLAGS = /wd4090
> +
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.uni
> b/CryptoPkg/Library/TlsLib/TlsLib.uni
> index 9b792872a5..e43a5df8e6 100644
> --- a/CryptoPkg/Library/TlsLib/TlsLib.uni
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.uni
> @@ -1,19 +1,19 @@
> -// /** @file
> -// SSL/TLS Wrapper Library Instance based on OpenSSL.
> -//
> -// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> -//
> -// This program and the accompanying materials
> -// are licensed and made available under the terms and conditions of the
> BSD License
> -// which accompanies this distribution. The full text of the license may be
> found at
> -// http://opensource.org/licenses/bsd-license.php
> -//
> -// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -//
> -// **/
> -
> -
> -#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper
> Library Instance"
> -
> -#string STR_MODULE_DESCRIPTION #language en-US "This module
> provides SSL/TLS Wrapper Library Instance."
> \ No newline at end of file
> +// /** @file
> +// SSL/TLS Wrapper Library Instance based on OpenSSL.
> +//
> +// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +//
> +// This program and the accompanying materials
> +// are licensed and made available under the terms and conditions of the
> BSD License
> +// which accompanies this distribution. The full text of the license may be
> found at
> +// http://opensource.org/licenses/bsd-license.php
> +//
> +// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper
> Library Instance"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This module
> provides SSL/TLS Wrapper Library Instance."
> diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c
> b/CryptoPkg/Library/TlsLib/TlsProcess.c
> index 8532dab97a..38baac0e8b 100644
> --- a/CryptoPkg/Library/TlsLib/TlsProcess.c
> +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c
> @@ -1,462 +1,463 @@
> -/** @file
> - SSL/TLS Process Library Wrapper Implementation over OpenSSL.
> - The process includes the TLS handshake and packet I/O.
> -
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> -This program and the accompanying materials
> -are licensed and made available under the terms and conditions of the BSD
> License
> -which accompanies this distribution. The full text of the license may be
> found at
> -http://opensource.org/licenses/bsd-license.php
> -
> -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> -
> -**/
> -
> -#include "InternalTlsLib.h"
> -
> -#define MAX_BUFFER_SIZE 32768
> -
> -/**
> - Checks if the TLS handshake was done.
> -
> - This function will check if the specified TLS handshake was done.
> -
> - @param[in] Tls Pointer to the TLS object for handshake state checking.
> -
> - @retval TRUE The TLS handshake was done.
> - @retval FALSE The TLS handshake was not done.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TlsInHandshake (
> - IN VOID *Tls
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // Return the status which indicates if the TLS handshake was done.
> - //
> - return !SSL_is_init_finished (TlsConn->Ssl);
> -}
> -
> -/**
> - Perform a TLS/SSL handshake.
> -
> - This function will perform a TLS/SSL handshake.
> -
> - @param[in] Tls Pointer to the TLS object for handshake operation.
> - @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> - @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> - Handshake packet.
> - @param[out] BufferOut Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferIn is NULL but BufferInSize is NOT 0.
> - BufferInSize is 0 but BufferIn is NOT NULL.
> - BufferOutSize is NULL.
> - BufferOut is NULL if *BufferOutSize is not zero.
> - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> - @retval EFI_ABORTED Something wrong during handshake.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsDoHandshake (
> - IN VOID *Tls,
> - IN UINT8 *BufferIn, OPTIONAL
> - IN UINTN BufferInSize, OPTIONAL
> - OUT UINT8 *BufferOut, OPTIONAL
> - IN OUT UINTN *BufferOutSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - UINTN PendingBufferSize;
> - INTN Ret;
> - UINTN ErrorCode;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - PendingBufferSize = 0;
> - Ret = 1;
> -
> - if (TlsConn == NULL || \
> - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> - BufferOutSize == NULL || \
> - (BufferIn == NULL && BufferInSize != 0) || \
> - (BufferIn != NULL && BufferInSize == 0) || \
> - (BufferOut == NULL && *BufferOutSize != 0)) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - if(BufferIn == NULL && BufferInSize == 0) {
> - //
> - // If RequestBuffer is NULL and RequestSize is 0, and TLS session
> - // status is EfiTlsSessionNotStarted, the TLS session will be initiated
> - // and the response packet needs to be ClientHello.
> - //
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - if (PendingBufferSize == 0) {
> - SSL_set_connect_state (TlsConn->Ssl);
> - Ret = SSL_do_handshake (TlsConn->Ssl);
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - }
> - } else {
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - if (PendingBufferSize == 0) {
> - BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> - Ret = SSL_do_handshake (TlsConn->Ssl);
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - }
> - }
> -
> - if (Ret < 1) {
> - Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
> - if (Ret == SSL_ERROR_SSL ||
> - Ret == SSL_ERROR_SYSCALL ||
> - Ret == SSL_ERROR_ZERO_RETURN) {
> - DEBUG ((
> - DEBUG_ERROR,
> - "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
> - __FUNCTION__,
> - SSL_get_state (TlsConn->Ssl),
> - Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ?
> "SYSCALL" : "ZERO_RETURN"
> - ));
> - DEBUG_CODE_BEGIN ();
> - while (TRUE) {
> - ErrorCode = ERR_get_error ();
> - if (ErrorCode == 0) {
> - break;
> - }
> - DEBUG ((
> - DEBUG_ERROR,
> - "%a ERROR 0x%x=L%x:F%x:R%x\n",
> - __FUNCTION__,
> - ErrorCode,
> - ERR_GET_LIB (ErrorCode),
> - ERR_GET_FUNC (ErrorCode),
> - ERR_GET_REASON (ErrorCode)
> - ));
> - }
> - DEBUG_CODE_END ();
> - return EFI_ABORTED;
> - }
> - }
> -
> - if (PendingBufferSize > *BufferOutSize) {
> - *BufferOutSize = PendingBufferSize;
> - return EFI_BUFFER_TOO_SMALL;
> - }
> -
> - if (PendingBufferSize > 0) {
> - *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> - } else {
> - *BufferOutSize = 0;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Handle Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> - TLS session has errors and the response packet needs to be Alert message
> based on error type.
> -
> - @param[in] Tls Pointer to the TLS object for state checking.
> - @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> - @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> - Alert packet.
> - @param[out] BufferOut Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferIn is NULL but BufferInSize is NOT 0.
> - BufferInSize is 0 but BufferIn is NOT NULL.
> - BufferOutSize is NULL.
> - BufferOut is NULL if *BufferOutSize is not zero.
> - @retval EFI_ABORTED An error occurred.
> - @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsHandleAlert (
> - IN VOID *Tls,
> - IN UINT8 *BufferIn, OPTIONAL
> - IN UINTN BufferInSize, OPTIONAL
> - OUT UINT8 *BufferOut, OPTIONAL
> - IN OUT UINTN *BufferOutSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - UINTN PendingBufferSize;
> - UINT8 *TempBuffer;
> - INTN Ret;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - PendingBufferSize = 0;
> - TempBuffer = NULL;
> - Ret = 0;
> -
> - if (TlsConn == NULL || \
> - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> - BufferOutSize == NULL || \
> - (BufferIn == NULL && BufferInSize != 0) || \
> - (BufferIn != NULL && BufferInSize == 0) || \
> - (BufferOut == NULL && *BufferOutSize != 0)) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
> - Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> - if (Ret != (INTN) BufferInSize) {
> - return EFI_ABORTED;
> - }
> -
> - TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
> -
> - //
> - // ssl3_send_alert() will be called in ssl3_read_bytes() function.
> - // TempBuffer is invalid since it's a Alert message, so just ignore it.
> - //
> - SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
> -
> - OPENSSL_free (TempBuffer);
> -
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - }
> -
> - if (PendingBufferSize > *BufferOutSize) {
> - *BufferOutSize = PendingBufferSize;
> - return EFI_BUFFER_TOO_SMALL;
> - }
> -
> - if (PendingBufferSize > 0) {
> - *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> - } else {
> - *BufferOutSize = 0;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Build the CloseNotify packet.
> -
> - @param[in] Tls Pointer to the TLS object for state checking.
> - @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> - @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> - the buffer size provided by the caller. On output, it
> - is the buffer size in fact needed to contain the
> - packet.
> -
> - @retval EFI_SUCCESS The required TLS packet is built successfully.
> - @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> - Tls is NULL.
> - BufferSize is NULL.
> - Buffer is NULL if *BufferSize is not zero.
> - @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> -
> -**/
> -EFI_STATUS
> -EFIAPI
> -TlsCloseNotify (
> - IN VOID *Tls,
> - IN OUT UINT8 *Buffer,
> - IN OUT UINTN *BufferSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> - UINTN PendingBufferSize;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - PendingBufferSize = 0;
> -
> - if (TlsConn == NULL || \
> - TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> - BufferSize == NULL || \
> - (Buffer == NULL && *BufferSize != 0)) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - if (PendingBufferSize == 0) {
> - //
> - // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
> - //
> - SSL_shutdown (TlsConn->Ssl);
> - PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> - }
> -
> - if (PendingBufferSize > *BufferSize) {
> - *BufferSize = PendingBufferSize;
> - return EFI_BUFFER_TOO_SMALL;
> - }
> -
> - if (PendingBufferSize > 0) {
> - *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32)
> PendingBufferSize);
> - } else {
> - *BufferSize = 0;
> - }
> -
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Attempts to read bytes from one TLS object and places the data in Buffer.
> -
> - This function will attempt to read BufferSize bytes from the TLS object
> - and places the data in Buffer.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in,out] Buffer Pointer to the buffer to store the data.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The amount of data successfully read from the TLS object.
> - @retval <=0 No data was successfully read.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsCtrlTrafficOut (
> - IN VOID *Tls,
> - IN OUT VOID *Buffer,
> - IN UINTN BufferSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->OutBio == 0) {
> - return -1;
> - }
> -
> - //
> - // Read and return the amount of data from the BIO.
> - //
> - return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
> -}
> -
> -/**
> - Attempts to write data from the buffer to TLS object.
> -
> - This function will attempt to write BufferSize bytes data from the Buffer
> - to the TLS object.
> -
> - @param[in] Tls Pointer to the TLS object.
> - @param[in] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The amount of data successfully written to the TLS object.
> - @retval <=0 No data was successfully written.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsCtrlTrafficIn (
> - IN VOID *Tls,
> - IN VOID *Buffer,
> - IN UINTN BufferSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->InBio == 0) {
> - return -1;
> - }
> -
> - //
> - // Write and return the amount of data to the BIO.
> - //
> - return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
> -}
> -/**
> - Attempts to read bytes from the specified TLS connection into the buffer.
> -
> - This function tries to read BufferSize bytes data from the specified TLS
> - connection into the Buffer.
> -
> - @param[in] Tls Pointer to the TLS connection for data reading.
> - @param[in,out] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The read operation was successful, and return value is the
> - number of bytes actually read from the TLS connection.
> - @retval <=0 The read operation was not successful.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsRead (
> - IN VOID *Tls,
> - IN OUT VOID *Buffer,
> - IN UINTN BufferSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return -1;
> - }
> -
> - //
> - // Read bytes from the specified TLS connection.
> - //
> - return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> -}
> -
> -/**
> - Attempts to write data to a TLS connection.
> -
> - This function tries to write BufferSize bytes data from the Buffer into the
> - specified TLS connection.
> -
> - @param[in] Tls Pointer to the TLS connection for data writing.
> - @param[in] Buffer Pointer to the data buffer.
> - @param[in] BufferSize The size of Buffer in bytes.
> -
> - @retval >0 The write operation was successful, and return value is the
> - number of bytes actually written to the TLS connection.
> - @retval <=0 The write operation was not successful.
> -
> -**/
> -INTN
> -EFIAPI
> -TlsWrite (
> - IN VOID *Tls,
> - IN VOID *Buffer,
> - IN UINTN BufferSize
> - )
> -{
> - TLS_CONNECTION *TlsConn;
> -
> - TlsConn = (TLS_CONNECTION *) Tls;
> - if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> - return -1;
> - }
> -
> - //
> - // Write bytes to the specified TLS connection.
> - //
> - return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> -}
> +/** @file
> + SSL/TLS Process Library Wrapper Implementation over OpenSSL.
> + The process includes the TLS handshake and packet I/O.
> +
> +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be
> found at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +
> +**/
> +
> +#include "InternalTlsLib.h"
> +
> +#define MAX_BUFFER_SIZE 32768
> +
> +/**
> + Checks if the TLS handshake was done.
> +
> + This function will check if the specified TLS handshake was done.
> +
> + @param[in] Tls Pointer to the TLS object for handshake state checking.
> +
> + @retval TRUE The TLS handshake was done.
> + @retval FALSE The TLS handshake was not done.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +TlsInHandshake (
> + IN VOID *Tls
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return FALSE;
> + }
> +
> + //
> + // Return the status which indicates if the TLS handshake was done.
> + //
> + return !SSL_is_init_finished (TlsConn->Ssl);
> +}
> +
> +/**
> + Perform a TLS/SSL handshake.
> +
> + This function will perform a TLS/SSL handshake.
> +
> + @param[in] Tls Pointer to the TLS object for handshake operation.
> + @param[in] BufferIn Pointer to the most recently received TLS
> Handshake packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Handshake packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> + @retval EFI_ABORTED Something wrong during handshake.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsDoHandshake (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> + INTN Ret;
> + UINTN ErrorCode;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> + Ret = 1;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferOutSize == NULL || \
> + (BufferIn == NULL && BufferInSize != 0) || \
> + (BufferIn != NULL && BufferInSize == 0) || \
> + (BufferOut == NULL && *BufferOutSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + if(BufferIn == NULL && BufferInSize == 0) {
> + //
> + // If RequestBuffer is NULL and RequestSize is 0, and TLS session
> + // status is EfiTlsSessionNotStarted, the TLS session will be initiated
> + // and the response packet needs to be ClientHello.
> + //
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + SSL_set_connect_state (TlsConn->Ssl);
> + Ret = SSL_do_handshake (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> + } else {
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> + Ret = SSL_do_handshake (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> + }
> +
> + if (Ret < 1) {
> + Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
> + if (Ret == SSL_ERROR_SSL ||
> + Ret == SSL_ERROR_SYSCALL ||
> + Ret == SSL_ERROR_ZERO_RETURN) {
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
> + __FUNCTION__,
> + SSL_get_state (TlsConn->Ssl),
> + Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ?
> "SYSCALL" : "ZERO_RETURN"
> + ));
> + DEBUG_CODE_BEGIN ();
> + while (TRUE) {
> + ErrorCode = ERR_get_error ();
> + if (ErrorCode == 0) {
> + break;
> + }
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a ERROR 0x%x=L%x:F%x:R%x\n",
> + __FUNCTION__,
> + ErrorCode,
> + ERR_GET_LIB (ErrorCode),
> + ERR_GET_FUNC (ErrorCode),
> + ERR_GET_REASON (ErrorCode)
> + ));
> + }
> + DEBUG_CODE_END ();
> + return EFI_ABORTED;
> + }
> + }
> +
> + if (PendingBufferSize > *BufferOutSize) {
> + *BufferOutSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferOutSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Handle Alert message recorded in BufferIn. If BufferIn is NULL and
> BufferInSize is zero,
> + TLS session has errors and the response packet needs to be Alert message
> based on error type.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in] BufferIn Pointer to the most recently received TLS Alert
> packet.
> + @param[in] BufferInSize Packet size in bytes for the most recently
> received TLS
> + Alert packet.
> + @param[out] BufferOut Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On
> input, it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferIn is NULL but BufferInSize is NOT 0.
> + BufferInSize is 0 but BufferIn is NOT NULL.
> + BufferOutSize is NULL.
> + BufferOut is NULL if *BufferOutSize is not zero.
> + @retval EFI_ABORTED An error occurred.
> + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsHandleAlert (
> + IN VOID *Tls,
> + IN UINT8 *BufferIn, OPTIONAL
> + IN UINTN BufferInSize, OPTIONAL
> + OUT UINT8 *BufferOut, OPTIONAL
> + IN OUT UINTN *BufferOutSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> + UINT8 *TempBuffer;
> + INTN Ret;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> + TempBuffer = NULL;
> + Ret = 0;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferOutSize == NULL || \
> + (BufferIn == NULL && BufferInSize != 0) || \
> + (BufferIn != NULL && BufferInSize == 0) || \
> + (BufferOut == NULL && *BufferOutSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
> + Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
> + if (Ret != (INTN) BufferInSize) {
> + return EFI_ABORTED;
> + }
> +
> + TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
> +
> + //
> + // ssl3_send_alert() will be called in ssl3_read_bytes() function.
> + // TempBuffer is invalid since it's a Alert message, so just ignore it.
> + //
> + SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
> +
> + OPENSSL_free (TempBuffer);
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> +
> + if (PendingBufferSize > *BufferOutSize) {
> + *BufferOutSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferOutSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Build the CloseNotify packet.
> +
> + @param[in] Tls Pointer to the TLS object for state checking.
> + @param[in, out] Buffer Pointer to the buffer to hold the built packet.
> + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input,
> it is
> + the buffer size provided by the caller. On output, it
> + is the buffer size in fact needed to contain the
> + packet.
> +
> + @retval EFI_SUCCESS The required TLS packet is built successfully.
> + @retval EFI_INVALID_PARAMETER One or more of the following
> conditions is TRUE:
> + Tls is NULL.
> + BufferSize is NULL.
> + Buffer is NULL if *BufferSize is not zero.
> + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the
> response packet.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsCloseNotify (
> + IN VOID *Tls,
> + IN OUT UINT8 *Buffer,
> + IN OUT UINTN *BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> + UINTN PendingBufferSize;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + PendingBufferSize = 0;
> +
> + if (TlsConn == NULL || \
> + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio ==
> NULL || \
> + BufferSize == NULL || \
> + (Buffer == NULL && *BufferSize != 0)) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + if (PendingBufferSize == 0) {
> + //
> + // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
> + //
> + SSL_shutdown (TlsConn->Ssl);
> + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
> + }
> +
> + if (PendingBufferSize > *BufferSize) {
> + *BufferSize = PendingBufferSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> +
> + if (PendingBufferSize > 0) {
> + *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32)
> PendingBufferSize);
> + } else {
> + *BufferSize = 0;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Attempts to read bytes from one TLS object and places the data in Buffer.
> +
> + This function will attempt to read BufferSize bytes from the TLS object
> + and places the data in Buffer.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in,out] Buffer Pointer to the buffer to store the data.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully read from the TLS object.
> + @retval <=0 No data was successfully read.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficOut (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->OutBio == 0) {
> + return -1;
> + }
> +
> + //
> + // Read and return the amount of data from the BIO.
> + //
> + return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
> +}
> +
> +/**
> + Attempts to write data from the buffer to TLS object.
> +
> + This function will attempt to write BufferSize bytes data from the Buffer
> + to the TLS object.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The amount of data successfully written to the TLS object.
> + @retval <=0 No data was successfully written.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsCtrlTrafficIn (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->InBio == 0) {
> + return -1;
> + }
> +
> + //
> + // Write and return the amount of data to the BIO.
> + //
> + return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
> +}
> +/**
> + Attempts to read bytes from the specified TLS connection into the buffer.
> +
> + This function tries to read BufferSize bytes data from the specified TLS
> + connection into the Buffer.
> +
> + @param[in] Tls Pointer to the TLS connection for data reading.
> + @param[in,out] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The read operation was successful, and return value is the
> + number of bytes actually read from the TLS connection.
> + @retval <=0 The read operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsRead (
> + IN VOID *Tls,
> + IN OUT VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return -1;
> + }
> +
> + //
> + // Read bytes from the specified TLS connection.
> + //
> + return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> +}
> +
> +/**
> + Attempts to write data to a TLS connection.
> +
> + This function tries to write BufferSize bytes data from the Buffer into the
> + specified TLS connection.
> +
> + @param[in] Tls Pointer to the TLS connection for data writing.
> + @param[in] Buffer Pointer to the data buffer.
> + @param[in] BufferSize The size of Buffer in bytes.
> +
> + @retval >0 The write operation was successful, and return value is the
> + number of bytes actually written to the TLS connection.
> + @retval <=0 The write operation was not successful.
> +
> +**/
> +INTN
> +EFIAPI
> +TlsWrite (
> + IN VOID *Tls,
> + IN VOID *Buffer,
> + IN UINTN BufferSize
> + )
> +{
> + TLS_CONNECTION *TlsConn;
> +
> + TlsConn = (TLS_CONNECTION *) Tls;
> + if (TlsConn == NULL || TlsConn->Ssl == NULL) {
> + return -1;
> + }
> +
> + //
> + // Write bytes to the specified TLS connection.
> + //
> + return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
> +}
> +
> --
> 2.12.0.windows.1
next prev parent reply other threads:[~2017-04-06 2:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-06 2:25 [PATCH 0/6] Convert files to CRLF line ending Hao Wu
2017-04-06 2:25 ` [PATCH 1/6] CryptoPkg: " Hao Wu
2017-04-06 2:56 ` Long, Qin [this message]
2017-04-06 2:25 ` [PATCH 2/6] IntelFsp2Pkg: " Hao Wu
2017-04-06 3:08 ` Yao, Jiewen
2017-04-06 2:25 ` [PATCH 3/6] IntelFsp2WrapperPkg: " Hao Wu
2017-04-06 3:08 ` Yao, Jiewen
2017-04-06 2:25 ` [PATCH 4/6] SignedCapsulePkg: " Hao Wu
2017-04-06 3:08 ` Yao, Jiewen
2017-04-06 2:25 ` [PATCH 5/6] MdePkg: " Hao Wu
2017-04-06 4:45 ` Gao, Liming
2017-04-06 2:25 ` [PATCH 6/6] NetworkPkg: " Hao Wu
2017-04-06 5:29 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BF2CCE9263284D428840004653A28B6E53F8CAB7@SHSMSX103.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox