* [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3
@ 2022-05-22 1:54 yi1 li
2022-05-22 1:54 ` [PATCH 1/5] MdePkg: Add Tls configuration related define yi1 li
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel
Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang,
Maciej Rabeda, Jiaxin Wu, Siyuan Fu, Michael D Kinney, Liming Gao
To meet the needs of WPA3 Enterprise, additional cipher algorithms
and TLS APIs need to be added.
Code branch: https://github.com/liyi77/edk2/tree/Add-TLS
Details as follows:
- TlsShutdown: Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.
- TlsExportKey: Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).
- TlsSetEcCurve: Set the EC curve to be used for TLS flows.
- TlsSetSignatureAlgoList: Set the signature algorithm list to used by
the TLS object.
- Additional cipher algorithms: Which are needed for SUITE-B and SUITE-B-192.
- Add implementation for TlsSetHostPrivateKey().
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Yi Li (3):
MdePkg: Add Tls configuration related define
CryptoPkg: Add TlsSetConfiguration API
NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API
yi1 li (2):
CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib
CryptoPkg: Add implementation for TlsSetHostPrivateKey()
CryptoPkg/Driver/Crypto.c | 97 +++-
CryptoPkg/Include/Library/TlsLib.h | 93 +++-
.../Pcd/PcdCryptoServiceFamilyEnable.h | 3 +
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 97 +++-
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 +
CryptoPkg/Library/TlsLib/TlsConfig.c | 426 +++++++++++++++++-
CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 67 ++-
CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 +
CryptoPkg/Private/Protocol/Crypto.h | 82 +++-
MdePkg/Include/IndustryStandard/Tls1.h | 110 +++--
NetworkPkg/TlsDxe/TlsConfigProtocol.c | 2 +-
12 files changed, 968 insertions(+), 69 deletions(-)
--
2.31.1.windows.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] MdePkg: Add Tls configuration related define
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
@ 2022-05-22 1:54 ` yi1 li
2022-05-22 1:54 ` [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API yi1 li
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel; +Cc: Yi Li, Jiewen Yao, Michael D Kinney, Liming Gao
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892
Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
MdePkg/Include/IndustryStandard/Tls1.h | 110 +++++++++++++++++--------
1 file changed, 74 insertions(+), 36 deletions(-)
diff --git a/MdePkg/Include/IndustryStandard/Tls1.h b/MdePkg/Include/IndustryStandard/Tls1.h
index cf67428b1129..5cf2860caff4 100644
--- a/MdePkg/Include/IndustryStandard/Tls1.h
+++ b/MdePkg/Include/IndustryStandard/Tls1.h
@@ -15,42 +15,46 @@
///
/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
///
-#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01}
-#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02}
-#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
-#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
-#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07}
-#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A}
-#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C}
-#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
-#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F}
-#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
-#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
-#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13}
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16}
-#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
-#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
-#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
-#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C}
-#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B}
+#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01}
+#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02}
+#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
+#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
+#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07}
+#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A}
+#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C}
+#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
+#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F}
+#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
+#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
+#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13}
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16}
+#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
+#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
+#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C}
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B}
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F}
+#define TLS_ECDHE_ECDSA_AES128_GCM_SHA256 {0xC0, 0x2B}
+#define TLS_ECDHE_ECDSA_AES256_GCM_SHA384 {0xC0, 0x2C}
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30}
///
/// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246.
@@ -95,6 +99,40 @@ typedef struct {
//
#define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432
+///
+/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246.
+///
+typedef enum {
+ TlsHashAlgoNone = 0,
+ TlsHashAlgoMd5 = 1,
+ TlsHashAlgoSha1 = 2,
+ TlsHashAlgoSha224 = 3,
+ TlsHashAlgoSha256 = 4,
+ TlsHashAlgoSha384 = 5,
+ TlsHashAlgoSha512 = 6,
+} TLS_HASH_ALGO;
+
+///
+/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246.
