public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Li, Yi" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Xiaoyu Lu <xiaoyu1.lu@intel.com>,
	Guomin Jiang <guomin.jiang@intel.com>
Subject: [PATCH V3 2/3] CryptoPkg: Extend Tls function library
Date: Mon, 10 Oct 2022 10:39:58 +0800	[thread overview]
Message-ID: <e871aa4ce8f50632836d08cdb2a292c8a66e2bf7.1665369262.git.yi1.li@intel.com> (raw)
In-Reply-To: <cover.1665369262.git.yi1.li@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.

4. TlsGetExportKey(): Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx(): This function adds the local private key
(PEM-encoded or PKCS#8 or DER-encoded private key) into the specified
TLS object for TLS negotiation. There is already a similar function
TlsSetHostPrivateKey(), the new Ex function introduces a new parameter
Password, set Password to NULL when useless.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
 CryptoPkg/Include/Library/TlsLib.h            | 126 +++++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h     |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c          | 366 +++++++++++++++++-
 CryptoPkg/Library/TlsLib/TlsProcess.c         |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +++++-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
 6 files changed, 667 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aa..d37c5fcc35 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -294,6 +294,25 @@ TlsWrite (
   IN     UINTN  BufferSize
   );
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]       Tls            Pointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS             The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR      Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN     VOID  *Tls
+  );
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -492,11 +511,38 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls         Pointer to the TLS object.
-  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
+                          or PKCS#8 private key.
+  @param[in]  DataSize    The size of data buffer in bytes.
+  @param[in]  Password    Pointer to NULL-terminated private key password, set it to NULL
+                          if private key not encrypted.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN     VOID   *Tls,
+  IN     VOID   *Data,
+  IN     UINTN  DataSize,
+  IN     VOID   *Password  OPTIONAL
+  );
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
                           or PKCS#8 private key.
   @param[in]  DataSize    The size of data buffer in bytes.
 
@@ -534,6 +580,53 @@ TlsSetCertRevocationList (
   IN     UINTN  DataSize
   );
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS object.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               Array of UINT8 of signature algorithms. The array consists of
+                                 pairs of the hash algorithm and the signature algorithm as defined
+                                 in RFC 5246
+  @param[in]  DataSize           The length the SignatureAlgoList. Must be divisible by 2.
+
+  @retval  EFI_SUCCESS           The signature algorithm list was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       No supported TLS signature algorithm was found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  );
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               An EC named curve as defined in section 5.1.1 of RFC 4492.
+  @param[in]  DataSize           Size of Data, it should be sizeof (UINT32)
+
+  @retval  EFI_SUCCESS           The EC curve was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  );
+
 /**
   Gets the protocol version used by the specified TLS connection.
 
@@ -810,4 +903,33 @@ TlsGetCertRevocationList (
   IN OUT UINTN  *DataSize
   );
 
+/**
+  Derive keying material from a TLS connection.
+
+  This function exports keying material using the mechanism described in RFC
+  5705.
+
+  @param[in]      Tls          Pointer to the TLS object
+  @param[in]      Label        Description of the key for the PRF function
+  @param[in]      Context      Optional context
+  @param[in]      ContextLen   The length of the context value in bytes
+  @param[out]     KeyBuffer    Buffer to hold the output of the TLS-PRF
+  @param[in]      KeyBufferLen The length of the KeyBuffer
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The TLS object is invalid.
+  @retval  EFI_PROTOCOL_ERROR      Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetExportKey (
+  IN     VOID        *Tls,
+  IN     CONST VOID  *Label,
+  IN     CONST VOID  *Context,
+  IN     UINTN       ContextLen,
+  OUT    VOID        *KeyBuffer,
+  IN     UINTN       KeyBufferLen
+  );
+
 #endif // __TLS_LIB_H__
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index cf5ffe1b73..97a46af6c1 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -17,6 +17,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/DebugLib.h>
 #include <Library/MemoryAllocationLib.h>
 #include <Library/SafeIntLib.h>
+#include <Protocol/Tls.h>
+#include <IndustryStandard/Tls1.h>
+#include <Library/PcdLib.h>
+#include <openssl/obj_mac.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 0673c9d532..dbe1f06529 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -62,6 +62,38 @@ STATIC CONST TLS_CIPHER_MAPPING  TlsCipherMappingTable[] = {
   MAP (0x0068, "DH-DSS-AES256-SHA256"),             /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
   MAP (0x0069, "DH-RSA-AES256-SHA256"),             /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
   MAP (0x006B, "DHE-RSA-AES256-SHA256"),            /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+  MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"),        /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),    /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),    /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+  MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),      /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+};
+
+typedef struct {
+  //
+  // TLS Algorithm
+  //
+  UINT8          Algo;
+  //
+  // TLS Algorithm name
+  //
+  CONST CHAR8    *Name;
+} TLS_ALGO_TO_NAME;
+
+STATIC CONST TLS_ALGO_TO_NAME  TlsHashAlgoToName[] = {
+  { TlsHashAlgoNone,   NULL     },
+  { TlsHashAlgoMd5,    "MD5"    },
+  { TlsHashAlgoSha1,   "SHA1"   },
+  { TlsHashAlgoSha224, "SHA224" },
+  { TlsHashAlgoSha256, "SHA256" },
+  { TlsHashAlgoSha384, "SHA384" },
+  { TlsHashAlgoSha512, "SHA512" },
+};
+
+STATIC CONST TLS_ALGO_TO_NAME  TlsSignatureAlgoToName[] = {
+  { TlsSignatureAlgoAnonymous, NULL    },
+  { TlsSignatureAlgoRsa,       "RSA"   },
+  { TlsSignatureAlgoDsa,       "DSA"   },
+  { TlsSignatureAlgoEcdsa,     "ECDSA" },
 };
 
 /**
@@ -831,11 +863,107 @@ ON_EXIT:
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls         Pointer to the TLS object.
-  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
+                          or PKCS#8 private key.
+  @param[in]  DataSize    The size of data buffer in bytes.
+  @param[in]  Password    Pointer to NULL-terminated private key password, set it to NULL
+                          if private key not encrypted.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN     VOID   *Tls,
+  IN     VOID   *Data,
+  IN     UINTN  DataSize,
+  IN     VOID   *Password  OPTIONAL
+  )
+{
+  TLS_CONNECTION  *TlsConn;
+  BIO             *Bio;
+  EVP_PKEY        *Pkey;
+  BOOLEAN         Verify;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+
+  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  // Try to parse the private key in DER format or un-encrypted PKC#8
+  if (SSL_use_PrivateKey_ASN1 (
+        EVP_PKEY_RSA,
+        TlsConn->Ssl,
+        Data,
+        (long)DataSize
+        ) == 1)
+  {
+    goto verify;
+  }
+
+  if (SSL_use_PrivateKey_ASN1 (
+        EVP_PKEY_DSA,
+        TlsConn->Ssl,
+        Data,
+        (long)DataSize
+        ) == 1)
+  {
+    goto verify;
+  }
+
+  if (SSL_use_PrivateKey_ASN1 (
+        EVP_PKEY_EC,
+        TlsConn->Ssl,
+        Data,
+        (long)DataSize
+        ) == 1)
+  {
+    goto verify;
+  }
+
+  // Try to parse the private key in PEM format or encrypted PKC#8
+  Bio = BIO_new_mem_buf (Data, (int)DataSize);
+  if (Bio != NULL) {
+    Verify = FALSE;
+    Pkey   = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);
+    if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {
+      Verify = TRUE;
+    }
+
+    EVP_PKEY_free (Pkey);
+    BIO_free (Bio);
+
+    if (Verify) {
+      goto verify;
+    }
+  }
+
+  return EFI_ABORTED;
+
+verify:
+  if (SSL_check_private_key (TlsConn->Ssl) == 1) {
+    return EFI_SUCCESS;
+  }
+
+  return EFI_ABORTED;
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
                           or PKCS#8 private key.
   @param[in]  DataSize    The size of data buffer in bytes.
 
@@ -852,7 +980,7 @@ TlsSetHostPrivateKey (
   IN     UINTN  DataSize
   )
 {
-  return EFI_UNSUPPORTED;
+  return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL);
 }
 
 /**
@@ -879,6 +1007,188 @@ TlsSetCertRevocationList (
   return EFI_UNSUPPORTED;
 }
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS object.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               Array of UINT8 of signature algorithms. The array consists of
+                                 pairs of the hash algorithm and the signature algorithm as defined
+                                 in RFC 5246
+  @param[in]  DataSize           The length the SignatureAlgoList. Must be divisible by 2.
+
+  @retval  EFI_SUCCESS           The signature algorithm list was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       No supported TLS signature algorithm was found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+  TLS_CONNECTION  *TlsConn;
+  UINTN           Index;
+  UINTN           SignAlgoStrSize;
+  CHAR8           *SignAlgoStr;
+  CHAR8           *Pos;
+  UINT8           *SignatureAlgoList;
+  EFI_STATUS      Status;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+
+  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||
+      ((DataSize % 2) == 0) || (Data[0] != DataSize - 1))
+  {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  SignatureAlgoList = Data + 1;
+  SignAlgoStrSize   = 0;
+  for (Index = 0; Index < Data[0]; Index += 2) {
+    CONST CHAR8  *Tmp;
+
+    if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
+    Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+    if (!Tmp) {
+      return EFI_INVALID_PARAMETER;
+    }
+
+    // Add 1 for the '+'
+    SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+
+    if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
+    Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+    if (!Tmp) {
+      return EFI_INVALID_PARAMETER;
+    }
+
+    // Add 1 for the ':' or for the NULL terminator
+    SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
+  }
+
+  if (!SignAlgoStrSize) {
+    return EFI_UNSUPPORTED;
+  }
+
+  SignAlgoStr = AllocatePool (SignAlgoStrSize);
+  if (SignAlgoStr == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  Pos = SignAlgoStr;
+  for (Index = 0; Index < Data[0]; Index += 2) {
+    CONST CHAR8  *Tmp;
+
+    Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
+    CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+    Pos   += AsciiStrLen (Tmp);
+    *Pos++ = '+';
+
+    Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
+    CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
+    Pos   += AsciiStrLen (Tmp);
+    *Pos++ = ':';
+  }
+
+  *(Pos - 1) = '\0';
+
+  if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {
+    Status = EFI_INVALID_PARAMETER;
+  } else {
+    Status = EFI_SUCCESS;
+  }
+
+  FreePool (SignAlgoStr);
+  return Status;
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               An EC named curve as defined in section 5.1.1 of RFC 4492.
+  @param[in]  DataSize           Size of Data, it should be sizeof (UINT32)
+
+  @retval  EFI_SUCCESS           The EC curve was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+ #if !FixedPcdGetBool (PcdOpensslEcEnabled)
+  return EFI_UNSUPPORTED;
+ #else
+  TLS_CONNECTION  *TlsConn;
+  EC_KEY          *EcKey;
+  INT32           Nid;
+  INT32           Ret;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+
+  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  switch (*((UINT32 *)Data)) {
+    case TlsEcNamedCurveSecp256r1:
+      return EFI_UNSUPPORTED;
+    case TlsEcNamedCurveSecp384r1:
+      Nid = NID_secp384r1;
+      break;
+    case TlsEcNamedCurveSecp521r1:
+      Nid = NID_secp521r1;
+      break;
+    case TlsEcNamedCurveX25519:
+      Nid = NID_X25519;
+      break;
+    case TlsEcNamedCurveX448:
+      Nid = NID_X448;
+      break;
+    default:
+      return EFI_UNSUPPORTED;
+  }
+
+  if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  EcKey = EC_KEY_new_by_curve_name (Nid);
+  if (EcKey == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey);
+  EC_KEY_free (EcKey);
+
+  if (Ret != 1) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  return EFI_SUCCESS;
+ #endif
+}
+
 /**
   Gets the protocol version used by the specified TLS connection.
 
@@ -1306,3 +1616,53 @@ TlsGetCertRevocationList (
 {
   return EFI_UNSUPPORTED;
 }
+
+/**
+  Derive keying material from a TLS connection.
+
+  This function exports keying material using the mechanism described in RFC
+  5705.
+
+  @param[in]      Tls          Pointer to the TLS object
+  @param[in]      Label        Description of the key for the PRF function
+  @param[in]      Context      Optional context
+  @param[in]      ContextLen   The length of the context value in bytes
+  @param[out]     KeyBuffer    Buffer to hold the output of the TLS-PRF
+  @param[in]      KeyBufferLen The length of the KeyBuffer
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The TLS object is invalid.
+  @retval  EFI_PROTOCOL_ERROR      Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetExportKey (
+  IN     VOID        *Tls,
+  IN     CONST VOID  *Label,
+  IN     CONST VOID  *Context,
+  IN     UINTN       ContextLen,
+  OUT    VOID        *KeyBuffer,
+  IN     UINTN       KeyBufferLen
+  )
+{
+  TLS_CONNECTION  *TlsConn;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+
+  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  return SSL_export_keying_material (
+           TlsConn->Ssl,
+           KeyBuffer,
+           KeyBufferLen,
+           Label,
+           AsciiStrLen (Label),
+           Context,
+           ContextLen,
+           Context != NULL
+           ) == 1 ?
+         EFI_SUCCESS : EFI_PROTOCOL_ERROR;
+}
diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsLib/TlsProcess.c
index 0f2ad7a9fb..a803d86c4f 100644
--- a/CryptoPkg/Library/TlsLib/TlsProcess.c
+++ b/CryptoPkg/Library/TlsLib/TlsProcess.c
@@ -461,3 +461,35 @@ TlsWrite (
   //
   return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize);
 }
+
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]       Tls            Pointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS             The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR      Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN     VOID  *Tls
+  )
+{
+  TLS_CONNECTION  *TlsConn;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+
+  if ((TlsConn == NULL) || ((TlsConn->Ssl) == NULL)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  SSL_set_quiet_shutdown (TlsConn->Ssl, 1);
+  SSL_shutdown (TlsConn->Ssl);
+  return SSL_clear (TlsConn->Ssl) == 1 ? EFI_SUCCESS : EFI_PROTOCOL_ERROR;
+}
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 03726fd726..18dd604382 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -242,11 +242,42 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls         Pointer to the TLS object.
-  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
+                          or PKCS#8 private key.
+  @param[in]  DataSize    The size of data buffer in bytes.
+  @param[in]  Password    Pointer to NULL-terminated private key password, set it to NULL
+                          if private key not encrypted.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN     VOID   *Tls,
+  IN     VOID   *Data,
+  IN     UINTN  DataSize,
+  IN     VOID   *Password  OPTIONAL
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
                           or PKCS#8 private key.
   @param[in]  DataSize    The size of data buffer in bytes.
 
@@ -292,6 +323,61 @@ TlsSetCertRevocationList (
   return EFI_UNSUPPORTED;
 }
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS object.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               Array of UINT8 of signature algorithms. The array consists of
+                                 pairs of the hash algorithm and the signature algorithm as defined
+                                 in RFC 5246
+  @param[in]  DataSize           The length the SignatureAlgoList. Must be divisible by 2.
+
+  @retval  EFI_SUCCESS           The signature algorithm list was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       No supported TLS signature algorithm was found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               An EC named curve as defined in section 5.1.1 of RFC 4492.
+  @param[in]  DataSize           Size of Data, it should be sizeof (UINT32)
+
+  @retval  EFI_SUCCESS           The EC curve was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
 /**
   Gets the protocol version used by the specified TLS connection.
 
@@ -617,3 +703,36 @@ TlsGetCertRevocationList (
   ASSERT (FALSE);
   return EFI_UNSUPPORTED;
 }
+
+/**
+  Derive keying material from a TLS connection.
+
+  This function exports keying material using the mechanism described in RFC
+  5705.
+
+  @param[in]      Tls          Pointer to the TLS object
+  @param[in]      Label        Description of the key for the PRF function
+  @param[in]      Context      Optional context
+  @param[in]      ContextLen   The length of the context value in bytes
+  @param[out]     KeyBuffer    Buffer to hold the output of the TLS-PRF
+  @param[in]      KeyBufferLen The length of the KeyBuffer
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The TLS object is invalid.
+  @retval  EFI_PROTOCOL_ERROR      Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetExportKey (
+  IN     VOID        *Tls,
+  IN     CONST VOID  *Label,
+  IN     CONST VOID  *Context,
+  IN     UINTN       ContextLen,
+  OUT    VOID        *KeyBuffer,
+  IN     UINTN       KeyBufferLen
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
diff --git a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
index 0958ddd8d6..395dac548d 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c
@@ -245,3 +245,26 @@ TlsWrite (
   ASSERT (FALSE);
   return 0;
 }
+
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]       Tls            Pointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS             The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR      Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN     VOID  *Tls
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
-- 
2.31.1.windows.1


  parent reply	other threads:[~2022-10-10  2:40 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-10  2:39 [PATCH V3 0/3] CryptoPkg: Extend Tls library Li, Yi
2022-10-10  2:39 ` [PATCH V3 1/3] MdePkg: Add Tls configuration related define Li, Yi
2022-10-10  3:06   ` Michael D Kinney
2022-10-10  2:39 ` Li, Yi [this message]
2022-10-10  2:39 ` [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol Li, Yi
2022-10-10  2:46 ` [PATCH V3 0/3] CryptoPkg: Extend Tls library Yao, Jiewen
     [not found] ` <171C9530E5033AAA.32766@groups.io>
2022-10-10  4:45   ` [edk2-devel] " Yao, Jiewen
2022-10-10  5:38     ` Li, Yi
2022-10-10  6:31       ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e871aa4ce8f50632836d08cdb2a292c8a66e2bf7.1665369262.git.yi1.li@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox