* [PATCH V3 0/3] CryptoPkg: Extend Tls library
@ 2022-10-10  2:39 Li, Yi
  2022-10-10  2:39 ` [PATCH V3 1/3] MdePkg: Add Tls configuration related define Li, Yi
                   ` (4 more replies)
  0 siblings, 5 replies; 9+ messages in thread
From: Li, Yi @ 2022-10-10  2:39 UTC (permalink / raw)
  To: devel
  Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Michael D Kinney, Liming Gao

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
Review PR: https://github.com/tianocore/edk2/pull/3400

This patch sequence is used to extend the Tls library, which is wrapped over OpenSSL.
The implementation provides library functions for EFI DXE driver and Protocol.

All APIs passed unit test and fuzzing test, detail as:
1. Unit test: New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
2. Fuzzing test: Various fuzz tests are employed across all the introduced APIs,
   and the tests use AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzers,
   based on HBFA. Fuzzing Pass Rate is 100%; the Code Coverage of new APIs is 91%.

All test cases are shown in:
https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg

V2 change:
Move the newly added APIs to the end of struct PCD.

V3 change:
Corrected tls specification reference and tls cipher suite names.

Tested-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Yi Li <yi1.li@intel.com>

Yi Li (3):
  MdePkg: Add Tls configuration related define
  CryptoPkg: Extend Tls function library
  CryptoPkg: Add new Tls APIs to DXE and protocol

 CryptoPkg/Driver/Crypto.c                     | 155 +++++++-
 CryptoPkg/Include/Library/TlsLib.h            | 126 +++++-
 .../Pcd/PcdCryptoServiceFamilyEnable.h        |   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 146 ++++++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h     |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c          | 366 +++++++++++++++++-
 CryptoPkg/Library/TlsLib/TlsProcess.c         |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +++++-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
 CryptoPkg/Private/Protocol/Crypto.h           | 136 ++++++-
 MdePkg/Include/IndustryStandard/Tls1.h        | 112 ++++--
 11 files changed, 1177 insertions(+), 51 deletions(-)

--
2.31.1.windows.1

^ permalink raw reply	[flat|nested] 9+ messages in thread
* [PATCH V3 1/3] MdePkg: Add Tls configuration related define 2022-10-10 2:39 [PATCH V3 0/3] CryptoPkg: Extend Tls library Li, Yi @ 2022-10-10 2:39 ` Li, Yi 2022-10-10 3:06 ` Michael D Kinney 2022-10-10 2:39 ` [PATCH V3 2/3] CryptoPkg: Extend Tls function library Li, Yi ` (3 subsequent siblings) 4 siblings, 1 reply; 9+ messages in thread From: Li, Yi @ 2022-10-10 2:39 UTC (permalink / raw) To: devel; +Cc: Yi Li, Jiewen Yao, Michael D Kinney, Liming Gao REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892 Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Yi Li <yi1.li@intel.com> --- MdePkg/Include/IndustryStandard/Tls1.h | 112 +++++++++++++++++-------- 1 file changed, 75 insertions(+), 37 deletions(-) diff --git a/MdePkg/Include/IndustryStandard/Tls1.h b/MdePkg/Include/IndustryStandard/Tls1.h index cf67428b11..f1ba0af7dc 100644 --- a/MdePkg/Include/IndustryStandard/Tls1.h +++ b/MdePkg/Include/IndustryStandard/Tls1.h 
@@ -13,44 +13,48 @@ #pragma pack(1) /// -/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246. +/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346, rfc-5246, rfc-5288 and rfc-5289. /// -#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} -#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} -#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} -#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} -#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} -#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} -#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} -#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} 
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} +#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} +#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} +#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} +#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} +#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} +#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} +#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} +#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} +#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} +#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} +#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} +#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} +#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} +#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} +#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} +#define 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F} +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {0xC0, 0x2B} +#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x2C} +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30} /// /// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246. @@ -95,6 +99,40 @@ typedef struct { // #define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432 +/// +/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsHashAlgoNone = 0, + TlsHashAlgoMd5 = 1, + TlsHashAlgoSha1 = 2, + TlsHashAlgoSha224 = 3, + TlsHashAlgoSha256 = 4, + TlsHashAlgoSha384 = 5, + TlsHashAlgoSha512 = 6, +} TLS_HASH_ALGO; + +/// +/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsSignatureAlgoAnonymous = 0, + TlsSignatureAlgoRsa = 1, + TlsSignatureAlgoDsa = 2, + TlsSignatureAlgoEcdsa = 3, +} TLS_SIGNATURE_ALGO; + +/// +/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 of rfc-8422. +/// +typedef enum { + TlsEcNamedCurveSecp256r1 = 23, + TlsEcNamedCurveSecp384r1 = 24, + TlsEcNamedCurveSecp521r1 = 25, + TlsEcNamedCurveX25519 = 29, + TlsEcNamedCurveX448 = 30, +} TLS_EC_NAMED_CURVE; + #pragma pack() #endif -- 2.31.1.windows.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
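Review bot: In the first Tls1.h hunk (cipher-suite block), every existing #define is removed and re-added with what appears to be only a column-alignment change, which buries the four real additions (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and the three TLS_ECDHE_* suites) and makes blame on this header noisy. Either add the four new lines using the existing alignment, or move the realignment into its own whitespace-only commit and say so in the commit message, which currently mentions only TlsSetEcCurve and TlsSetSignatureAlgoList.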
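Review bot: In the second Tls1.h hunk, the comments on TLS_HASH_ALGO, TLS_SIGNATURE_ALGO and TLS_EC_NAMED_CURVE do not state the width a caller must use when passing these values. A C enum is int-sized and the surrounding #pragma pack(1) does not change that, while RFC 5246 HashAlgorithm and SignatureAlgorithm are one byte each and the RFC 8422 NamedCurve is two bytes. The consumers in patch 2/3 read UINT8 pairs in TlsSetSignatureAlgoList and a UINT32 in TlsSetEcCurve, so each enum comment should name the storage type expected by its consumer.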
* Re: [PATCH V3 1/3] MdePkg: Add Tls configuration related define 2022-10-10 2:39 ` [PATCH V3 1/3] MdePkg: Add Tls configuration related define Li, Yi @ 2022-10-10 3:06 ` Michael D Kinney 0 siblings, 0 replies; 9+ messages in thread From: Michael D Kinney @ 2022-10-10 3:06 UTC (permalink / raw) To: Li, Yi1, devel@edk2.groups.io, Kinney, Michael D; +Cc: Yao, Jiewen, Gao, Liming Acked-by: Michael D Kinney <michael.d.kinney@intel.com> Mike > -----Original Message----- > From: Li, Yi1 <yi1.li@intel.com> > Sent: Sunday, October 9, 2022 7:40 PM > To: devel@edk2.groups.io > Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, > Liming <gaoliming@byosoft.com.cn> > Subject: [PATCH V3 1/3] MdePkg: Add Tls configuration related define > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892 > > Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Liming Gao <gaoliming@byosoft.com.cn> > Signed-off-by: Yi Li <yi1.li@intel.com> > --- > MdePkg/Include/IndustryStandard/Tls1.h | 112 +++++++++++++++++-------- > 1 file changed, 75 insertions(+), 37 deletions(-) > > diff --git a/MdePkg/Include/IndustryStandard/Tls1.h b/MdePkg/Include/IndustryStandard/Tls1.h > index cf67428b11..f1ba0af7dc 100644 > --- a/MdePkg/Include/IndustryStandard/Tls1.h > +++ b/MdePkg/Include/IndustryStandard/Tls1.h 
> @@ -13,44 +13,48 @@ > #pragma pack(1) > > /// > -/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246. > +/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346, rfc-5246, rfc-5288 and rfc-5289. > /// > -#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} > -#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} > -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} > -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} > -#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} > -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} > -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} > -#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} > -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} > -#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} > -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} > -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} > -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} > -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} > -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} > -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} > -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} > -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} > -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} > -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} > -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} > -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} > -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} > -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} > -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} > -#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} > -#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} > -#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} > -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} > -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} > -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} > -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} > -#define 
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} > -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} > -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} > -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} > +#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} > +#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} > +#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} > +#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} > +#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} > +#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} > +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} > +#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} > +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} > +#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} > +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} > +#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} > +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} > +#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} > +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} > +#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} > +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} > +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} > +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} > +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} > +#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} > +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} > +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} > +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} > +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} > +#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} > +#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} > +#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} > +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} > +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} > +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} > +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} > +#define 
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} > +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} > +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} > +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} > +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F} > +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {0xC0, 0x2B} > +#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x2C} > +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30} > > /// > /// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246. > @@ -95,6 +99,40 @@ typedef struct { > // > #define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432 > > +/// > +/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246. > +/// > +typedef enum { > + TlsHashAlgoNone = 0, > + TlsHashAlgoMd5 = 1, > + TlsHashAlgoSha1 = 2, > + TlsHashAlgoSha224 = 3, > + TlsHashAlgoSha256 = 4, > + TlsHashAlgoSha384 = 5, > + TlsHashAlgoSha512 = 6, > +} TLS_HASH_ALGO; > + > +/// > +/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246. > +/// > +typedef enum { > + TlsSignatureAlgoAnonymous = 0, > + TlsSignatureAlgoRsa = 1, > + TlsSignatureAlgoDsa = 2, > + TlsSignatureAlgoEcdsa = 3, > +} TLS_SIGNATURE_ALGO; > + > +/// > +/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 of rfc-8422. > +/// > +typedef enum { > + TlsEcNamedCurveSecp256r1 = 23, > + TlsEcNamedCurveSecp384r1 = 24, > + TlsEcNamedCurveSecp521r1 = 25, > + TlsEcNamedCurveX25519 = 29, > + TlsEcNamedCurveX448 = 30, > +} TLS_EC_NAMED_CURVE; > + > #pragma pack() > > #endif > -- > 2.31.1.windows.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH V3 2/3] CryptoPkg: Extend Tls function library 2022-10-10 2:39 [PATCH V3 0/3] CryptoPkg: Extend Tls library Li, Yi 2022-10-10 2:39 ` [PATCH V3 1/3] MdePkg: Add Tls configuration related define Li, Yi @ 2022-10-10 2:39 ` Li, Yi 2022-10-10 2:39 ` [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol Li, Yi ` (2 subsequent siblings) 4 siblings, 0 replies; 9+ messages in thread 
From: Li, Yi @ 2022-10-10  2:39 UTC (permalink / raw)
  To: devel; +Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList():
   Configure the list of TLS signature algorithms that should be used as
   part of the TLS session establishment. This is needed for some WLAN
   Supplicant connection establishment flows that allow only specific TLS
   signature algorithms to be used, e.g., Authenticate and Key Management
   (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve():
   Configure the Elliptic Curve that should be used for TLS flows that use
   a cipher suite with EC, e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
   This is needed for some WLAN Supplicant connection establishment flows
   that allow only specific TLS signature algorithms to be used, e.g.,
   Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
   Shutdown the TLS connection without releasing the resources, meaning a
   new connection can be started without calling TlsNew() and without
   setting certificates etc.

4. TlsGetExportKey():
   Derive keying material from a TLS connection using the mechanism
   described in RFC 5705 and export the key material (needed by EAP
   methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx():
   This function adds the local private key (PEM-encoded or PKCS#8 or
   DER-encoded private key) into the specified TLS object for TLS
   negotiation. There is already a similar function
   TlsSetHostPrivateKey(), the new Ex function introduces a new parameter
   Password, set Password to NULL when useless.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com> --- CryptoPkg/Include/Library/TlsLib.h | 126 +++++- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 + CryptoPkg/Library/TlsLib/TlsConfig.c | 366 +++++++++++++++++- CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++ CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 123 +++++- CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 ++ 6 files changed, 667 insertions(+), 7 deletions(-) diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h index 3b75fde0aa..d37c5fcc35 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -294,6 +294,25 @@ TlsWrite ( IN UINTN BufferSize ); +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. 
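Review bot: The TlsShutdown comment added to TlsLib.h does not say whether the peer is notified of the close. The TlsProcess.c implementation in this same patch calls SSL_set_quiet_shutdown (TlsConn->Ssl, 1) and discards the return value of SSL_shutdown, so no close_notify alert is sent and EFI_PROTOCOL_ERROR is returned only when SSL_clear fails. State the quiet-shutdown behaviour in this header comment so callers that need a clean TLS close know they do not get one here, and describe EFI_PROTOCOL_ERROR as the SSL_clear failure rather than "some other error".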
@@ -492,11 +511,38 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
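Review bot: The @retval list for TlsSetHostPrivateKeyEx in this hunk omits EFI_INVALID_PARAMETER, which the TlsConfig.c implementation returns when Tls, Data or DataSize fails the entry check. Add it here so the header matches the code. Password is also declared IN VOID * although the comment describes it as a NULL-terminated password; IN CONST CHAR8 * OPTIONAL would document the type and let the compiler catch a wrong-width string.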
@@ -534,6 +580,53 @@ TlsSetCertRevocationList ( IN UINTN DataSize ); +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + /** Gets the protocol version used by the specified TLS connection. 
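Review bot: The DataSize description for TlsSetSignatureAlgoList ("Must be divisible by 2") contradicts the implementation in TlsConfig.c, which rejects even sizes with ((DataSize % 2) == 0) and requires Data[0] == DataSize - 1. Describe the real layout in the Data and DataSize lines: a one-byte length followed by hash/signature byte pairs, so DataSize is odd and at least 3. In the TlsSetEcCurve comment, the curve reference is section 5.1.1 of RFC 4492 while the TLS_EC_NAMED_CURVE enum added in patch 1/3 cites RFC 8422; use the same reference in both places.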
@@ -810,4 +903,33 @@ TlsGetCertRevocationList ( IN OUT UINTN *DataSize ); +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + #endif // __TLS_LIB_H__ diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h index cf5ffe1b73..97a46af6c1 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -17,6 +17,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DebugLib.h> #include <Library/MemoryAllocationLib.h> #include <Library/SafeIntLib.h> +#include <Protocol/Tls.h> +#include <IndustryStandard/Tls1.h> +#include <Library/PcdLib.h> +#include <openssl/obj_mac.h> #include <openssl/ssl.h> #include <openssl/bio.h> #include <openssl/err.h> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c index 0673c9d532..dbe1f06529 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -62,6 +62,38 @@ STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = { MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256 MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256 MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"), /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"), /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +}; + +typedef struct { + // + // TLS Algorithm + // + UINT8 Algo; + // + // TLS Algorithm name + // + CONST CHAR8 *Name; +} TLS_ALGO_TO_NAME; + +STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = { + { TlsHashAlgoNone, NULL }, + { TlsHashAlgoMd5, "MD5" }, + { TlsHashAlgoSha1, "SHA1" }, + { TlsHashAlgoSha224, "SHA224" }, + { TlsHashAlgoSha256, "SHA256" }, + { TlsHashAlgoSha384, "SHA384" }, + { TlsHashAlgoSha512, "SHA512" }, +}; + +STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = { + { TlsSignatureAlgoAnonymous, NULL }, + { TlsSignatureAlgoRsa, "RSA" }, + { TlsSignatureAlgoDsa, "DSA" }, + { TlsSignatureAlgoEcdsa, "ECDSA" }, }; /** 
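Review bot: TlsHashAlgoToName and TlsSignatureAlgoToName carry an Algo member, but TlsSetSignatureAlgoList later in this file indexes them directly by the wire value (TlsHashAlgoToName[SignatureAlgoList[Index]].Name), so Algo is never compared in the visible code and correctness depends on the entries staying in enum order. Either look the entry up by matching Algo, or keep the direct index and add a STATIC_ASSERT or comment that ties each table position to its TLS_HASH_ALGO or TLS_SIGNATURE_ALGO value.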
@@ -831,11 +863,107 @@ ON_EXIT: /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + TLS_CONNECTION *TlsConn; + BIO *Bio; + EVP_PKEY *Pkey; + BOOLEAN Verify; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) { + return EFI_INVALID_PARAMETER; + } + + // Try to parse the private key in DER format or un-encrypted PKC#8 + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_RSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_DSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_EC, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + // Try to parse the private key in PEM format or encrypted PKC#8 + Bio = BIO_new_mem_buf (Data, (int)DataSize); + if (Bio != NULL) { + Verify = FALSE; + Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password); + if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) { + Verify = TRUE; + } + + 
EVP_PKEY_free (Pkey); + BIO_free (Bio); + + if (Verify) { + goto verify; + } + } + + return EFI_ABORTED; + +verify: + if (SSL_check_private_key (TlsConn->Ssl) == 1) { + return EFI_SUCCESS; + } + + return EFI_ABORTED; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. @@ -852,7 +980,7 @@ TlsSetHostPrivateKey ( IN UINTN DataSize ) { - return EFI_UNSUPPORTED; + return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL); } /** 
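Review bot: In TlsSetHostPrivateKeyEx, DataSize is narrowed with (long)DataSize for SSL_use_PrivateKey_ASN1 and (int)DataSize for BIO_new_mem_buf without any range check, so a UINTN larger than MAX_INT32 is silently truncated before OpenSSL sees it. Reject DataSize > MAX_INT32 in the entry check next to the NULL tests. Two smaller points in the same function: the up to three failed SSL_use_PrivateKey_ASN1 attempts can leave entries on the OpenSSL error queue before the PEM path runs, and the lowercase verify: label differs from the ON_EXIT: label style visible in this file's hunk context.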
@@ -879,6 +1007,188 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN Index; + UINTN SignAlgoStrSize; + CHAR8 *SignAlgoStr; + CHAR8 *Pos; + UINT8 *SignatureAlgoList; + EFI_STATUS Status; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) || + ((DataSize % 2) == 0) || (Data[0] != DataSize - 1)) + { + return EFI_INVALID_PARAMETER; + } + + SignatureAlgoList = Data + 1; + SignAlgoStrSize = 0; + for (Index = 0; Index < Data[0]; Index += 2) { + CONST CHAR8 *Tmp; + + if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) { + return EFI_INVALID_PARAMETER; + } + + Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + + // Add 1 for the '+' + SignAlgoStrSize += AsciiStrLen (Tmp) + 1; + + if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) { + return EFI_INVALID_PARAMETER; + } + + Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + + // Add 1 for the ':' or for the NULL terminator + 
SignAlgoStrSize += AsciiStrLen (Tmp) + 1; + } + + if (!SignAlgoStrSize) { + return EFI_UNSUPPORTED; + } + + SignAlgoStr = AllocatePool (SignAlgoStrSize); + if (SignAlgoStr == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Pos = SignAlgoStr; + for (Index = 0; Index < Data[0]; Index += 2) { + CONST CHAR8 *Tmp; + + Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos += AsciiStrLen (Tmp); + *Pos++ = '+'; + + Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos += AsciiStrLen (Tmp); + *Pos++ = ':'; + } + + *(Pos - 1) = '\0'; + + if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) { + Status = EFI_INVALID_PARAMETER; + } else { + Status = EFI_SUCCESS; + } + + FreePool (SignAlgoStr); + return Status; +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. 
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + #if !FixedPcdGetBool (PcdOpensslEcEnabled) + return EFI_UNSUPPORTED; + #else + TLS_CONNECTION *TlsConn; + EC_KEY *EcKey; + INT32 Nid; + INT32 Ret; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) { + return EFI_INVALID_PARAMETER; + } + + switch (*((UINT32 *)Data)) { + case TlsEcNamedCurveSecp256r1: + return EFI_UNSUPPORTED; + case TlsEcNamedCurveSecp384r1: + Nid = NID_secp384r1; + break; + case TlsEcNamedCurveSecp521r1: + Nid = NID_secp521r1; + break; + case TlsEcNamedCurveX25519: + Nid = NID_X25519; + break; + case TlsEcNamedCurveX448: + Nid = NID_X448; + break; + default: + return EFI_UNSUPPORTED; + } + + if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) { + return EFI_INVALID_PARAMETER; + } + + EcKey = EC_KEY_new_by_curve_name (Nid); + if (EcKey == NULL) { + return EFI_INVALID_PARAMETER; + } + + Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey); + EC_KEY_free (EcKey); + + if (Ret != 1) { + return EFI_INVALID_PARAMETER; + } + + return EFI_SUCCESS; + #endif +} + /** Gets the protocol version used by the specified TLS connection. 
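Review bot: In TlsSetEcCurve, switch (*((UINT32 *)Data)) reads a UINT8 * through a UINT32 * cast, which assumes the caller's buffer is 4-byte aligned; use ReadUnaligned32 or take the curve as a UINT32 parameter. In the same switch, the TlsEcNamedCurveSecp256r1 case returns EFI_UNSUPPORTED with no comment explaining why a curve defined in TLS_EC_NAMED_CURVE is refused, and the X25519/X448 cases pass their NIDs to EC_KEY_new_by_curve_name, so please confirm that call succeeds for those two NIDs, otherwise both always end in EFI_INVALID_PARAMETER after SSL_set1_curves has already changed the SSL object. In TlsSetSignatureAlgoList, the if (!SignAlgoStrSize) branch cannot be reached once DataSize >= 3 has passed, so EFI_UNSUPPORTED is never returned and a list OpenSSL rejects comes back as EFI_INVALID_PARAMETER, which does not match the @retval text.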
@@ -1306,3 +1616,53 @@ TlsGetCertRevocationList ( { return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) { + return EFI_INVALID_PARAMETER; + } + + return SSL_export_keying_material ( + TlsConn->Ssl, + KeyBuffer, + KeyBufferLen, + Label, + AsciiStrLen (Label), + Context, + ContextLen, + Context != NULL + ) == 1 ? + EFI_SUCCESS : EFI_PROTOCOL_ERROR; +} diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsLib/TlsProcess.c index 0f2ad7a9fb..a803d86c4f 100644 --- a/CryptoPkg/Library/TlsLib/TlsProcess.c +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c 
@@ -461,3 +461,35 @@ TlsWrite ( // return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize); } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || ((TlsConn->Ssl) == NULL)) { + return EFI_INVALID_PARAMETER; + } + + SSL_set_quiet_shutdown (TlsConn->Ssl, 1); + SSL_shutdown (TlsConn->Ssl); + return SSL_clear (TlsConn->Ssl) == 1 ? EFI_SUCCESS : EFI_PROTOCOL_ERROR; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c index 03726fd726..18dd604382 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c 
@@ -242,11 +242,42 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -292,6 +323,61 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -617,3 +703,36 @@ TlsGetCertRevocationList ( ASSERT (FALSE); return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c index 0958ddd8d6..395dac548d 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c @@ -245,3 +245,26 @@ TlsWrite ( ASSERT (FALSE); return 0; } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} -- 2.31.1.windows.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
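Review bot: In TlsSetSignatureAlgoList (TlsLib/TlsConfig.c), the copy loop is bounded by Data[0] and uses the caller-supplied bytes SignatureAlgoList[Index] and SignatureAlgoList[Index + 1] directly as indices into TlsHashAlgoToName and TlsSignatureAlgoToName, then hands .Name to AsciiStrLen without any check inside this loop. That is safe only if the sizing pass earlier in the function (outside the part of the hunk shown here) has already rejected an odd Data[0], a Data[0] larger than DataSize allows, out-of-range indices and NULL names; with an odd Data[0] the Index + 1 access reads one byte past the list. Please add a comment at the second loop stating that dependency, or repeat the range check there. Style: `if (!SignAlgoStrSize)` should be `if (SignAlgoStrSize == 0)`, since the EDK II coding style asks for explicit comparisons on non-BOOLEAN values.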
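Review bot: In TlsSetEcCurve (TlsLib/TlsConfig.c), TlsEcNamedCurveX25519 and TlsEcNamedCurveX448 are mapped to NID_X25519 and NID_X448 and then passed to EC_KEY_new_by_curve_name (Nid). Those two are not EC_KEY named curves in OpenSSL, so that call is expected to return NULL and the function would return EFI_INVALID_PARAMETER after SSL_set1_curves has already changed the connection. Please confirm with a test for both values and, if it fails, skip the EC_KEY / SSL_set_tmp_ecdh step for them. Two smaller points in the same function: `case TlsEcNamedCurveSecp256r1: return EFI_UNSUPPORTED;` needs a comment explaining why P-256 is rejected, and `*((UINT32 *)Data)` dereferences a UINT8 pointer as UINT32, where ReadUnaligned32 would avoid an alignment assumption on the caller's buffer.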
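Review bot: TlsGetExportKey (TlsLib/TlsConfig.c) validates only TlsConn and TlsConn->Ssl before calling AsciiStrLen (Label) and letting SSL_export_keying_material write KeyBufferLen bytes to KeyBuffer; a NULL Label or NULL KeyBuffer is not rejected. Add both to the EFI_INVALID_PARAMETER check and update the @retval text, which currently says only "The TLS object is invalid". Because Label is consumed as a NUL-terminated ASCII string, declaring it CONST CHAR8 * instead of CONST VOID * would make that requirement visible in the prototype; as written, a caller passing a non-terminated byte label gets an over-read in AsciiStrLen.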
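Review bot: TlsShutdown (TlsLib/TlsProcess.c) calls SSL_set_quiet_shutdown (TlsConn->Ssl, 1) before SSL_shutdown, so no close_notify alert goes to the peer, and the SSL_shutdown return value is discarded; the function header mentions neither. Please state in the comment that this is a local reset for reusing the object and that the peer sees no orderly TLS closure, so callers that need one know to handle it separately. The @retval line for EFI_INVALID_PARAMETER says "Tls is NULL", but the check also returns it when TlsConn->Ssl is NULL.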
* [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol 2022-10-10 2:39 [PATCH V3 0/3] CryptoPkg: Extend Tls library Li, Yi 2022-10-10 2:39 ` [PATCH V3 1/3] MdePkg: Add Tls configuration related define Li, Yi 2022-10-10 2:39 ` [PATCH V3 2/3] CryptoPkg: Extend Tls function library Li, Yi @ 2022-10-10 2:39 ` Li, Yi 2022-10-10 2:46 ` [PATCH V3 0/3] CryptoPkg: Extend Tls library Yao, Jiewen [not found] ` <171C9530E5033AAA.32766@groups.io> 4 siblings, 0 replies; 9+ messages in thread From: Li, Yi @ 2022-10-10 2:39 UTC (permalink / raw) To: devel; +Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892 The implementation provides new Tls library functions for Crypto EFI Driver and Protocol. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> --- CryptoPkg/Driver/Crypto.c | 155 +++++++++++++++++- .../Pcd/PcdCryptoServiceFamilyEnable.h | 5 + .../BaseCryptLibOnProtocolPpi/CryptLib.c | 146 ++++++++++++++++- CryptoPkg/Private/Protocol/Crypto.h | 136 ++++++++++++++- 4 files changed, 435 insertions(+), 7 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 7a8266aaba..f1ff77855c 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c 
@@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite ( return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0); } +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsShutdown ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI_UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList ( return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.EcCurve, TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -4826,6 +4931,44 @@ CryptoServiceTlsGetCertRevocationList ( return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + return CALL_BASECRYPTLIB ( + TlsGet.Services.ExportKey, + TlsGetExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} + /** Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. @@ -6266,4 +6409,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceEcGenerateKey, CryptoServiceEcGetPubKey, CryptoServiceEcDhComputeKey, + /// TLS (continued) + CryptoServiceTlsShutdown, + /// TLS Set (continued) + CryptoServiceTlsSetHostPrivateKeyEx, + CryptoServiceTlsSetSignatureAlgoList, + CryptoServiceTlsSetEcCurve, + /// TLS Get (continued) + CryptoServiceTlsGetExportKey }; diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 45bafc2161..4740589417 100644 --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h 
@@ -269,6 +269,7 @@ typedef struct { UINT8 CtrlTrafficIn : 1; UINT8 Read : 1; UINT8 Write : 1; + UINT8 Shutdown : 1; } Services; UINT32 Family; } Tls; @@ -285,6 +286,9 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 HostPrivateKeyEx : 1; + UINT8 SignatureAlgoList : 1; + UINT8 EcCurve : 1; } Services; UINT32 Family; } TlsSet; @@ -303,6 +307,7 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 ExportKey : 1; } Services; UINT32 Family; } TlsGet; diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 791e2ef599..52b934a545 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3474,6 +3474,28 @@ TlsWrite ( CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0); } +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -3699,11 +3721,41 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -3747,6 +3799,59 @@ TlsSetCertRevocationList ( CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -4062,6 +4167,43 @@ TlsGetCertRevocationList ( CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + CALL_CRYPTO_SERVICE ( + TlsGetExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} + // ===================================================================================== // Big number primitive // ===================================================================================== diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index 2f267c7f55..6293efa36b 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -21,7 +21,7 @@ /// the EDK II Crypto Protocol is extended, this version define must be /// increased. /// -#define EDKII_CRYPTO_VERSION 13 +#define EDKII_CRYPTO_VERSION 14 /// /// EDK II Crypto Protocol forward declaration 
@@ -3186,6 +3186,25 @@ INTN IN UINTN BufferSize ); +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -3384,11 +3403,38 @@ EFI_STATUS /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX)( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -3680,6 +3726,82 @@ EFI_STATUS IN OUT UINTN *DataSize ); +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST)( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_EC_CURVE)( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. 
+ + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_GET_EXPORT_KEY)( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + /** Gets the CA-supplied certificate revocation list data set in the specified TLS object. @@ -4954,6 +5076,14 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_EC_GENERATE_KEY EcGenerateKey; EDKII_CRYPTO_EC_GET_PUB_KEY EcGetPubKey; EDKII_CRYPTO_EC_DH_COMPUTE_KEY EcDhComputeKey; + /// TLS (continued) + EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown; + /// TLS Set (continued) + EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX TlsSetHostPrivateKeyEx; + EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST TlsSetSignatureAlgoList; + EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve; + /// TLS Get (continued) + EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey; }; extern GUID gEdkiiCryptoProtocolGuid; -- 2.31.1.windows.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
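Review bot: In CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c, the body of TlsSetEcCurve is `CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);`, so a curve selection made through the protocol wrapper is dispatched to the signature-algorithm setter, which then interprets the curve value as a hash/signature list. This looks like a copy-paste from the function directly above; the service name should be TlsSetEcCurve. The Crypto.c side (CryptoServiceTlsSetEcCurve) and the protocol structure entry are correct, so only consumers linked against BaseCryptLibOnProtocolPpi are affected; a unit test that calls TlsSetEcCurve through that library instance would catch it.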
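Review bot: The function header for the signature-algorithm setter, repeated in Crypto.c, CryptLib.c and Crypto.h, reads "Set the signature algorithm list to used by the TLS object" and "The length the SignatureAlgoList"; both sentences are missing a word ("to be used", "The length of"). The same header says DataSize "Must be divisible by 2" without saying whether Data carries a leading length byte, which matters to callers building the buffer. In the TlsSetHostPrivateKeyEx prototype and its EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX typedef, Password is `IN VOID *` although documented as a NULL-terminated password; CONST CHAR8 * would match the description, and Data could be CONST as well since the key buffer is input only.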
* Re: [PATCH V3 0/3] CryptoPkg: Extend Tls library
  2022-10-10  2:39 [PATCH V3 0/3] CryptoPkg: Extend Tls library Li, Yi
                   ` (2 preceding siblings ...)
  2022-10-10  2:39 ` [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol Li, Yi
@ 2022-10-10  2:46 ` Yao, Jiewen
       [not found] ` <171C9530E5033AAA.32766@groups.io>
  4 siblings, 0 replies; 9+ messages in thread
From: Yao, Jiewen @ 2022-10-10  2:46 UTC (permalink / raw)
  To: Li, Yi1, devel@edk2.groups.io
  Cc: Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D, Gao, Liming

Thanks for the update.
For all patches, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

I think we need MdePkg owner to give R-B or A-B for TLS definition in MdePkg. Mike or Liming?

Thank you
Yao Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Monday, October 10, 2022 10:40 AM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: [PATCH V3 0/3] CryptoPkg: Extend Tls library
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
>
> Review PR: https://github.com/tianocore/edk2/pull/3400
> This patch sequence is used to extend Tls library, which are wrapped
> over OpenSSL. The implementation provides library functions for EFI
> DXE driver and Protocol.
>
> All APIs passed unit test and fuzzing test, detail as:
> 1. Unit test:
> New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
> 2. Fuzzing test:
> Various Fuzz Testing are employed across the all introduced APIs, and the
> test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzer,
> based on HBFA.
> Fuzzing Pass Rate is 100%;
> The Code Coverage of new APIs is 91%.
> All test case show in:
> https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg
>
> V2 change:
> Move the newly added APIs to the end of struct PCD.
> V3 change:
> Corrected tls specification reference and tls cipher suite names.
>
> Tested-by: Yi Li <yi1.li@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>
> Signed-off-by: Yi Li <yi1.li@intel.com>
>
> Yi Li (3):
>   MdePkg: Add Tls configuration related define
>   CryptoPkg: Extend Tls function library
>   CryptoPkg: Add new Tls APIs to DXE and protocol
>
>  CryptoPkg/Driver/Crypto.c                     | 155 +++++++-
>  CryptoPkg/Include/Library/TlsLib.h            | 126 +++++-
>  .../Pcd/PcdCryptoServiceFamilyEnable.h        |   5 +
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 146 ++++++-
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h     |   4 +
>  CryptoPkg/Library/TlsLib/TlsConfig.c          | 366 +++++++++++++++++-
>  CryptoPkg/Library/TlsLib/TlsProcess.c         |  32 ++
>  CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +++++-
>  CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
>  CryptoPkg/Private/Protocol/Crypto.h           | 136 ++++++-
>  MdePkg/Include/IndustryStandard/Tls1.h        | 112 ++++--
>  11 files changed, 1177 insertions(+), 51 deletions(-)
>
> --
> 2.31.1.windows.1

^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <171C9530E5033AAA.32766@groups.io>]
* Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library [not found] ` <171C9530E5033AAA.32766@groups.io> @ 2022-10-10 4:45 ` Yao, Jiewen 2022-10-10 5:38 ` Li, Yi 0 siblings, 1 reply; 9+ messages in thread From: Yao, Jiewen @ 2022-10-10 4:45 UTC (permalink / raw) To: devel@edk2.groups.io, Yao, Jiewen, Li, Yi1 Cc: Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D, Gao, Liming Hi Yi Is this patch based on latest EDKII? I failed to apply the patch 2/3. The 1/3 and 3/3 are good. > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, > Jiewen > Sent: Monday, October 10, 2022 10:47 AM > To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney, > Michael D <michael.d.kinney@intel.com>; Gao, Liming > <gaoliming@byosoft.com.cn> > Subject: Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library > > Thanks for the update. > For all patches, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> > > I think we need MdePkg owner to give R-B or A-B for TLS definition in > MdePkg. Mike or Liming? > > Thank you > Yao Jiewen > > > > -----Original Message----- > > From: Li, Yi1 <yi1.li@intel.com> > > Sent: Monday, October 10, 2022 10:40 AM > > To: devel@edk2.groups.io > > Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, > > Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, > > Guomin <guomin.jiang@intel.com>; Kinney, Michael D > > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn> > > Subject: [PATCH V3 0/3] CryptoPkg: Extend Tls library > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892 > > > > Review PR: https://github.com/tianocore/edk2/pull/3400 > > This patch sequence is used to extend Tls library, which are wrapped > > over OpenSSL. The implementation provides library functions for EFI > > DXE dirver and Protocol. 
* Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
  2022-10-10 4:45 ` [edk2-devel] " Yao, Jiewen
@ 2022-10-10 5:38 ` Li, Yi
  2022-10-10 6:31 ` Yao, Jiewen
  0 siblings, 1 reply; 9+ messages in thread
From: Li, Yi @ 2022-10-10 5:38 UTC (permalink / raw)
To: Yao, Jiewen, devel@edk2.groups.io
Cc: Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D, Gao, Liming

[-- Attachment #1: Type: text/plain, Size: 4598 bytes --]

Hi Jiewen,

Yes it is, based on latest commit 3c9e2f239a38590b4e3a8c1ec2304227f2af0103.
I applied them to EDKII master branch successfully, not sure why.
Attachments are the successful patch files for reference, but they are the same as the patches in the mail.
Let me know if there are still conflicts.

Thanks,
Yi

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Monday, October 10, 2022 12:46 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Li, Yi1 <yi1.li@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
Subject: RE: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library

Hi Yi
Is this patch based on latest EDKII?
I failed to apply the patch 2/3. The 1/3 and 3/3 are good.
[-- Attachment #2: 0001-MdePkg-Add-Tls-configuration-related-define.patch --]
[-- Type: application/octet-stream, Size: 7096 bytes --]

From 965fb84a8afba7038d09c8685909bf3c31d8ca39 Mon Sep 17 00:00:00 2001
Message-Id: <965fb84a8afba7038d09c8685909bf3c31d8ca39.1665369262.git.yi1.li@intel.com>
In-Reply-To: <cover.1665369262.git.yi1.li@intel.com>
References: <cover.1665369262.git.yi1.li@intel.com>
From: Yi Li <yi1.li@intel.com>
Date: Sat, 7 May 2022 15:37:32 +0800
Subject: [PATCH V3 1/3] MdePkg: Add Tls configuration related define

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
 MdePkg/Include/IndustryStandard/Tls1.h | 112 +++++++++++++++++--------
 1 file changed, 75 insertions(+), 37 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/Tls1.h b/MdePkg/Include/IndustryStandard/Tls1.h
index cf67428b11..f1ba0af7dc 100644
--- a/MdePkg/Include/IndustryStandard/Tls1.h +++ b/MdePkg/Include/IndustryStandard/Tls1.h 
@@ -13,44 +13,48 @@ #pragma pack(1) /// -/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246. +/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346, rfc-5246, rfc-5288 and rfc-5289. /// -#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} -#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} -#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} -#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} -#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} -#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} -#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} -#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} 
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} +#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} +#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} +#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} +#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} +#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} +#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} +#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} +#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} +#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} +#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} +#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} +#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} +#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} +#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} +#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} +#define 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F} +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {0xC0, 0x2B} +#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x2C} +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30} /// /// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246. @@ -95,6 +99,40 @@ typedef struct { // #define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432 +/// +/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsHashAlgoNone = 0, + TlsHashAlgoMd5 = 1, + TlsHashAlgoSha1 = 2, + TlsHashAlgoSha224 = 3, + TlsHashAlgoSha256 = 4, + TlsHashAlgoSha384 = 5, + TlsHashAlgoSha512 = 6, +} TLS_HASH_ALGO; + +/// +/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsSignatureAlgoAnonymous = 0, + TlsSignatureAlgoRsa = 1, + TlsSignatureAlgoDsa = 2, + TlsSignatureAlgoEcdsa = 3, +} TLS_SIGNATURE_ALGO; + +/// +/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 of rfc-8422. +/// +typedef enum { + TlsEcNamedCurveSecp256r1 = 23, + TlsEcNamedCurveSecp384r1 = 24, + TlsEcNamedCurveSecp521r1 = 25, + TlsEcNamedCurveX25519 = 29, + TlsEcNamedCurveX448 = 30, +} TLS_EC_NAMED_CURVE; + #pragma pack() #endif -- 2.31.1.windows.1 [-- Attachment #3: 0002-CryptoPkg-Extend-Tls-function-library.patch --] [-- Type: application/octet-stream, Size: 27874 bytes --] From e871aa4ce8f50632836d08cdb2a292c8a66e2bf7 Mon Sep 17 00:00:00 2001 Message-Id: <e871aa4ce8f50632836d08cdb2a292c8a66e2bf7.1665369262.git.yi1.li@intel.com> In-Reply-To: <cover.1665369262.git.yi1.li@intel.com> References: <cover.1665369262.git.yi1.li@intel.com> 
From: Yi Li <yi1.li@intel.com>
Date: Sun, 25 Sep 2022 17:14:06 +0800
Subject: [PATCH V3 2/3] CryptoPkg: Extend Tls function library

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList():
Configure the list of TLS signature algorithms that should be used as
part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve():
Configure the Elliptic Curve that should be used for TLS flows that use
cipher suite with EC, e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources, meaning a
new connection can be started without calling TlsNew() and without
setting certificates etc.

4. TlsGetExportKey():
Derive keying material from a TLS connection using the mechanism
described in RFC 5705 and export the key material (needed by EAP methods
such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx():
This function adds the local private key (PEM-encoded or PKCS#8 or
DER-encoded private key) into the specified TLS object for TLS
negotiation. There is already a similar function TlsSetHostPrivateKey(),
the new Ex function introduces a new parameter Password, set Password to
NULL when useless.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com> --- CryptoPkg/Include/Library/TlsLib.h | 126 +++++- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 + CryptoPkg/Library/TlsLib/TlsConfig.c | 366 +++++++++++++++++- CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++ CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 123 +++++- CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 ++ 6 files changed, 667 insertions(+), 7 deletions(-) diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h index 3b75fde0aa..d37c5fcc35 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -294,6 +294,25 @@ TlsWrite ( IN UINTN BufferSize ); +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -492,11 +511,38 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
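Review bot: The @retval list for TlsSetHostPrivateKeyEx() in this hunk omits EFI_INVALID_PARAMETER, which the TlsConfig.c implementation in this same patch returns when Tls, TlsConn->Ssl or Data is NULL or DataSize is 0; please add it so callers can tell a bad argument from EFI_ABORTED (key data that could not be parsed or did not match). Password is documented as a NULL-terminated string but declared `IN VOID *Password OPTIONAL`; declaring it `IN CONST CHAR8 *` would put that contract in the type. The comment for the existing TlsSetHostPrivateKey() is also changed to say DER is accepted, so the header should mention that it now forwards to the Ex function with a NULL Password.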
@@ -534,6 +580,53 @@ TlsSetCertRevocationList ( IN UINTN DataSize ); +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + /** Gets the protocol version used by the specified TLS connection. 
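Review bot: The @param Data text for TlsSetEcCurve() cites section 5.1.1 of RFC 4492, while the TLS_EC_NAMED_CURVE enum that patch 1/3 adds to Tls1.h cites section 5.1.1 of rfc-8422; cite one document in both places and name TLS_EC_NAMED_CURVE as the expected value. Data is declared `IN UINT8 *` but DataSize "should be sizeof (UINT32)", so the comment should also state that the buffer holds a single UINT32 read in native byte order, since that is how the implementation reads it. Minor: "Set the signature algorithm list to used by" is missing "be", and the @retval lines lack a trailing period unlike the neighbouring ones.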
@@ -810,4 +903,33 @@ TlsGetCertRevocationList ( IN OUT UINTN *DataSize ); +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + #endif // __TLS_LIB_H__ diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h index cf5ffe1b73..97a46af6c1 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -17,6 +17,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DebugLib.h> #include <Library/MemoryAllocationLib.h> #include <Library/SafeIntLib.h> +#include <Protocol/Tls.h> +#include <IndustryStandard/Tls1.h> +#include <Library/PcdLib.h> +#include <openssl/obj_mac.h> #include <openssl/ssl.h> #include <openssl/bio.h> #include <openssl/err.h> diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c index 0673c9d532..dbe1f06529 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -62,6 +62,38 @@ STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = { MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256 MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256 MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"), /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"), /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +}; + +typedef struct { + // + // TLS Algorithm + // + UINT8 Algo; + // + // TLS Algorithm name + // + CONST CHAR8 *Name; +} TLS_ALGO_TO_NAME; + +STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = { + { TlsHashAlgoNone, NULL }, + { TlsHashAlgoMd5, "MD5" }, + { TlsHashAlgoSha1, "SHA1" }, + { TlsHashAlgoSha224, "SHA224" }, + { TlsHashAlgoSha256, "SHA256" }, + { TlsHashAlgoSha384, "SHA384" }, + { TlsHashAlgoSha512, "SHA512" }, +}; + +STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = { + { TlsSignatureAlgoAnonymous, NULL }, + { TlsSignatureAlgoRsa, "RSA" }, + { TlsSignatureAlgoDsa, "DSA" }, + { TlsSignatureAlgoEcdsa, "ECDSA" }, }; /** 
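Review bot: TlsHashAlgoToName[] and TlsSignatureAlgoToName[] carry an Algo field, but TlsSetSignatureAlgoList() later in this patch indexes the arrays directly with the byte taken from the caller (`TlsHashAlgoToName[SignatureAlgoList[Index]].Name`) and never reads Algo, so correctness depends silently on the entries staying in enum order with no gaps. Either look entries up by comparing Algo, or drop the field and add a comment (or a STATIC_ASSERT on ARRAY_SIZE) stating that the array index is the TLS_HASH_ALGO / TLS_SIGNATURE_ALGO value. Since the commit message motivates this with SUITE-B compliant AKM suites, a short comment on why the MD5 and SHA1 names are accepted here would also help.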
@@ -831,11 +863,107 @@ ON_EXIT: /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + TLS_CONNECTION *TlsConn; + BIO *Bio; + EVP_PKEY *Pkey; + BOOLEAN Verify; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) { + return EFI_INVALID_PARAMETER; + } + + // Try to parse the private key in DER format or un-encrypted PKC#8 + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_RSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_DSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_EC, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + // Try to parse the private key in PEM format or encrypted PKC#8 + Bio = BIO_new_mem_buf (Data, (int)DataSize); + if (Bio != NULL) { + Verify = FALSE; + Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password); + if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) { + Verify = TRUE; + } + + 
EVP_PKEY_free (Pkey); + BIO_free (Bio); + + if (Verify) { + goto verify; + } + } + + return EFI_ABORTED; + +verify: + if (SSL_check_private_key (TlsConn->Ssl) == 1) { + return EFI_SUCCESS; + } + + return EFI_ABORTED; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. @@ -852,7 +980,7 @@ TlsSetHostPrivateKey ( IN UINTN DataSize ) { - return EFI_UNSUPPORTED; + return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL); } /** 
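Review bot: In TlsSetHostPrivateKeyEx() above, DataSize is narrowed with `(long)DataSize` for SSL_use_PrivateKey_ASN1() and `(int)DataSize` for BIO_new_mem_buf() without an upper-bound check; extend the existing parameter test to reject DataSize above MAX_INT32 before either cast. This matters more because the last hunk here changes TlsSetHostPrivateKey() from `return EFI_UNSUPPORTED;` to forwarding to the Ex function, so existing callers of the old API now reach this parsing code. The two `// Try to parse ...` comments spell the format "PKC#8"; that should be PKCS#8.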
@@ -879,6 +1007,188 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN Index; + UINTN SignAlgoStrSize; + CHAR8 *SignAlgoStr; + CHAR8 *Pos; + UINT8 *SignatureAlgoList; + EFI_STATUS Status; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) || + ((DataSize % 2) == 0) || (Data[0] != DataSize - 1)) + { + return EFI_INVALID_PARAMETER; + } + + SignatureAlgoList = Data + 1; + SignAlgoStrSize = 0; + for (Index = 0; Index < Data[0]; Index += 2) { + CONST CHAR8 *Tmp; + + if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) { + return EFI_INVALID_PARAMETER; + } + + Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + + // Add 1 for the '+' + SignAlgoStrSize += AsciiStrLen (Tmp) + 1; + + if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) { + return EFI_INVALID_PARAMETER; + } + + Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + + // Add 1 for the ':' or for the NULL terminator + 
SignAlgoStrSize += AsciiStrLen (Tmp) + 1; + } + + if (!SignAlgoStrSize) { + return EFI_UNSUPPORTED; + } + + SignAlgoStr = AllocatePool (SignAlgoStrSize); + if (SignAlgoStr == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Pos = SignAlgoStr; + for (Index = 0; Index < Data[0]; Index += 2) { + CONST CHAR8 *Tmp; + + Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos += AsciiStrLen (Tmp); + *Pos++ = '+'; + + Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos += AsciiStrLen (Tmp); + *Pos++ = ':'; + } + + *(Pos - 1) = '\0'; + + if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) { + Status = EFI_INVALID_PARAMETER; + } else { + Status = EFI_SUCCESS; + } + + FreePool (SignAlgoStr); + return Status; +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. 
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + #if !FixedPcdGetBool (PcdOpensslEcEnabled) + return EFI_UNSUPPORTED; + #else + TLS_CONNECTION *TlsConn; + EC_KEY *EcKey; + INT32 Nid; + INT32 Ret; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) { + return EFI_INVALID_PARAMETER; + } + + switch (*((UINT32 *)Data)) { + case TlsEcNamedCurveSecp256r1: + return EFI_UNSUPPORTED; + case TlsEcNamedCurveSecp384r1: + Nid = NID_secp384r1; + break; + case TlsEcNamedCurveSecp521r1: + Nid = NID_secp521r1; + break; + case TlsEcNamedCurveX25519: + Nid = NID_X25519; + break; + case TlsEcNamedCurveX448: + Nid = NID_X448; + break; + default: + return EFI_UNSUPPORTED; + } + + if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) { + return EFI_INVALID_PARAMETER; + } + + EcKey = EC_KEY_new_by_curve_name (Nid); + if (EcKey == NULL) { + return EFI_INVALID_PARAMETER; + } + + Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey); + EC_KEY_free (EcKey); + + if (Ret != 1) { + return EFI_INVALID_PARAMETER; + } + + return EFI_SUCCESS; + #endif +} + /** Gets the protocol version used by the specified TLS connection. 
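Review bot: The parameter check in TlsSetSignatureAlgoList() contradicts its own comment: the comment says DataSize "Must be divisible by 2", but the code returns EFI_INVALID_PARAMETER when `(DataSize % 2) == 0` and also requires `Data[0] == DataSize - 1`, so the function actually expects a one-byte length followed by (hash, signature) pairs. Document that layout in the @param Data / DataSize text here and in TlsLib.h, or drop the length byte and take the pairs directly. With those checks the first loop always runs at least once and adds a non-zero length, so `if (!SignAlgoStrSize)` can never be true and the documented EFI_UNSUPPORTED is never returned by this function. In TlsSetEcCurve(), `*((UINT32 *)Data)` reads a UINT32 through a UINT8 pointer; ReadUnaligned32() would avoid relying on the caller's alignment, and the TlsEcNamedCurveSecp256r1 case returning EFI_UNSUPPORTED deserves a comment explaining why a defined enum value is rejected.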
@@ -1306,3 +1616,53 @@ TlsGetCertRevocationList ( { return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) { + return EFI_INVALID_PARAMETER; + } + + return SSL_export_keying_material ( + TlsConn->Ssl, + KeyBuffer, + KeyBufferLen, + Label, + AsciiStrLen (Label), + Context, + ContextLen, + Context != NULL + ) == 1 ? + EFI_SUCCESS : EFI_PROTOCOL_ERROR; +} diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsLib/TlsProcess.c index 0f2ad7a9fb..a803d86c4f 100644 --- a/CryptoPkg/Library/TlsLib/TlsProcess.c +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c 
@@ -461,3 +461,35 @@ TlsWrite ( // return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize); } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || ((TlsConn->Ssl) == NULL)) { + return EFI_INVALID_PARAMETER; + } + + SSL_set_quiet_shutdown (TlsConn->Ssl, 1); + SSL_shutdown (TlsConn->Ssl); + return SSL_clear (TlsConn->Ssl) == 1 ? EFI_SUCCESS : EFI_PROTOCOL_ERROR; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c index 03726fd726..18dd604382 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c 
@@ -242,11 +242,42 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -292,6 +323,61 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -617,3 +703,36 @@ TlsGetCertRevocationList ( ASSERT (FALSE); return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c index 0958ddd8d6..395dac548d 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c @@ -245,3 +245,26 @@ TlsWrite ( ASSERT (FALSE); return 0; } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} -- 2.31.1.windows.1 [-- Attachment #4: 0003-CryptoPkg-Add-new-Tls-APIs-to-DXE-and-protocol.patch --] [-- Type: application/octet-stream, Size: 22645 bytes --] 
From 2319dba7115127b25aeb6bc9b3e6cb6c6256de6f Mon Sep 17 00:00:00 2001 Message-Id: <2319dba7115127b25aeb6bc9b3e6cb6c6256de6f.1665369262.git.yi1.li@intel.com> In-Reply-To: <cover.1665369262.git.yi1.li@intel.com> References: <cover.1665369262.git.yi1.li@intel.com> From: Yi Li <yi1.li@intel.com> Date: Mon, 26 Sep 2022 00:13:05 +0800 Subject: [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892 The implementation provides new Tls library functions for Crypto EFI Driver and Protocol. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> --- CryptoPkg/Driver/Crypto.c | 155 +++++++++++++++++- .../Pcd/PcdCryptoServiceFamilyEnable.h | 5 + .../BaseCryptLibOnProtocolPpi/CryptLib.c | 146 ++++++++++++++++- CryptoPkg/Private/Protocol/Crypto.h | 136 ++++++++++++++- 4 files changed, 435 insertions(+), 7 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 7a8266aaba..f1ff77855c 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite ( return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0); } +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsShutdown ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI_UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList ( return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.EcCurve, TlsSetEcCurve, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -4826,6 +4931,44 @@ CryptoServiceTlsGetCertRevocationList ( return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + return CALL_BASECRYPTLIB ( + TlsGet.Services.ExportKey, + TlsGetExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} + /** Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. @@ -6266,4 +6409,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceEcGenerateKey, CryptoServiceEcGetPubKey, CryptoServiceEcDhComputeKey, + /// TLS (continued) + CryptoServiceTlsShutdown, + /// TLS Set (continued) + CryptoServiceTlsSetHostPrivateKeyEx, + CryptoServiceTlsSetSignatureAlgoList, + CryptoServiceTlsSetEcCurve, + /// TLS Get (continued) + CryptoServiceTlsGetExportKey }; diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 45bafc2161..4740589417 100644 --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h 
@@ -269,6 +269,7 @@ typedef struct { UINT8 CtrlTrafficIn : 1; UINT8 Read : 1; UINT8 Write : 1; + UINT8 Shutdown : 1; } Services; UINT32 Family; } Tls; @@ -285,6 +286,9 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 HostPrivateKeyEx : 1; + UINT8 SignatureAlgoList : 1; + UINT8 EcCurve : 1; } Services; UINT32 Family; } TlsSet; @@ -303,6 +307,7 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 ExportKey : 1; } Services; UINT32 Family; } TlsGet; diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 791e2ef599..52b934a545 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3474,6 +3474,28 @@ TlsWrite ( CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0); } +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -3699,11 +3721,41 @@ TlsSetHostPublicCert ( /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKeyEx ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ) +{ + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -3747,6 +3799,59 @@ TlsSetCertRevocationList ( CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + /** Gets the protocol version used by the specified TLS connection. 
@@ -4062,6 +4167,43 @@ TlsGetCertRevocationList ( CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); } +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsGetExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + CALL_CRYPTO_SERVICE ( + TlsGetExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} + // ===================================================================================== // Big number primitive // ===================================================================================== diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index 2f267c7f55..6293efa36b 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -21,7 +21,7 @@ /// the EDK II Crypto Protocol is extended, this version define must be /// increased. /// -#define EDKII_CRYPTO_VERSION 13 +#define EDKII_CRYPTO_VERSION 14 /// /// EDK II Crypto Protocol forward declaration 
@@ -3186,6 +3186,25 @@ INTN IN UINTN BufferSize ); +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a new + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. 
@@ -3384,11 +3403,38 @@ EFI_STATUS /** Adds the local private key to the specified TLS object. - This function adds the local private key (PEM-encoded RSA or PKCS#8 private + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to NULL-terminated private key password, set it to NULL + if private key not encrypted. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX)( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize, + IN VOID *Password OPTIONAL + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private key) into the specified TLS object for TLS negotiation. @param[in] Tls Pointer to the TLS object. - @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + @param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. 
@@ -3680,6 +3726,82 @@ EFI_STATUS IN OUT UINTN *DataSize ); +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. The array consists of + pairs of the hash algorithm and the signature algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST)( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The requested TLS EC curve is not supported + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_EC_CURVE)( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ); + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in RFC + 5705. 
+ + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_GET_EXPORT_KEY)( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + /** Gets the CA-supplied certificate revocation list data set in the specified TLS object. @@ -4954,6 +5076,14 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_EC_GENERATE_KEY EcGenerateKey; EDKII_CRYPTO_EC_GET_PUB_KEY EcGetPubKey; EDKII_CRYPTO_EC_DH_COMPUTE_KEY EcDhComputeKey; + /// TLS (continued) + EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown; + /// TLS Set (continued) + EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY_EX TlsSetHostPrivateKeyEx; + EDKII_CRYPTO_TLS_SET_SIGNATURE_ALGO_LIST TlsSetSignatureAlgoList; + EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve; + /// TLS Get (continued) + EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey; }; extern GUID gEdkiiCryptoProtocolGuid; -- 2.31.1.windows.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
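Review bot: TlsSetEcCurve in CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c dispatches to the wrong service. Its body is "CALL_CRYPTO_SERVICE (TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);", identical to the TlsSetSignatureAlgoList wrapper directly above it, so a caller linked against the protocol-based library never sets the curve and instead has its curve bytes handed to the signature-algorithm setter. The first macro argument should be TlsSetEcCurve, matching CryptoServiceTlsSetEcCurve in Crypto.c and the TlsSetEcCurve member added to _EDKII_CRYPTO_PROTOCOL.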
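Review bot: TlsGetExportKey in CryptoPkg/Library/TlsLib/TlsConfig.c validates only TlsConn and TlsConn->Ssl; Label goes straight into "AsciiStrLen (Label)" and KeyBuffer straight into SSL_export_keying_material with no NULL check. Suggest returning EFI_INVALID_PARAMETER for Label == NULL, KeyBuffer == NULL, and Context == NULL with ContextLen != 0, and widening the @retval EFI_INVALID_PARAMETER text, which currently says only "The TLS object is invalid". Since KeyBuffer receives keying material, the header should also say that the caller owns clearing it after use.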
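Review bot: TlsShutdown in CryptoPkg/Library/TlsLib/TlsProcess.c discards the result of "SSL_shutdown (TlsConn->Ssl);" and calls "SSL_set_quiet_shutdown (TlsConn->Ssl, 1);" first, so no close_notify alert is sent to the peer and only the SSL_clear result reaches the caller. The function comment should say that this is a local reset for reusing the object rather than a TLS-level close, so callers do not rely on it to signal end of data to the peer. The @retval EFI_INVALID_PARAMETER line says "Tls is NULL", but the code also returns it when TlsConn->Ssl is NULL.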
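Review bot: the headers for TlsShutdown and TlsGetExportKey list only EFI_SUCCESS, EFI_INVALID_PARAMETER and EFI_PROTOCOL_ERROR, yet the TlsLibNull stubs and the CALL_BASECRYPTLIB / CALL_CRYPTO_SERVICE defaults for both return EFI_UNSUPPORTED. Add an @retval EFI_UNSUPPORTED line to each copy of those headers, as the TlsSetHostPrivateKeyEx header already has. For TlsSetSignatureAlgoList and TlsSetEcCurve the same status is documented as "no supported algorithm" or "curve is not supported", so a caller cannot tell a disabled service from a rejected value; the comment should say so or a different status should be used for one of the two cases.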
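Review bot: the TlsSetEcCurve header says DataSize "should be sizeof (UINT32)" while Data is declared "IN UINT8 *Data", and nothing states the byte order of the named-curve value or the status returned for any other DataSize; please document both. In TlsSetHostPrivateKeyEx, Data and Password are input-only but declared "IN VOID *"; CONST VOID * would match Label and Context in TlsGetExportKey and lets callers pass read-only buffers. Minor wording in the same headers: "list to used by" should read "list to be used by", and "The length the SignatureAlgoList" is missing "of".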
* Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
  2022-10-10  5:38 ` Li, Yi
@ 2022-10-10  6:31 ` Yao, Jiewen
  0 siblings, 0 replies; 9+ messages in thread
From: Yao, Jiewen @ 2022-10-10 6:31 UTC
To: Li, Yi1, devel@edk2.groups.io
Cc: Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D, Gao, Liming

Thanks. Merged https://github.com/tianocore/edk2/pull/3458

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Monday, October 10, 2022 1:38 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: RE: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
>
> Hi Jiewen,
> Yes it is, based on latest commit
> 3c9e2f239a38590b4e3a8c1ec2304227f2af0103.
> I applied them to EDKII master branch successfully, not sure why.
> Attachments are the successful patch files for reference, But they are same
> as the patches in the mail.
> Let me know if there are still conflicts.
>
> Thanks,
> Yi
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, October 10, 2022 12:46 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Li, Yi1
> <yi1.li@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: RE: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
>
> Hi Yi
> Is this patch based on latest EDKII?
>
> I failed to apply the patch 2/3.
> The 1/3 and 3/3 are good.
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> > Jiewen
> > Sent: Monday, October 10, 2022 10:47 AM
> > To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Subject: Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
> >
> > Thanks for the update.
> > For all patches, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> >
> > I think we need MdePkg owner to give R-B or A-B for TLS definition in
> > MdePkg. Mike or Liming?
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Li, Yi1 <yi1.li@intel.com>
> > > Sent: Monday, October 10, 2022 10:40 AM
> > > To: devel@edk2.groups.io
> > > Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> > > Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > Subject: [PATCH V3 0/3] CryptoPkg: Extend Tls library
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
> > >
> > > Review PR: https://github.com/tianocore/edk2/pull/3400
> > > This patch sequence is used to extend Tls library, which are wrapped
> > > over OpenSSL. The implementation provides library functions for EFI
> > > DXE driver and Protocol.
> > >
> > > All APIs passed unit test and fuzzing test, detail as:
> > > 1. Unit test:
> > > New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
> > > 2. Fuzzing test:
> > > Various Fuzz Testing are employed across the all introduced APIs,
> > > and the test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0)
> > > as the fuzzer, based on HBFA.
> > > Fuzzing Pass Rate is 100%;
> > > The Code Coverage of new APIs is 91%.
> > > All test case show in:
> > > https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg
> > >
> > > V2 change:
> > > Move the newly added APIs to the end of struct PCD.
> > > V3 change:
> > > Corrected tls specification reference and tls cipher suite names.
> > >
> > > Tested-by: Yi Li <yi1.li@intel.com>
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > >
> > > Signed-off-by: Yi Li <yi1.li@intel.com>
> > >
> > > Yi Li (3):
> > > MdePkg: Add Tls configuration related define
> > > CryptoPkg: Extend Tls function library
> > > CryptoPkg: Add new Tls APIs to DXE and protocol
> > >
> > > CryptoPkg/Driver/Crypto.c | 155 +++++++-
> > > CryptoPkg/Include/Library/TlsLib.h | 126 +++++-
> > > .../Pcd/PcdCryptoServiceFamilyEnable.h | 5 +
> > > .../BaseCryptLibOnProtocolPpi/CryptLib.c | 146 ++++++-
> > > CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 +
> > > CryptoPkg/Library/TlsLib/TlsConfig.c | 366 +++++++++++++++++-
> > > CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++
> > > CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 123 +++++-
> > > CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 ++
> > > CryptoPkg/Private/Protocol/Crypto.h | 136 ++++++-
> > > MdePkg/Include/IndustryStandard/Tls1.h | 112 ++++--
> > > 11 files changed, 1177 insertions(+), 51 deletions(-)
> > >
> > > --
> > > 2.31.1.windows.1