+///
+typedef enum {
+ TlsSignatureAlgoAnonymous = 0,
+ TlsSignatureAlgoRsa = 1,
+ TlsSignatureAlgoDsa = 2,
+ TlsSignatureAlgoEcdsa = 3,
+} TLS_SIGNATURE_ALGO;
+
+///
+/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 of rfc-8442
+///
+typedef enum {
+ TlsEcNamedCurveSecp256r1 = 23,
+ TlsEcNamedCurveSecp384r1 = 24,
+ TlsEcNamedCurveSecp521r1 = 25,
+ TlsEcNamedCurveX25519 = 29,
+ TlsEcNamedCurveX448 = 30,
+} TLS_EC_NAMED_CURVE;
+
#pragma pack()
#endif
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
2022-05-22 1:54 ` [PATCH 1/5] MdePkg: Add Tls configuration related define yi1 li
@ 2022-05-22 1:54 ` yi1 li
2022-05-22 1:54 ` [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib yi1 li
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel
Cc: Yi Li, Michael D Kinney, Liming Gao, Jiewen Yao, Jian J Wang,
Xiaoyu Lu, Guomin Jiang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
1. TlsSetSignatureAlgoList: Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.
2. TlsSetEcCurve: Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Driver/Crypto.c | 29 ++
CryptoPkg/Include/Library/TlsLib.h | 41 +++
.../Pcd/PcdCryptoServiceFamilyEnable.h | 1 +
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 +
CryptoPkg/Library/TlsLib/TlsConfig.c | 295 ++++++++++++++++--
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 30 ++
CryptoPkg/Private/Protocol/Crypto.h | 28 ++
8 files changed, 438 insertions(+), 23 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 76cb9f4da0a4..6c05c1a69447 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4155,6 +4155,34 @@ CryptoServiceTlsSetCertRevocationList (
return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ return CALL_BASECRYPTLIB (TlsSet.Services.Configuration, TlsSetConfiguration, (Tls, Type, Data, DataSize), EFI_UNSUPPORTED);
+}
+
/**
Gets the protocol version used by the specified TLS connection.
@@ -4769,6 +4797,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceTlsSetHostPublicCert,
CryptoServiceTlsSetHostPrivateKey,
CryptoServiceTlsSetCertRevocationList,
+ CryptoServiceTlsSetConfiguration,
/// TLS Get
CryptoServiceTlsGetVersion,
CryptoServiceTlsGetConnectionEnd,
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aaba..24c1c1ed6477 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -9,6 +9,22 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef __TLS_LIB_H__
#define __TLS_LIB_H__
+///
+/// EFI_TLS_CONFIG_TYPE
+///
+typedef enum {
+ ///
+ /// Configure the allowed signature algorithms for the TLS context
+ ///
+ EfiTlsConfigSignatureAlgo,
+ ///
+ /// Configure the allowed elliptic curve for the TLS context
+ ///
+ EfiTlsConfigEcCurve,
+
+ EfiTlsConfigMaximum
+} EFI_TLS_CONFIG_TYPE;
+
/**
Initializes the OpenSSL library.
@@ -534,6 +550,31 @@ TlsSetCertRevocationList (
IN UINTN DataSize
);
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ );
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 3d53c2f105e1..6f5cde161006 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -267,6 +267,7 @@ typedef struct {
UINT8 HostPublicCert : 1;
UINT8 HostPrivateKey : 1;
UINT8 CertRevocationList : 1;
+ UINT8 Configuration : 1;
} Services;
UINT32 Family;
} TlsSet;
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 8ee1b53cf957..757b8e40e442 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -3298,6 +3298,38 @@ TlsSetCertRevocationList (
CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ CALL_CRYPTO_SERVICE (
+ TlsSetConfiguration,
+ (Tls, Type, Data, DataSize),
+ EFI_UNSUPPORTED
+ );
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index cf5ffe1b7343..32878484d06c 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -17,6 +17,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/SafeIntLib.h>
+#include <Library/TlsLib.h>
+#include <Protocol/Tls.h>
+#include <IndustryStandard/Tls1.h>
+#include <Library/PcdLib.h>
+#include <openssl/obj_mac.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 0673c9d5322e..5c32f1c3329f 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -39,29 +39,61 @@ typedef struct {
// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
//
STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
- MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
- MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
- MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5
- MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA
- MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
- MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
- MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
- MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
- MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA
- MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
- MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
- MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256
- MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256
- MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
- MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
- MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
- MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
+ MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
+ MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5
+ MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA
+ MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
+ MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
+ MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
+ MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
+ MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
+ MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256
+ MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
+ MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
+ MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ MAP (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), /// TLS_ECDHE_ECDSA_AES128_GCM_SHA256
+ MAP (0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"), /// TLS_ECDHE_ECDSA_AES256_GCM_SHA384
+ MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+};
+
+typedef struct {
+ //
+ // TLS Algorithm
+ //
+ UINT8 Algo;
+ //
+ // TLS Algorithm name
+ //
+ CONST CHAR8 *Name;
+} TLS_ALGO_TO_NAME;
+
+STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = {
+ { TlsHashAlgoNone, NULL },
+ { TlsHashAlgoMd5, "MD5" },
+ { TlsHashAlgoSha1, "SHA1" },
+ { TlsHashAlgoSha224, "SHA224" },
+ { TlsHashAlgoSha256, "SHA256" },
+ { TlsHashAlgoSha384, "SHA384" },
+ { TlsHashAlgoSha512, "SHA512" },
+};
+
+STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = {
+ { TlsSignatureAlgoAnonymous, NULL },
+ { TlsSignatureAlgoRsa, "RSA" },
+ { TlsSignatureAlgoDsa, "DSA" },
+ { TlsSignatureAlgoEcdsa, "ECDSA" },
};
/**
@@ -879,6 +911,223 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
+/**
+ Set the signature algorithm list to used by the TLS object.
+
+ This function sets the signature algorithms for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Data Array of UINT8 of signature algorithms. The array consists of
+ pairs of the hash algorithm and the signature algorithm as defined
+ in RFC 5246
+ @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
+
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+ IN VOID *Tls,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ TLS_CONNECTION *TlsConn;
+ UINTN Index;
+ UINTN SignAlgoStrSize;
+ CHAR8 *SignAlgoStr;
+ CHAR8 *Pos;
+ UINT8 *SignatureAlgoList;
+ EFI_STATUS Status;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||
+ ((DataSize % 2) == 0) || (Data[0] != DataSize - 1))
+ {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ SignatureAlgoList = Data + 1;
+ SignAlgoStrSize = 0;
+ for (Index = 0; Index < Data[0]; Index += 2) {
+ CONST CHAR8 *Tmp;
+
+ if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+ if (!Tmp) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Add 1 for the '+'
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+
+ if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+ if (!Tmp) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Add 1 for the ':' or for the NULL terminator
+ SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+ }
+
+ if (!SignAlgoStrSize) {
+ return EFI_UNSUPPORTED;
+ }
+
+ SignAlgoStr = AllocatePool (SignAlgoStrSize);
+ if (SignAlgoStr == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Pos = SignAlgoStr;
+ for (Index = 0; Index < Data[0]; Index += 2) {
+ CONST CHAR8 *Tmp;
+
+ Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+ Pos += AsciiStrLen (Tmp);
+ *Pos++ = '+';
+
+ Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+ CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+ Pos += AsciiStrLen (Tmp);
+ *Pos++ = ':';
+ }
+
+ *(Pos - 1) = '\0';
+
+ if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {
+ Status = EFI_INVALID_PARAMETER;
+ } else {
+ Status = EFI_SUCCESS;
+ }
+
+ FreePool (SignAlgoStr);
+ return Status;
+}
+
+/**
+ Set the EC curve to be used for TLS flows
+
+ This function sets the EC curve to be used for TLS flows.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
+ @param[in] DataSize Size of Data, it should be sizeof (UINT32)
+
+ @retval EFI_SUCCESS The EC curve was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+ IN VOID *Tls,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ #if !FixedPcdGetBool (PcdOpensslEcEnabled)
+ return EFI_UNSUPPORTED;
+ #else
+ TLS_CONNECTION *TlsConn;
+ EC_KEY *Ecdh;
+ INT32 Nid, Ret;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ switch (*((UINT32 *)Data)) {
+ case TlsEcNamedCurveSecp256r1:
+ return EFI_UNSUPPORTED;
+ case TlsEcNamedCurveSecp384r1:
+ Nid = NID_secp384r1;
+ break;
+ case TlsEcNamedCurveSecp521r1:
+ Nid = NID_secp521r1;
+ break;
+ case TlsEcNamedCurveX25519:
+ Nid = NID_X25519;
+ break;
+ case TlsEcNamedCurveX448:
+ Nid = NID_X448;
+ break;
+ default:
+ return EFI_UNSUPPORTED;
+ }
+
+ if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Ecdh = EC_KEY_new_by_curve_name (Nid);
+ if (!Ecdh) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, Ecdh);
+ EC_KEY_free (Ecdh);
+
+ if (Ret != 1) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ return EFI_SUCCESS;
+ #endif
+}
+
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ switch (Type) {
+ case EfiTlsConfigSignatureAlgo:
+ return TlsSetSignatureAlgoList (Tls, Data, DataSize);
+ case EfiTlsConfigEcCurve:
+ return TlsSetEcCurve (Tls, Data, DataSize);
+ default:
+ return EFI_UNSUPPORTED;
+ }
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 03726fd7264c..22d258c7f18f 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalTlsLib.h"
+#include <Library/TlsLib.h>
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -292,6 +293,35 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
+/**
+ Configure the TLS object.
+
+ This function allows to configure the TLS object
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] Type The type of the configuration.
+ @param[in] Data The data associated with the configuration type.
+ @param[in] DataSize The size of Data.
+
+ @retval EFI_SUCCESS The configuration was successful.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED The configuration or configuration type are not supported
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConfiguration (
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
/**
Gets the protocol version used by the specified TLS connection.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index c417568e9600..8de05a99bdcc 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -13,6 +13,7 @@
#include <Base.h>
#include <Library/BaseCryptLib.h>
#include <Library/PcdLib.h>
+#include <Library/TlsLib.h>
///
/// The version of the EDK II Crypto Protocol.
@@ -3361,6 +3362,32 @@ EFI_STATUS
IN OUT UINTN *DataSize
);
+/**
+ Set the signature algorithm list to used by the TLS object.
+
+ This function sets the signature algorithms for use by a specified TLS object.
+
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] SignatureAlgoList Array of UINT8 of signature algorithms. The array consists of
+ pairs of the hash algorithm and the signature algorithm as defined
+ in RFC 5246
+ @param[in] SignatureAlgoNum The length the SignatureAlgoList. Must be divisible by 2.
+
+ @retval EFI_SUCCESS The signature algorithm list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameters are invalid.
+ @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_SET_CONFIGURATION)(
+ IN VOID *Tls,
+ IN EFI_TLS_CONFIG_TYPE Type,
+ IN UINT8 *Data,
+ IN UINTN DataSize
+ );
+
/**
Gets the CA-supplied certificate revocation list data set in the specified
TLS object.
@@ -3656,6 +3683,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_TLS_SET_HOST_PUBLIC_CERT TlsSetHostPublicCert;
EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY TlsSetHostPrivateKey;
EDKII_CRYPTO_TLS_SET_CERT_REVOCATION_LIST TlsSetCertRevocationList;
+ EDKII_CRYPTO_TLS_SET_CONFIGURATION TlsSetConfiguration;
/// TLS Get
EDKII_CRYPTO_TLS_GET_VERSION TlsGetVersion;
EDKII_CRYPTO_TLS_GET_CONNECTION_END TlsGetConnectionEnd;
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
2022-05-22 1:54 ` [PATCH 1/5] MdePkg: Add Tls configuration related define yi1 li
2022-05-22 1:54 ` [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API yi1 li
@ 2022-05-22 1:54 ` yi1 li
2022-05-22 1:54 ` [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey() yi1 li
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel; +Cc: yi1 li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
From: yi1 li <yi1.li@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
Add the following API and implementation to the TLS library:
1.TlsShutdown:
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.
2.TlsExportKey: Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Driver/Crypto.c | 62 +++++++++++++++++++
CryptoPkg/Include/Library/TlsLib.h | 48 ++++++++++++++
.../Pcd/PcdCryptoServiceFamilyEnable.h | 2 +
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 59 ++++++++++++++++++
CryptoPkg/Library/TlsLib/TlsConfig.c | 50 +++++++++++++++
CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++++++++++
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 33 ++++++++++
CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 +++++++
CryptoPkg/Private/Protocol/Crypto.h | 50 +++++++++++++++
9 files changed, 359 insertions(+)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 6c05c1a69447..6a86c4dba6a2 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -3882,6 +3882,28 @@ CryptoServiceTlsWrite (
return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0);
}
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsShutdown (
+ IN VOID *Tls
+ )
+{
+ return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI_UNSUPPORTED);
+}
+
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -4498,6 +4520,44 @@ CryptoServiceTlsGetCertRevocationList (
return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsExportKey (
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ )
+{
+ return CALL_BASECRYPTLIB (
+ TlsGet.Services.ExportKey,
+ TlsExportKey,
+ (Tls, Label, Context, ContextLen,
+ KeyBuffer, KeyBufferLen),
+ EFI_UNSUPPORTED
+ );
+}
+
/**
Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme.
@@ -4785,6 +4845,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceTlsCtrlTrafficIn,
CryptoServiceTlsRead,
CryptoServiceTlsWrite,
+ CryptoServiceTlsShutdown,
/// TLS Set
CryptoServiceTlsSetVersion,
CryptoServiceTlsSetConnectionEnd,
@@ -4812,6 +4873,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceTlsGetHostPublicCert,
CryptoServiceTlsGetHostPrivateKey,
CryptoServiceTlsGetCertRevocationList,
+ CryptoServiceTlsExportKey,
/// RSA PSS
CryptoServiceRsaPssSign,
CryptoServiceRsaPssVerify,
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 24c1c1ed6477..8a109ec89d3d 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -310,6 +310,25 @@ TlsWrite (
IN UINTN BufferSize
);
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+ IN VOID *Tls
+ );
+
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -851,4 +870,33 @@ TlsGetCertRevocationList (
IN OUT UINTN *DataSize
);
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsExportKey (
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ );
+
#endif // __TLS_LIB_H__
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 6f5cde161006..589794776808 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -251,6 +251,7 @@ typedef struct {
UINT8 CtrlTrafficIn : 1;
UINT8 Read : 1;
UINT8 Write : 1;
+ UINT8 Shutdown : 1;
} Services;
UINT32 Family;
} Tls;
@@ -286,6 +287,7 @@ typedef struct {
UINT8 HostPublicCert : 1;
UINT8 HostPrivateKey : 1;
UINT8 CertRevocationList : 1;
+ UINT8 ExportKey : 1;
} Services;
UINT32 Family;
} TlsGet;
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 757b8e40e442..1c7c90e432de 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -3025,6 +3025,28 @@ TlsWrite (
CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0);
}
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+ IN VOID *Tls
+ )
+{
+ CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED);
+}
+
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -3644,3 +3666,40 @@ TlsGetCertRevocationList (
{
CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
}
+
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsExportKey (
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ )
+{
+ CALL_CRYPTO_SERVICE (
+ TlsExportKey,
+ (Tls, Label, Context, ContextLen,
+ KeyBuffer, KeyBufferLen),
+ EFI_UNSUPPORTED
+ );
+}
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 5c32f1c3329f..b45050c18770 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -1555,3 +1555,53 @@ TlsGetCertRevocationList (
{
return EFI_UNSUPPORTED;
}
+
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsExportKey (
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ return SSL_export_keying_material (
+ TlsConn->Ssl,
+ KeyBuffer,
+ KeyBufferLen,
+ Label,
+ AsciiStrLen (Label),
+ Context,
+ ContextLen,
+ Context != NULL
+ ) == 1 ?
+ EFI_SUCCESS : EFI_PROTOCOL_ERROR;
+}
diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsLib/TlsProcess.c
index 0f2ad7a9fbc0..a803d86c4f4e 100644
--- a/CryptoPkg/Library/TlsLib/TlsProcess.c
+++ b/CryptoPkg/Library/TlsLib/TlsProcess.c
@@ -461,3 +461,35 @@ TlsWrite (
//
return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize);
}
+
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+ IN VOID *Tls
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || ((TlsConn->Ssl) == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ SSL_set_quiet_shutdown (TlsConn->Ssl, 1);
+ SSL_shutdown (TlsConn->Ssl);
+ return SSL_clear (TlsConn->Ssl) == 1 ? EFI_SUCCESS : EFI_PROTOCOL_ERROR;
+}
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 22d258c7f18f..b2c7e6869f53 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -647,3 +647,36 @@ TlsGetCertRevocationList (
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}
+
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsExportKey (
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
diff --git a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
index 0958ddd8d608..395dac548d22 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
@@ -245,3 +245,26 @@ TlsWrite (
ASSERT (FALSE);
return 0;
}
+
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+ IN VOID *Tls
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 8de05a99bdcc..bc94cbb66311 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2868,6 +2868,25 @@ INTN
IN UINTN BufferSize
);
+/**
+ Shutdown a TLS connection.
+
+ Shutdown the TLS connection without releasing the resources, meaning a new
+ connection can be started without calling TlsNew() and without setting
+ certificates etc.
+
+ @param[in] Tls Pointer to the TLS object to shutdown.
+
+ @retval EFI_SUCCESS The TLS is shutdown successfully.
+ @retval EFI_INVALID_PARAMETER Tls is NULL.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)(
+ IN VOID *Tls
+ );
+
/**
Set a new TLS/SSL method for a particular TLS object.
@@ -3388,6 +3407,35 @@ EFI_STATUS
IN UINTN DataSize
);
+/**
+ Derive keying material from a TLS connection.
+
+ This function exports keying material using the mechanism described in RFC
+ 5705.
+
+ @param[in] Tls Pointer to the TLS object
+ @param[in] Label Description of the key for the PRF function
+ @param[in] Context, Optional context
+ @param[in] ContextLen The length of the context value in bytes
+ @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
+ @param[in] KeyBufferLen The length of the KeyBuffer
+
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The TLS object is invalid.
+ @retval EFI_PROTOCOL_ERROR Some other error occurred.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_EXPORT_KEY)(
+ IN VOID *Tls,
+ IN CONST VOID *Label,
+ IN CONST VOID *Context,
+ IN UINTN ContextLen,
+ OUT VOID *KeyBuffer,
+ IN UINTN KeyBufferLen
+ );
+
/**
Gets the CA-supplied certificate revocation list data set in the specified
TLS object.
@@ -3671,6 +3719,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_TLS_CTRL_TRAFFIC_IN TlsCtrlTrafficIn;
EDKII_CRYPTO_TLS_READ TlsRead;
EDKII_CRYPTO_TLS_WRITE TlsWrite;
+ EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown;
/// TLS Set
EDKII_CRYPTO_TLS_SET_VERSION TlsSetVersion;
EDKII_CRYPTO_TLS_SET_CONNECTION_END TlsSetConnectionEnd;
@@ -3698,6 +3747,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_TLS_GET_HOST_PUBLIC_CERT TlsGetHostPublicCert;
EDKII_CRYPTO_TLS_GET_HOST_PRIVATE_KEY TlsGetHostPrivateKey;
EDKII_CRYPTO_TLS_GET_CERT_REVOCATION_LIST TlsGetCertRevocationList;
+ EDKII_CRYPTO_TLS_EXPORT_KEY TlsExportKey;
/// RSA PSS
EDKII_CRYPTO_RSA_PSS_SIGN RsaPssSign;
EDKII_CRYPTO_RSA_PSS_VERIFY RsaPssVerify;
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey()
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
` (2 preceding siblings ...)
2022-05-22 1:54 ` [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib yi1 li
@ 2022-05-22 1:54 ` yi1 li
2022-05-22 1:54 ` [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API yi1 li
2022-05-23 14:50 ` [edk2-devel] [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 Maciej Rabeda
5 siblings, 0 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel
Cc: yi1 li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang,
Maciej Rabeda, Jiaxin Wu, Siyuan Fu
From: yi1 li <yi1.li@intel.com>
Add Password to TlsSetHostPrivateKey() param list,
Set Password to NULL when useless.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Driver/Crypto.c | 6 +-
CryptoPkg/Include/Library/TlsLib.h | 4 +-
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 6 +-
CryptoPkg/Library/TlsLib/TlsConfig.c | 81 ++++++++++++++++++-
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 4 +-
CryptoPkg/Private/Protocol/Crypto.h | 4 +-
6 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 6a86c4dba6a2..b2e3cbde5bd3 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4136,6 +4136,7 @@ CryptoServiceTlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -4147,10 +4148,11 @@ EFIAPI
CryptoServiceTlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+ return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
}
/**
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 8a109ec89d3d..01b1087e3d2e 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -534,6 +534,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -545,7 +546,8 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
);
/**
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 1c7c90e432de..d1405e26f9fc 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -3279,6 +3279,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -3290,10 +3291,11 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+ CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
}
/**
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index b45050c18770..e7d4474dff8d 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -870,6 +870,7 @@ ON_EXIT:
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -881,10 +882,86 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- return EFI_UNSUPPORTED;
+ TLS_CONNECTION *TlsConn;
+ BIO *Bio;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_RSA,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_DSA,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_EC,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_RSAPrivateKey_ASN1 (
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ // Try to parse the private key in PEM format encoded PKC#8
+ Bio = BIO_new_mem_buf (Data, (long)DataSize);
+ if (Bio != NULL) {
+ EVP_PKEY *Pkey;
+ BOOLEAN Verify;
+
+ Verify = FALSE;
+ Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);
+ if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {
+ Verify = TRUE;
+ }
+
+ EVP_PKEY_free (Pkey);
+ BIO_free (Bio);
+
+ if (Verify) {
+ goto verify;
+ }
+ }
+
+ return EFI_ABORTED;
+
+verify:
+ if (SSL_check_private_key (TlsConn->Ssl) == 1) {
+ return EFI_SUCCESS;
+ }
+
+ return EFI_ABORTED;
}
/**
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index b2c7e6869f53..9ab95f7269ee 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -250,6 +250,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -261,7 +262,8 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
ASSERT (FALSE);
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bc94cbb66311..ab01ff985da7 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3092,6 +3092,7 @@ EFI_STATUS
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -3103,7 +3104,8 @@ EFI_STATUS
(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)(
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
);
/**
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
` (3 preceding siblings ...)
2022-05-22 1:54 ` [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey() yi1 li
@ 2022-05-22 1:54 ` yi1 li
2022-05-23 14:50 ` [edk2-devel] [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 Maciej Rabeda
5 siblings, 0 replies; 7+ messages in thread
From: yi1 li @ 2022-05-22 1:54 UTC (permalink / raw)
To: devel
Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang,
Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Add NULL to param list to sync with new TlsSetHostPrivateKey() in TlsLib.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
NetworkPkg/TlsDxe/TlsConfigProtocol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NetworkPkg/TlsDxe/TlsConfigProtocol.c b/NetworkPkg/TlsDxe/TlsConfigProtocol.c
index 33729fdf6c31..13532bb66c8a 100644
--- a/NetworkPkg/TlsDxe/TlsConfigProtocol.c
+++ b/NetworkPkg/TlsDxe/TlsConfigProtocol.c
@@ -65,7 +65,7 @@ TlsConfigurationSetData (
Status = TlsSetHostPublicCert (Instance->TlsConn, Data, DataSize);
break;
case EfiTlsConfigDataTypeHostPrivateKey:
- Status = TlsSetHostPrivateKey (Instance->TlsConn, Data, DataSize);
+ Status = TlsSetHostPrivateKey (Instance->TlsConn, Data, DataSize, NULL);
break;
case EfiTlsConfigDataTypeCertRevocationList:
Status = TlsSetCertRevocationList (Data, DataSize);
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
` (4 preceding siblings ...)
2022-05-22 1:54 ` [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API yi1 li
@ 2022-05-23 14:50 ` Maciej Rabeda
5 siblings, 0 replies; 7+ messages in thread
From: Maciej Rabeda @ 2022-05-23 14:50 UTC (permalink / raw)
To: devel, yi1.li
Cc: Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Jiaxin Wu,
Siyuan Fu, Michael D Kinney, Liming Gao
For NetworkPkg part: Reviewed-by: Maciej Rabeda
<maciej.rabeda@linux.intel.com>
On 22 maj 2022 03:54, yi1 li wrote:
> To meet the needs of WPA3 Enterprise, additional cipher algorithms
> and TLS APIs need to be added.
> Code branch: https://github.com/liyi77/edk2/tree/Add-TLS
> Details as follows:
> - TlsShutdown: Shutdown the TLS connection without releasing the resources,
> meaning a new connection can be started without calling TlsNew() and
> without setting certificates etc.
> - TlsExportKey: Derive keying material from a TLS connection using the
> mechanism described in RFC 5705 and export the key material (needed
> by EAP methods such as EAP-TTLS and EAP-PEAP).
> - TlsSetEcCurve: Set the EC curve to be used for TLS flows.
> - TlsSetSignatureAlgoList: Set the signature algorithm list to used by
> the TLS object.
> - Additional cipher algorithms: Which are needed for SUITE-B and SUITE-B-192.
> - Add implementation for TlsSetHostPrivateKey().
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>
> Yi Li (3):
> MdePkg: Add Tls configuration related define
> CryptoPkg: Add TlsSetConfiguration API
> NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API
>
> yi1 li (2):
> CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib
> CryptoPkg: Add implementation for TlsSetHostPrivateKey()
>
> CryptoPkg/Driver/Crypto.c | 97 +++-
> CryptoPkg/Include/Library/TlsLib.h | 93 +++-
> .../Pcd/PcdCryptoServiceFamilyEnable.h | 3 +
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 97 +++-
> CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 +
> CryptoPkg/Library/TlsLib/TlsConfig.c | 426 +++++++++++++++++-
> CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++
> CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 67 ++-
> CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 +
> CryptoPkg/Private/Protocol/Crypto.h | 82 +++-
> MdePkg/Include/IndustryStandard/Tls1.h | 110 +++--
> NetworkPkg/TlsDxe/TlsConfigProtocol.c | 2 +-
> 12 files changed, 968 insertions(+), 69 deletions(-)
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-05-23 14:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-22 1:54 [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 yi1 li
2022-05-22 1:54 ` [PATCH 1/5] MdePkg: Add Tls configuration related define yi1 li
2022-05-22 1:54 ` [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API yi1 li
2022-05-22 1:54 ` [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib yi1 li
2022-05-22 1:54 ` [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey() yi1 li
2022-05-22 1:54 ` [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API yi1 li
2022-05-23 14:50 ` [edk2-devel] [PATCH 0/5] CryptoPkg: Add additional cipher algos and TLS API to meet WPA3 Maciej Rabeda
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox