From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Li, Yi1" <yi1.li@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
"Jiang, Guomin" <guomin.jiang@intel.com>
Subject: Re: [edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol
Date: Fri, 30 Sep 2022 05:08:47 +0000
Message-ID: <CO1PR11MB4929E38B88F459E31BBCBB86D2569@CO1PR11MB4929.namprd11.prod.outlook.com>
In-Reply-To: <b0b3dfe5f7645ae36d3e6387a39757df2b43acfa.1664172690.git.yi1.li@intel.com>
I see one issue with adding new bits to the crypto services structured PCD.
Comment below.
Mike
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> Sent: Sunday, September 25, 2022 11:27 PM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>
> Subject: [edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
>
> The implementation provides new Tls library functions
> for Crypto EFI Driver and Protocol.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Signed-off-by: Yi Li <yi1.li@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 155 +++++++++++++++++-
> .../Pcd/PcdCryptoServiceFamilyEnable.h | 5 +
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 146 ++++++++++++++++-
> CryptoPkg/Private/Protocol/Crypto.h | 136 ++++++++++++++-
> 4 files changed, 435 insertions(+), 7 deletions(-)
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 7a8266aaba..f1ff77855c 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite (
> return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0);
> }
>
> +/**
> + Shutdown a TLS connection.
> +
> + Shutdown the TLS connection without releasing the resources, meaning a new
> + connection can be started without calling TlsNew() and without setting
> + certificates etc.
> +
> + @param[in] Tls Pointer to the TLS object to shutdown.
> +
> + @retval EFI_SUCCESS The TLS is shutdown successfully.
> + @retval EFI_INVALID_PARAMETER Tls is NULL.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsShutdown (
> + IN VOID *Tls
> + )
> +{
> + return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI_UNSUPPORTED);
> +}
> +
> /**
> Set a new TLS/SSL method for a particular TLS object.
>
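Review bot: the @retval list for CryptoServiceTlsShutdown omits EFI_UNSUPPORTED, yet the wrapper passes EFI_UNSUPPORTED as the default to CALL_BASECRYPTLIB, so that is exactly what a caller sees when Tls.Services.Shutdown is cleared in PcdCryptoServiceFamilyEnable. Add `@retval EFI_UNSUPPORTED  This function is not supported.` here and in the matching doc blocks in CryptLib.c and Crypto.h, following the convention the other new wrappers in this patch (e.g. TlsSetHostPrivateKeyEx) already use.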
> @@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert (
> /**
> Adds the local private key to the specified TLS object.
>
> - This function adds the local private key (PEM-encoded RSA or PKCS#8 private
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL
> + if private key not encrypted.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsSetHostPrivateKeyEx (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize,
> + IN VOID *Password OPTIONAL
> + )
> +{
> + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password),
> EFI_UNSUPPORTED);
> +}
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> key) into the specified TLS object for TLS negotiation.
>
> @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> or PKCS#8 private key.
> @param[in] DataSize The size of data buffer in bytes.
>
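Review bot: Password is declared `IN VOID *Password OPTIONAL` but documented as a NULL-terminated password string; `CONST CHAR8 *` would state what the callee actually reads and make the length an explicit property of the type rather than an implicit one of the buffer. The description also conflates encodings with formats: DER and PEM are encodings and PKCS#8 is a key structure, so "DER-encoded or PEM-encoded or PKCS#8" reads as three alternatives when the contract is an RSA or PKCS#8 key in either DER or PEM form. Also missing is `@retval EFI_INVALID_PARAMETER` for a NULL Tls or Data, which the other TlsSet* functions document. The same wording is copied into the CryptLib.c and Crypto.h versions below, so fix all three together.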
> @@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList (
> return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
> }
>
> +/**
> + Set the signature algorithm list to used by the TLS object.
> +
> + This function sets the signature algorithms for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data Array of UINT8 of signature algorithms. The array consists of
> + pairs of the hash algorithm and the signature algorithm as defined
> + in RFC 5246
> + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
> +
> + @retval EFI_SUCCESS The signature algorithm list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
> + @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsSetSignatureAlgoList (
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + )
> +{
> + return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
> +}
> +
> +/**
> + Set the EC curve to be used for TLS flows
> +
> + This function sets the EC curve to be used for TLS flows.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
> + @param[in] DataSize Size of Data, it should be sizeof (UINT32)
> +
> + @retval EFI_SUCCESS The EC curve was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsSetEcCurve (
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + )
> +{
> + return CALL_BASECRYPTLIB (TlsSet.Services.EcCurve, TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED);
> +}
> +
> /**
> Gets the protocol version used by the specified TLS connection.
>
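Review bot: CryptoServiceTlsSetEcCurve takes `IN UINT8 *Data` but the doc says DataSize "should be sizeof (UINT32)", and RFC 4492 section 5.1.1 defines NamedCurve as a 16-bit value, so a caller cannot tell from this header how to encode the curve id (a host-order UINT32, or the 2-byte big-endian TLS value). Either declare the parameter as `IN UINT32 *Data` (or pass the curve id by value) or state the exact encoding and byte order in the @param text; the EDKII_CRYPTO_TLS_SET_EC_CURVE typedef in Crypto.h has the same mismatch. For CryptoServiceTlsSetSignatureAlgoList the "Must be divisible by 2" rule is only a comment; the wrapper forwards the buffer unchanged, so the doc should say which layer returns EFI_INVALID_PARAMETER for an odd DataSize. The hash/signature pair layout is the TLS 1.2 (RFC 5246) form, while TLS 1.3 SignatureScheme values are single 16-bit codes, so note that this list is for TLS 1.2 negotiation. Minor: "Set the signature algorithm list to used by the TLS object" should read "to be used by".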
> @@ -4826,6 +4931,44 @@ CryptoServiceTlsGetCertRevocationList (
> return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
> }
>
> +/**
> + Derive keying material from a TLS connection.
> +
> + This function exports keying material using the mechanism described in RFC
> + 5705.
> +
> + @param[in] Tls Pointer to the TLS object
> + @param[in] Label Description of the key for the PRF function
> + @param[in] Context Optional context
> + @param[in] ContextLen The length of the context value in bytes
> + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
> + @param[in] KeyBufferLen The length of the KeyBuffer
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The TLS object is invalid.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsGetExportKey (
> + IN VOID *Tls,
> + IN CONST VOID *Label,
> + IN CONST VOID *Context,
> + IN UINTN ContextLen,
> + OUT VOID *KeyBuffer,
> + IN UINTN KeyBufferLen
> + )
> +{
> + return CALL_BASECRYPTLIB (
> + TlsGet.Services.ExportKey,
> + TlsGetExportKey,
> + (Tls, Label, Context, ContextLen,
> + KeyBuffer, KeyBufferLen),
> + EFI_UNSUPPORTED
> + );
> +}
> +
> /**
> Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme.
>
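Review bot: RFC 5705 exporters distinguish "no context" from "a zero-length context" (the two produce different output because the context length octets are only mixed in when a context is supplied), but this API gives no way to express the difference: Context is `CONST VOID *` and ContextLen is a plain length, so the doc must say whether `Context == NULL` means no context and `Context != NULL, ContextLen == 0` means an empty context, or that the distinction is not supported. Label is passed without a length, so state that it is a NULL-terminated ASCII string (the RFC 5705 label). The @retval list also omits EFI_UNSUPPORTED, which is the default this wrapper returns when TlsGet.Services.ExportKey is disabled.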
> @@ -6266,4 +6409,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> CryptoServiceEcGenerateKey,
> CryptoServiceEcGetPubKey,
> CryptoServiceEcDhComputeKey,
> + /// TLS (continued)
> + CryptoServiceTlsShutdown,
> + /// TLS Set (continued)
> + CryptoServiceTlsSetHostPrivateKeyEx,
> + CryptoServiceTlsSetSignatureAlgoList,
> + CryptoServiceTlsSetEcCurve,
> + /// TLS Get (continued)
> + CryptoServiceTlsGetExportKey
> };
> diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
> index 45bafc2161..70caa2122b 100644
> --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
> +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
> @@ -269,6 +269,7 @@ typedef struct {
> UINT8 CtrlTrafficIn : 1;
> UINT8 Read : 1;
> UINT8 Write : 1;
> + UINT8 Shutdown : 1;
> } Services;
> UINT32 Family;
> } Tls;
> @@ -283,8 +284,11 @@ typedef struct {
> UINT8 SessionId : 1;
> UINT8 CaCertificate : 1;
> UINT8 HostPublicCert : 1;
> + UINT8 HostPrivateKeyEx : 1;
New bits must be added to the end of the Services struct. Move after EcCurve.
> UINT8 HostPrivateKey : 1;
> UINT8 CertRevocationList : 1;
> + UINT8 SignatureAlgoList : 1;
> + UINT8 EcCurve : 1;
> } Services;
> UINT32 Family;
> } TlsSet;
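Review bot: inserting HostPrivateKeyEx between HostPublicCert and HostPrivateKey shifts the bit positions of HostPrivateKey and CertRevocationList inside TlsSet.Services, so a platform DSC that sets the TlsSet family as a numeric Family value (rather than by field name) silently enables or disables the wrong services once it is built against this header. Appending the new bit after EcCurve, as already requested above, keeps the existing layout stable; the Tls.Services and TlsGet.Services hunks in this file do append at the end and need no change.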
> @@ -303,6 +307,7 @@ typedef struct {
> UINT8 HostPublicCert : 1;
> UINT8 HostPrivateKey : 1;
> UINT8 CertRevocationList : 1;
> + UINT8 ExportKey : 1;
> } Services;
> UINT32 Family;
> } TlsGet;
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 791e2ef599..52b934a545 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -3474,6 +3474,28 @@ TlsWrite (
> CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0);
> }
>
> +/**
> + Shutdown a TLS connection.
> +
> + Shutdown the TLS connection without releasing the resources, meaning a new
> + connection can be started without calling TlsNew() and without setting
> + certificates etc.
> +
> + @param[in] Tls Pointer to the TLS object to shutdown.
> +
> + @retval EFI_SUCCESS The TLS is shutdown successfully.
> + @retval EFI_INVALID_PARAMETER Tls is NULL.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsShutdown (
> + IN VOID *Tls
> + )
> +{
> + CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED);
> +}
> +
> /**
> Set a new TLS/SSL method for a particular TLS object.
>
> @@ -3699,11 +3721,41 @@ TlsSetHostPublicCert (
> /**
> Adds the local private key to the specified TLS object.
>
> - This function adds the local private key (PEM-encoded RSA or PKCS#8 private
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> key) into the specified TLS object for TLS negotiation.
>
> @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL
> + if private key not encrypted.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetHostPrivateKeyEx (
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize,
> + IN VOID *Password OPTIONAL
> + )
> +{
> + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
> +}
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> or PKCS#8 private key.
> @param[in] DataSize The size of data buffer in bytes.
>
> @@ -3747,6 +3799,59 @@ TlsSetCertRevocationList (
> CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
> }
>
> +/**
> + Set the signature algorithm list to used by the TLS object.
> +
> + This function sets the signature algorithms for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data Array of UINT8 of signature algorithms. The array consists of
> + pairs of the hash algorithm and the signature algorithm as defined
> + in RFC 5246
> + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
> +
> + @retval EFI_SUCCESS The signature algorithm list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
> + @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetSignatureAlgoList (
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + )
> +{
> + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
> +}
> +
> +/**
> + Set the EC curve to be used for TLS flows
> +
> + This function sets the EC curve to be used for TLS flows.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
> + @param[in] DataSize Size of Data, it should be sizeof (UINT32)
> +
> + @retval EFI_SUCCESS The EC curve was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsSetEcCurve (
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + )
> +{
> + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
> +}
> +
> /**
> Gets the protocol version used by the specified TLS connection.
>
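Review bot: TlsSetEcCurve in this hunk dispatches to the wrong service: `CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);` should be `CALL_CRYPTO_SERVICE (TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED);`. As written, a consumer built on BaseCryptLibOnProtocolPpi that asks for an EC curve instead hands the 4-byte curve id to the signature algorithm list setter, where it may be rejected or accepted as two hash/signature pairs, and the call is gated by the SignatureAlgoList service bit rather than the EcCurve bit, so the PCD will appear to enable a service that never runs. A grep for the service name inside each `CALL_CRYPTO_SERVICE` against the enclosing function name would catch this copy/paste slip.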
> @@ -4062,6 +4167,43 @@ TlsGetCertRevocationList (
> CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
> }
>
> +/**
> + Derive keying material from a TLS connection.
> +
> + This function exports keying material using the mechanism described in RFC
> + 5705.
> +
> + @param[in] Tls Pointer to the TLS object
> + @param[in] Label Description of the key for the PRF function
> + @param[in] Context Optional context
> + @param[in] ContextLen The length of the context value in bytes
> + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
> + @param[in] KeyBufferLen The length of the KeyBuffer
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The TLS object is invalid.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +TlsGetExportKey (
> + IN VOID *Tls,
> + IN CONST VOID *Label,
> + IN CONST VOID *Context,
> + IN UINTN ContextLen,
> + OUT VOID *KeyBuffer,
> + IN UINTN KeyBufferLen
> + )
> +{
> + CALL_CRYPTO_SERVICE (
> + TlsGetExportKey,
> + (Tls, Label, Context, ContextLen,
> + KeyBuffer, KeyBufferLen),
> + EFI_UNSUPPORTED
> + );
> +}
> +
> // =====================================================================================
> // Big number primitive
> // =====================================================================================
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
> index 2f267c7f55..6293efa36b 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -21,7 +21,7 @@
> /// the EDK II Crypto Protocol is extended, this version define must be
> /// increased.
> ///
> -#define EDKII_CRYPTO_VERSION 13
> +#define EDKII_CRYPTO_VERSION 14
>
> ///
> /// EDK II Crypto Protocol forward declaration
> @@ -3186,6 +3186,25 @@ INTN
> IN UINTN BufferSize
> );
>
> +/**
> + Shutdown a TLS connection.
> +
> + Shutdown the TLS connection without releasing the resources, meaning a new
> + connection can be started without calling TlsNew() and without setting
> + certificates etc.
> +
> + @param[in] Tls Pointer to the TLS object to shutdown.
> +
> + @retval EFI_SUCCESS The TLS is shutdown successfully.
> + @retval EFI_INVALID_PARAMETER Tls is NULL.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)(
> + IN VOID *Tls
> + );
> +
> /**
> Set a new TLS/SSL method for a particular TLS object.
>
> @@ -3384,11 +3403,38 @@ EFI_STATUS
> /**
> Adds the local private key to the specified TLS object.
>
> - This function adds the local private key (PEM-encoded RSA or PKCS#8 private
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> + key) into the specified TLS object for TLS negotiation.
> +
> + @param[in] Tls Pointer to the TLS object.
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> + or PKCS#8 private key.
> + @param[in] DataSize The size of data buffer in bytes.
> + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL
> + if private key not encrypted.
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_UNSUPPORTED This function is not supported.
> + @retval EFI_ABORTED Invalid private key data.
> +
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX)(
> + IN VOID *Tls,
> + IN VOID *Data,
> + IN UINTN DataSize,
> + IN VOID *Password OPTIONAL
> + );
> +
> +/**
> + Adds the local private key to the specified TLS object.
> +
> + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
> key) into the specified TLS object for TLS negotiation.
>
> @param[in] Tls Pointer to the TLS object.
> - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
> + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
> or PKCS#8 private key.
> @param[in] DataSize The size of data buffer in bytes.
>
> @@ -3680,6 +3726,82 @@ EFI_STATUS
> IN OUT UINTN *DataSize
> );
>
> +/**
> + Set the signature algorithm list to used by the TLS object.
> +
> + This function sets the signature algorithms for use by a specified TLS object.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data Array of UINT8 of signature algorithms. The array consists of
> + pairs of the hash algorithm and the signature algorithm as defined
> + in RFC 5246
> + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
> +
> + @retval EFI_SUCCESS The signature algorithm list was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
> + @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
> +
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST)(
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Set the EC curve to be used for TLS flows
> +
> + This function sets the EC curve to be used for TLS flows.
> +
> + @param[in] Tls Pointer to a TLS object.
> + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
> + @param[in] DataSize Size of Data, it should be sizeof (UINT32)
> +
> + @retval EFI_SUCCESS The EC curve was set successfully.
> + @retval EFI_INVALID_PARAMETER The parameters are invalid.
> + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
> +
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_CRYPTO_TLS_SET_EC_CURVE)(
> + IN VOID *Tls,
> + IN UINT8 *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Derive keying material from a TLS connection.
> +
> + This function exports keying material using the mechanism described in RFC
> + 5705.
> +
> + @param[in] Tls Pointer to the TLS object
> + @param[in] Label Description of the key for the PRF function
> + @param[in] Context Optional context
> + @param[in] ContextLen The length of the context value in bytes
> + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
> + @param[in] KeyBufferLen The length of the KeyBuffer
> +
> + @retval EFI_SUCCESS The operation succeeded.
> + @retval EFI_INVALID_PARAMETER The TLS object is invalid.
> + @retval EFI_PROTOCOL_ERROR Some other error occurred.
> +
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_CRYPTO_TLS_GET_EXPORT_KEY)(
> + IN VOID *Tls,
> + IN CONST VOID *Label,
> + IN CONST VOID *Context,
> + IN UINTN ContextLen,
> + OUT VOID *KeyBuffer,
> + IN UINTN KeyBufferLen
> + );
> +
> /**
> Gets the CA-supplied certificate revocation list data set in the specified
> TLS object.
> @@ -4954,6 +5076,14 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_EC_GENERATE_KEY EcGenerateKey;
> EDKII_CRYPTO_EC_GET_PUB_KEY EcGetPubKey;
> EDKII_CRYPTO_EC_DH_COMPUTE_KEY EcDhComputeKey;
> + /// TLS (continued)
> + EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown;
> + /// TLS Set (continued)
> + EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX TlsSetHostPrivateKeyEx;
> + EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST TlsSetSignatureAlgoList;
> + EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve;
> + /// TLS Get (continued)
> + EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey;
> };
>
> extern GUID gEdkiiCryptoProtocolGuid;
> --
> 2.31.1.windows.1
Thread overview: 5+ messages
[not found] <cover.1664172690.git.yi1.li@intel.com>
2022-09-26 6:27 ` [PATCH 1/3] MdePkg: Add Tls configuration related define Li, Yi
2022-09-26 6:27 ` [PATCH 2/3] CryptoPkg: Extend Tls function library Li, Yi
2022-09-26 6:27 ` [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol Li, Yi
2022-09-30 5:08 ` Michael D Kinney [this message]
2022-09-30 5:28 ` [edk2-devel] " Li, Yi