docs/master/_tls_config_8c_source.html

#include "InternalTlsLib.h"


typedef struct {

  //

  // TLS Algorithm

  //

  UINT8          Algo;

  //

  // TLS Algorithm name

  //

  CONST CHAR8    *Name;

} TLS_ALGO_TO_NAME;


STATIC CONST TLS_ALGO_TO_NAME  TlsHashAlgoToName[] = {

  { TlsHashAlgoNone,   NULL     },

  { TlsHashAlgoMd5,    "MD5"    },

  { TlsHashAlgoSha1,   "SHA1"   },

  { TlsHashAlgoSha224, "SHA224" },

  { TlsHashAlgoSha256, "SHA256" },

  { TlsHashAlgoSha384, "SHA384" },

  { TlsHashAlgoSha512, "SHA512" },

};


STATIC CONST TLS_ALGO_TO_NAME  TlsSignatureAlgoToName[] = {

  { TlsSignatureAlgoAnonymous, NULL    },

  { TlsSignatureAlgoRsa,       "RSA"   },

  { TlsSignatureAlgoDsa,       "DSA"   },

  { TlsSignatureAlgoEcdsa,     "ECDSA" },

};


EFI_STATUS

EFIAPI

TlsSetVersion (

  IN     VOID   *Tls,

  IN     UINT8  MajorVer,

  IN     UINT8  MinorVer

  )

{

  TLS_CONNECTION  *TlsConn;

  UINT16          ProtoVersion;


  TlsConn = (TLS_CONNECTION *)Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  ProtoVersion = (MajorVer << 8) | MinorVer;


  //

  // Bound TLS method to the particular specified version.

  //

  switch (ProtoVersion) {

    case TLS1_VERSION:

      //

      // TLS 1.0

      //

      SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);

      SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);

      break;

    case TLS1_1_VERSION:

      //

      // TLS 1.1

      //

      SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);

      SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);

      break;

    case TLS1_2_VERSION:

      //

      // TLS 1.2

      //

      SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);

      SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);

      break;

    default:

      //

      // Unsupported Protocol Version

      //

      return EFI_UNSUPPORTED;

  }


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsSetConnectionEnd (

  IN     VOID     *Tls,

  IN     BOOLEAN  IsServer

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  if (!IsServer) {

    //

    // Set TLS to work in Client mode.

    //

    SSL_set_connect_state (TlsConn->Ssl);

  } else {

    //

    // Set TLS to work in Server mode.

    // It is unsupported for UEFI version currently.

    //

    // SSL_set_accept_state (TlsConn->Ssl);

    return EFI_UNSUPPORTED;

  }


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsSetCipherList (

  IN     VOID    *Tls,

  IN     UINT16  *CipherId,

  IN     UINTN   CipherNum

  )

{

  TLS_CONNECTION    *TlsConn;

  EFI_STATUS        Status;

  CONST SSL_CIPHER  **MappedCipher;

  UINTN             MappedCipherBytes;

  UINTN             MappedCipherCount;

  UINTN             CipherStringSize;

  UINTN             Index;

  INT32             StackIdx;

  CHAR8             *CipherString;

  CHAR8             *CipherStringPosition;


  STACK_OF (SSL_CIPHER)      *OpensslCipherStack;

  CONST SSL_CIPHER  *OpensslCipher;

  CONST CHAR8       *OpensslCipherName;

  UINTN             OpensslCipherNameLength;


  TlsConn = (TLS_CONNECTION *)Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  //

  // Allocate the MappedCipher array for recording the mappings that we find

  // for the input IANA identifiers in CipherId.

  //

  Status = SafeUintnMult (

             CipherNum,

             sizeof (*MappedCipher),

             &MappedCipherBytes

             );

  if (EFI_ERROR (Status)) {

    return EFI_OUT_OF_RESOURCES;

  }


  MappedCipher = AllocatePool (MappedCipherBytes);

  if (MappedCipher == NULL) {

    return EFI_OUT_OF_RESOURCES;

  }


  OpensslCipherStack = SSL_get_ciphers (TlsConn->Ssl);


  //

  // Map the cipher IDs, and count the number of bytes for the full

  // CipherString.

  //

  MappedCipherCount = 0;

  CipherStringSize  = 0;

  for (Index = 0; OpensslCipherStack != NULL && Index < CipherNum; Index++) {

    //

    // Look up the IANA-to-OpenSSL mapping.

    //

    for (StackIdx = 0; StackIdx < sk_SSL_CIPHER_num (OpensslCipherStack); StackIdx++) {

      OpensslCipher = sk_SSL_CIPHER_value (OpensslCipherStack, StackIdx);

      if (CipherId[Index] == SSL_CIPHER_get_protocol_id (OpensslCipher)) {

        break;

      }

    }


    if (StackIdx == sk_SSL_CIPHER_num (OpensslCipherStack)) {

      DEBUG ((

        DEBUG_VERBOSE,

        "%a:%a: skipping CipherId=0x%04x\n",

        gEfiCallerBaseName,

        __func__,

        CipherId[Index]

        ));

      //

      // Skipping the cipher is valid because CipherId is an ordered

      // preference list of ciphers, thus we can filter it as long as we

      // don't change the relative order of elements on it.

      //

      continue;

    }


    //

    // Accumulate cipher name string length into CipherStringSize. If this

    // is not the first successful mapping, account for a colon (":") prefix

    // too.

    //

    if (MappedCipherCount > 0) {

      Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);

      if (EFI_ERROR (Status)) {

        Status = EFI_OUT_OF_RESOURCES;

        goto FreeMappedCipher;

      }

    }


    Status = SafeUintnAdd (

               CipherStringSize,

               AsciiStrLen (SSL_CIPHER_get_name (OpensslCipher)),

               &CipherStringSize

               );

    if (EFI_ERROR (Status)) {

      Status = EFI_OUT_OF_RESOURCES;

      goto FreeMappedCipher;

    }


    //

    // Record the mapping.

    //

    MappedCipher[MappedCipherCount++] = OpensslCipher;

  }


  //

  // Verify that at least one IANA cipher ID could be mapped; account for the

  // terminating NUL character in CipherStringSize; allocate CipherString.

  //

  if (MappedCipherCount == 0) {

    DEBUG ((

      DEBUG_ERROR,

      "%a:%a: no CipherId could be mapped\n",

      gEfiCallerBaseName,

      __func__

      ));

    Status = EFI_UNSUPPORTED;

    goto FreeMappedCipher;

  }


  Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);

  if (EFI_ERROR (Status)) {

    Status = EFI_OUT_OF_RESOURCES;

    goto FreeMappedCipher;

  }


  CipherString = AllocatePool (CipherStringSize);

  if (CipherString == NULL) {

    Status = EFI_OUT_OF_RESOURCES;

    goto FreeMappedCipher;

  }


  //

  // Go over the collected mappings and populate CipherString.

  //

  CipherStringPosition = CipherString;

  for (Index = 0; Index < MappedCipherCount; Index++) {

    OpensslCipher           = MappedCipher[Index];

    OpensslCipherName       = SSL_CIPHER_get_name (OpensslCipher);

    OpensslCipherNameLength = AsciiStrLen (OpensslCipherName);

    //

    // Append the colon (":") prefix except for the first mapping, then append

    // OpensslCipherName.

    //

    if (Index > 0) {

      *(CipherStringPosition++) = ':';

    }


    CopyMem (

      CipherStringPosition,

      OpensslCipherName,

      OpensslCipherNameLength

      );

    CipherStringPosition += OpensslCipherNameLength;

  }


  //

  // NUL-terminate CipherString.

  //

  *(CipherStringPosition++) = '\0';

  ASSERT (CipherStringPosition == CipherString + CipherStringSize);


  //

  // Log CipherString for debugging. CipherString can be very long if the

  // caller provided a large CipherId array, so log CipherString in segments of

  // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in

  // DebugLib instances.)

  //

  DEBUG_CODE_BEGIN ();

  UINTN  FullLength;

  UINTN  SegmentLength;


  FullLength = CipherStringSize - 1;

  DEBUG ((

    DEBUG_VERBOSE,

    "%a:%a: CipherString={\n",

    gEfiCallerBaseName,

    __func__

    ));

  for (CipherStringPosition = CipherString;

       CipherStringPosition < CipherString + FullLength;

       CipherStringPosition += SegmentLength)

  {

    SegmentLength = FullLength - (CipherStringPosition - CipherString);

    if (SegmentLength > 79) {

      SegmentLength = 79;

    }


    DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));

  }


  DEBUG ((DEBUG_VERBOSE, "}\n"));

  //

  // Restore the pre-debug value of CipherStringPosition by skipping over the

  // trailing NUL.

  //

  CipherStringPosition++;

  ASSERT (CipherStringPosition == CipherString + CipherStringSize);

  DEBUG_CODE_END ();


  //

  // Sets the ciphers for use by the Tls object.

  //

  if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {

    Status = EFI_UNSUPPORTED;

    goto FreeCipherString;

  }


  Status = EFI_SUCCESS;


FreeCipherString:

  FreePool (CipherString);


FreeMappedCipher:

  FreePool ((VOID *)MappedCipher);


  return Status;

}


EFI_STATUS

EFIAPI

TlsSetCompressionMethod (

  IN     UINT8  CompMethod

  )

{

  COMP_METHOD  *Cm;

  INTN         Ret;


  Cm  = NULL;

  Ret = 0;


  if (CompMethod == 0) {

    //

    // TLS defines one standard compression method, CompressionMethod.null (0),

    // which specifies that data exchanged via the record protocol will not be compressed.

    // So, return EFI_SUCCESS directly (RFC 3749).

    //

    return EFI_SUCCESS;

  } else if (CompMethod == 1) {

    Cm = COMP_zlib ();

  } else {

    return EFI_UNSUPPORTED;

  }


  //

  // Adds the compression method to the list of available

  // compression methods.

  //

  Ret = SSL_COMP_add_compression_method (CompMethod, Cm);

  if (Ret != 0) {

    return EFI_UNSUPPORTED;

  }


  return EFI_SUCCESS;

}


VOID

EFIAPI

TlsSetVerify (

  IN     VOID    *Tls,

  IN     UINT32  VerifyMode

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {

    return;

  }


  //

  // Set peer certificate verification parameters with NULL callback.

  //

  SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);

}


EFI_STATUS

EFIAPI

TlsSetVerifyHost (

  IN     VOID    *Tls,

  IN     UINT32  Flags,

  IN     CHAR8   *HostName

  )

{

  TLS_CONNECTION     *TlsConn;

  X509_VERIFY_PARAM  *VerifyParam;

  UINTN              BinaryAddressSize;

  UINT8              BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];

  INTN               ParamStatus;


  TlsConn = (TLS_CONNECTION *)Tls;

  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (HostName == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  DEBUG ((

    DEBUG_VERBOSE,

    "%a:%a: SNI hostname: %a\n",

    gEfiCallerBaseName,

    __func__,

    HostName

    ));


  if (!SSL_set_tlsext_host_name (TlsConn->Ssl, HostName)) {

    DEBUG ((

      DEBUG_ERROR,

      "%a:%a: Could not set hostname %a for SNI\n",

      gEfiCallerBaseName,

      __func__,

      HostName

      ));

  }


  SSL_set_hostflags (TlsConn->Ssl, Flags);


  VerifyParam = SSL_get0_param (TlsConn->Ssl);

  ASSERT (VerifyParam != NULL);


  BinaryAddressSize = 0;

  if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {

    BinaryAddressSize = NS_IN6ADDRSZ;

  } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {

    BinaryAddressSize = NS_INADDRSZ;

  }


  if (BinaryAddressSize > 0) {

    DEBUG ((

      DEBUG_VERBOSE,

      "%a:%a: parsed \"%a\" as an IPv%c address "

      "literal\n",

      gEfiCallerBaseName,

      __func__,

      HostName,

      (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')

      ));

    ParamStatus = X509_VERIFY_PARAM_set1_ip (

                    VerifyParam,

                    BinaryAddress,

                    BinaryAddressSize

                    );

  } else {

    ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);

  }


  return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;

}


EFI_STATUS

EFIAPI

TlsSetSessionId (

  IN     VOID    *Tls,

  IN     UINT8   *SessionId,

  IN     UINT16  SessionIdLen

  )

{

  TLS_CONNECTION  *TlsConn;

  SSL_SESSION     *Session;


  TlsConn = (TLS_CONNECTION *)Tls;

  Session = NULL;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  Session = SSL_get_session (TlsConn->Ssl);

  if (Session == NULL) {

    return EFI_UNSUPPORTED;

  }


  SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsSetCaCertificate (

  IN     VOID   *Tls,

  IN     VOID   *Data,

  IN     UINTN  DataSize

  )

{

  BIO             *BioCert;

  X509            *Cert;

  X509_STORE      *X509Store;

  EFI_STATUS      Status;

  TLS_CONNECTION  *TlsConn;

  SSL_CTX         *SslCtx;

  INTN            Ret;


  BioCert   = NULL;

  Cert      = NULL;

  X509Store = NULL;

  Status    = EFI_SUCCESS;

  TlsConn   = (TLS_CONNECTION *)Tls;

  Ret       = 0;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {

    return EFI_INVALID_PARAMETER;

  }


  //

  // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.

  // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.

  //

  Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);

  if (Cert == NULL) {

    //

    // Certificate is from PEM encoding.

    //

    BioCert = BIO_new (BIO_s_mem ());

    if (BioCert == NULL) {

      Status = EFI_OUT_OF_RESOURCES;

      goto ON_EXIT;

    }


    if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {

      Status = EFI_ABORTED;

      goto ON_EXIT;

    }


    Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);

    if (Cert == NULL) {

      Status = EFI_ABORTED;

      goto ON_EXIT;

    }

  }


  SslCtx    = SSL_get_SSL_CTX (TlsConn->Ssl);

  X509Store = SSL_CTX_get_cert_store (SslCtx);

  if (X509Store == NULL) {

    Status = EFI_ABORTED;

    goto ON_EXIT;

  }


  //

  // Add certificate to X509 store

  //

  Ret = X509_STORE_add_cert (X509Store, Cert);

  if (Ret != 1) {

    unsigned long  ErrorCode;


    ErrorCode = ERR_peek_last_error ();

    //

    // Ignore "already in table" errors

    //

    if (!((ERR_GET_LIB (ErrorCode) == ERR_LIB_X509) &&

          (ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)))

    {

      Status = EFI_ABORTED;

      goto ON_EXIT;

    }

  }


ON_EXIT:

  if (BioCert != NULL) {

    BIO_free (BioCert);

  }


  if (Cert != NULL) {

    X509_free (Cert);

  }


  return Status;

}


EFI_STATUS

EFIAPI

TlsSetHostPublicCert (

  IN     VOID   *Tls,

  IN     VOID   *Data,

  IN     UINTN  DataSize

  )

{

  BIO             *BioCert;

  X509            *Cert;

  EFI_STATUS      Status;

  TLS_CONNECTION  *TlsConn;


  BioCert = NULL;

  Cert    = NULL;

  Status  = EFI_SUCCESS;

  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {

    return EFI_INVALID_PARAMETER;

  }


  //

  // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.

  // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.

  //

  Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);

  if (Cert == NULL) {

    //

    // Certificate is from PEM encoding.

    //

    BioCert = BIO_new (BIO_s_mem ());

    if (BioCert == NULL) {

      Status = EFI_OUT_OF_RESOURCES;

      goto ON_EXIT;

    }


    if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {

      Status = EFI_ABORTED;

      goto ON_EXIT;

    }


    Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);

    if (Cert == NULL) {

      Status = EFI_ABORTED;

      goto ON_EXIT;

    }

  }


  if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {

    Status = EFI_ABORTED;

    goto ON_EXIT;

  }


ON_EXIT:

  if (BioCert != NULL) {

    BIO_free (BioCert);

  }


  if (Cert != NULL) {

    X509_free (Cert);

  }


  return Status;

}


EFI_STATUS

EFIAPI

TlsSetHostPrivateKeyEx (

  IN     VOID   *Tls,

  IN     VOID   *Data,

  IN     UINTN  DataSize,

  IN     VOID   *Password  OPTIONAL

  )

{

  TLS_CONNECTION  *TlsConn;

  BIO             *Bio;

  EVP_PKEY        *Pkey;

  BOOLEAN         Verify;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {

    return EFI_INVALID_PARAMETER;

  }


  // Try to parse the private key in DER format or un-encrypted PKC#8

  if (SSL_use_PrivateKey_ASN1 (

        EVP_PKEY_RSA,

        TlsConn->Ssl,

        Data,

        (long)DataSize

        ) == 1)

  {

    goto verify;

  }


  if (SSL_use_PrivateKey_ASN1 (

        EVP_PKEY_DSA,

        TlsConn->Ssl,

        Data,

        (long)DataSize

        ) == 1)

  {

    goto verify;

  }


  if (SSL_use_PrivateKey_ASN1 (

        EVP_PKEY_EC,

        TlsConn->Ssl,

        Data,

        (long)DataSize

        ) == 1)

  {

    goto verify;

  }


  // Try to parse the private key in PEM format or encrypted PKC#8

  Bio = BIO_new_mem_buf (Data, (int)DataSize);

  if (Bio != NULL) {

    Verify = FALSE;

    Pkey   = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);

    if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {

      Verify = TRUE;

    }


    EVP_PKEY_free (Pkey);

    BIO_free (Bio);


    if (Verify) {

      goto verify;

    }

  }


  return EFI_ABORTED;


verify:

  if (SSL_check_private_key (TlsConn->Ssl) == 1) {

    return EFI_SUCCESS;

  }


  return EFI_ABORTED;

}


EFI_STATUS

EFIAPI

TlsSetHostPrivateKey (

  IN     VOID   *Tls,

  IN     VOID   *Data,

  IN     UINTN  DataSize

  )

{

  return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL);

}


EFI_STATUS

EFIAPI

TlsSetCertRevocationList (

  IN     VOID   *Data,

  IN     UINTN  DataSize

  )

{

  return EFI_UNSUPPORTED;

}


EFI_STATUS

EFIAPI

TlsSetSignatureAlgoList (

  IN     VOID   *Tls,

  IN     UINT8  *Data,

  IN     UINTN  DataSize

  )

{

  TLS_CONNECTION  *TlsConn;

  UINTN           Index;

  UINTN           SignAlgoStrSize;

  CHAR8           *SignAlgoStr;

  CHAR8           *Pos;

  UINT8           *SignatureAlgoList;

  EFI_STATUS      Status;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||

      ((DataSize % 2) == 0) || (Data[0] != DataSize - 1))

  {

    return EFI_INVALID_PARAMETER;

  }


  SignatureAlgoList = Data + 1;

  SignAlgoStrSize   = 0;

  for (Index = 0; Index < Data[0]; Index += 2) {

    CONST CHAR8  *Tmp;


    if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {

      return EFI_INVALID_PARAMETER;

    }


    Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;

    if (!Tmp) {

      return EFI_INVALID_PARAMETER;

    }


    // Add 1 for the '+'

    SignAlgoStrSize += AsciiStrLen (Tmp) + 1;


    if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {

      return EFI_INVALID_PARAMETER;

    }


    Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;

    if (!Tmp) {

      return EFI_INVALID_PARAMETER;

    }


    // Add 1 for the ':' or for the NULL terminator

    SignAlgoStrSize += AsciiStrLen (Tmp) + 1;

  }


  if (!SignAlgoStrSize) {

    return EFI_UNSUPPORTED;

  }


  SignAlgoStr = AllocatePool (SignAlgoStrSize);

  if (SignAlgoStr == NULL) {

    return EFI_OUT_OF_RESOURCES;

  }


  Pos = SignAlgoStr;

  for (Index = 0; Index < Data[0]; Index += 2) {

    CONST CHAR8  *Tmp;


    Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;

    CopyMem (Pos, Tmp, AsciiStrLen (Tmp));

    Pos   += AsciiStrLen (Tmp);

    *Pos++ = '+';


    Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;

    CopyMem (Pos, Tmp, AsciiStrLen (Tmp));

    Pos   += AsciiStrLen (Tmp);

    *Pos++ = ':';

  }


  *(Pos - 1) = '\0';


  if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {

    Status = EFI_INVALID_PARAMETER;

  } else {

    Status = EFI_SUCCESS;

  }


  FreePool (SignAlgoStr);

  return Status;

}


EFI_STATUS

EFIAPI

TlsSetEcCurve (

  IN     VOID   *Tls,

  IN     UINT8  *Data,

  IN     UINTN  DataSize

  )

{

  TLS_CONNECTION  *TlsConn;

  EC_KEY          *EcKey;

  INT32           Nid;

  INT32           Ret;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {

    return EFI_INVALID_PARAMETER;

  }


  switch (*((UINT32 *)Data)) {

    case TlsEcNamedCurveSecp256r1:

      return EFI_UNSUPPORTED;

    case TlsEcNamedCurveSecp384r1:

      Nid = NID_secp384r1;

      break;

    case TlsEcNamedCurveSecp521r1:

      Nid = NID_secp521r1;

      break;

    case TlsEcNamedCurveX25519:

      Nid = NID_X25519;

      break;

    case TlsEcNamedCurveX448:

      Nid = NID_X448;

      break;

    default:

      return EFI_UNSUPPORTED;

  }


  if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {

    return EFI_UNSUPPORTED;

  }


  EcKey = EC_KEY_new_by_curve_name (Nid);

  if (EcKey == NULL) {

    return EFI_UNSUPPORTED;

  }


  Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey);

  EC_KEY_free (EcKey);


  if (Ret != 1) {

    return EFI_UNSUPPORTED;

  }


  return EFI_SUCCESS;

}


UINT16

EFIAPI

TlsGetVersion (

  IN     VOID  *Tls

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  ASSERT (TlsConn != NULL);


  return (UINT16)(SSL_version (TlsConn->Ssl));

}


UINT8

EFIAPI

TlsGetConnectionEnd (

  IN     VOID  *Tls

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  ASSERT (TlsConn != NULL);


  return (UINT8)SSL_is_server (TlsConn->Ssl);

}


EFI_STATUS

EFIAPI

TlsGetCurrentCipher (

  IN     VOID    *Tls,

  IN OUT UINT16  *CipherId

  )

{

  TLS_CONNECTION    *TlsConn;

  CONST SSL_CIPHER  *Cipher;


  TlsConn = (TLS_CONNECTION *)Tls;

  Cipher  = NULL;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  Cipher = SSL_get_current_cipher (TlsConn->Ssl);

  if (Cipher == NULL) {

    return EFI_UNSUPPORTED;

  }


  *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsGetCurrentCompressionId (

  IN     VOID   *Tls,

  IN OUT UINT8  *CompressionId

  )

{

  return EFI_UNSUPPORTED;

}


UINT32

EFIAPI

TlsGetVerify (

  IN     VOID  *Tls

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  ASSERT (TlsConn != NULL);


  return SSL_get_verify_mode (TlsConn->Ssl);

}


EFI_STATUS

EFIAPI

TlsGetSessionId (

  IN     VOID    *Tls,

  IN OUT UINT8   *SessionId,

  IN OUT UINT16  *SessionIdLen

  )

{

  TLS_CONNECTION  *TlsConn;

  SSL_SESSION     *Session;

  CONST UINT8     *SslSessionId;


  TlsConn = (TLS_CONNECTION *)Tls;

  Session = NULL;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL) || (SessionIdLen == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  Session = SSL_get_session (TlsConn->Ssl);

  if (Session == NULL) {

    return EFI_UNSUPPORTED;

  }


  SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);

  CopyMem (SessionId, SslSessionId, *SessionIdLen);


  return EFI_SUCCESS;

}


VOID

EFIAPI

TlsGetClientRandom (

  IN     VOID   *Tls,

  IN OUT UINT8  *ClientRandom

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ClientRandom == NULL)) {

    return;

  }


  SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);

}


VOID

EFIAPI

TlsGetServerRandom (

  IN     VOID   *Tls,

  IN OUT UINT8  *ServerRandom

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ServerRandom == NULL)) {

    return;

  }


  SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);

}


EFI_STATUS

EFIAPI

TlsGetKeyMaterial (

  IN     VOID   *Tls,

  IN OUT UINT8  *KeyMaterial

  )

{

  TLS_CONNECTION  *TlsConn;

  SSL_SESSION     *Session;


  TlsConn = (TLS_CONNECTION *)Tls;

  Session = NULL;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (KeyMaterial == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  Session = SSL_get_session (TlsConn->Ssl);


  if (Session == NULL) {

    return EFI_UNSUPPORTED;

  }


  SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsGetCaCertificate (

  IN     VOID   *Tls,

  OUT    VOID   *Data,

  IN OUT UINTN  *DataSize

  )

{

  return EFI_UNSUPPORTED;

}


EFI_STATUS

EFIAPI

TlsGetHostPublicCert (

  IN     VOID   *Tls,

  OUT    VOID   *Data,

  IN OUT UINTN  *DataSize

  )

{

  X509            *Cert;

  TLS_CONNECTION  *TlsConn;


  Cert    = NULL;

  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (DataSize == NULL) || ((*DataSize != 0) && (Data == NULL))) {

    return EFI_INVALID_PARAMETER;

  }


  Cert = SSL_get_certificate (TlsConn->Ssl);

  if (Cert == NULL) {

    return EFI_NOT_FOUND;

  }


  //

  // Only DER encoding is supported currently.

  //

  if (*DataSize < (UINTN)i2d_X509 (Cert, NULL)) {

    *DataSize = (UINTN)i2d_X509 (Cert, NULL);

    return EFI_BUFFER_TOO_SMALL;

  }


  *DataSize = (UINTN)i2d_X509 (Cert, (unsigned char **)&Data);


  return EFI_SUCCESS;

}


EFI_STATUS

EFIAPI

TlsGetHostPrivateKey (

  IN     VOID   *Tls,

  OUT    VOID   *Data,

  IN OUT UINTN  *DataSize

  )

{

  return EFI_UNSUPPORTED;

}


EFI_STATUS

EFIAPI

TlsGetCertRevocationList (

  OUT    VOID   *Data,

  IN OUT UINTN  *DataSize

  )

{

  return EFI_UNSUPPORTED;

}


EFI_STATUS

EFIAPI

TlsGetExportKey (

  IN     VOID        *Tls,

  IN     CONST VOID  *Label,

  IN     CONST VOID  *Context,

  IN     UINTN       ContextLen,

  OUT    VOID        *KeyBuffer,

  IN     UINTN       KeyBufferLen

  )

{

  TLS_CONNECTION  *TlsConn;


  TlsConn = (TLS_CONNECTION *)Tls;


  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {

    return EFI_INVALID_PARAMETER;

  }


  return SSL_export_keying_material (

           TlsConn->Ssl,

           KeyBuffer,

           KeyBufferLen,

           Label,

           AsciiStrLen (Label),

           Context,

           ContextLen,

           Context != NULL

           ) == 1 ?

         EFI_SUCCESS : EFI_PROTOCOL_ERROR;

}

UINTN
UINT64 UINTN
Definition: ProcessorBind.h:112

INTN
INT64 INTN
Definition: ProcessorBind.h:118

AsciiStrLen
UINTN EFIAPI AsciiStrLen(IN CONST CHAR8 *String)
Definition: String.c:641

CopyMem
VOID *EFIAPI CopyMem(OUT VOID *DestinationBuffer, IN CONST VOID *SourceBuffer, IN UINTN Length)
Definition: CopyMemWrapper.c:41

FreePool
VOID EFIAPI FreePool(IN VOID *Buffer)
Definition: MemoryAllocationLib.c:266

NULL
#define NULL
Definition: Base.h:319

CONST
#define CONST
Definition: Base.h:259

STATIC
#define STATIC
Definition: Base.h:264

TRUE
#define TRUE
Definition: Base.h:301

FALSE
#define FALSE
Definition: Base.h:307

ARRAY_SIZE
#define ARRAY_SIZE(Array)
Definition: Base.h:1393

IN
#define IN
Definition: Base.h:279

OUT
#define OUT
Definition: Base.h:284

MAX
#define MAX(a, b)
Definition: Base.h:992

DEBUG_CODE_BEGIN
#define DEBUG_CODE_BEGIN()
Definition: DebugLib.h:564

DEBUG
#define DEBUG(Expression)
Definition: DebugLib.h:434

DEBUG_CODE_END
#define DEBUG_CODE_END()
Definition: DebugLib.h:578

AllocatePool
VOID *EFIAPI AllocatePool(IN UINTN AllocationSize)
Definition: MemoryAllocationLib.c:195

SafeUintnAdd
RETURN_STATUS EFIAPI SafeUintnAdd(IN UINTN Augend, IN UINTN Addend, OUT UINTN *Result)
Definition: SafeIntLib32.c:338

SafeUintnMult
RETURN_STATUS EFIAPI SafeUintnMult(IN UINTN Multiplicand, IN UINTN Multiplier, OUT UINTN *Result)
Definition: SafeIntLib32.c:430

TlsGetServerRandom
VOID EFIAPI TlsGetServerRandom(IN VOID *Tls, IN OUT UINT8 *ServerRandom)
Definition: TlsConfig.c:1353

TlsGetHostPublicCert
EFI_STATUS EFIAPI TlsGetHostPublicCert(IN VOID *Tls, OUT VOID *Data, IN OUT UINTN *DataSize)
Definition: TlsConfig.c:1457

TlsSetVerifyHost
EFI_STATUS EFIAPI TlsSetVerifyHost(IN VOID *Tls, IN UINT32 Flags, IN CHAR8 *HostName)
Definition: TlsConfig.c:486

TlsGetKeyMaterial
EFI_STATUS EFIAPI TlsGetKeyMaterial(IN VOID *Tls, IN OUT UINT8 *KeyMaterial)
Definition: TlsConfig.c:1385

TlsGetVerify
UINT32 EFIAPI TlsGetVerify(IN VOID *Tls)
Definition: TlsConfig.c:1253

TlsGetCurrentCipher
EFI_STATUS EFIAPI TlsGetCurrentCipher(IN VOID *Tls, IN OUT UINT16 *CipherId)
Definition: TlsConfig.c:1187

TlsSetCertRevocationList
EFI_STATUS EFIAPI TlsSetCertRevocationList(IN VOID *Data, IN UINTN DataSize)
Definition: TlsConfig.c:929

TlsGetCertRevocationList
EFI_STATUS EFIAPI TlsGetCertRevocationList(OUT VOID *Data, IN OUT UINTN *DataSize)
Definition: TlsConfig.c:1535

TlsSetCompressionMethod
EFI_STATUS EFIAPI TlsSetCompressionMethod(IN UINT8 CompMethod)
Definition: TlsConfig.c:408

TlsSetCaCertificate
EFI_STATUS EFIAPI TlsSetCaCertificate(IN VOID *Tls, IN VOID *Data, IN UINTN DataSize)
Definition: TlsConfig.c:617

TlsSetCipherList
EFI_STATUS EFIAPI TlsSetCipherList(IN VOID *Tls, IN UINT16 *CipherId, IN UINTN CipherNum)
Definition: TlsConfig.c:171

TlsGetCurrentCompressionId
EFI_STATUS EFIAPI TlsGetCurrentCompressionId(IN VOID *Tls, IN OUT UINT8 *CompressionId)
Definition: TlsConfig.c:1230

TlsSetConnectionEnd
EFI_STATUS EFIAPI TlsSetConnectionEnd(IN VOID *Tls, IN BOOLEAN IsServer)
Definition: TlsConfig.c:122

TlsSetSessionId
EFI_STATUS EFIAPI TlsSetSessionId(IN VOID *Tls, IN UINT8 *SessionId, IN UINT16 SessionIdLen)
Definition: TlsConfig.c:572

TlsSetHostPrivateKey
EFI_STATUS EFIAPI TlsSetHostPrivateKey(IN VOID *Tls, IN VOID *Data, IN UINTN DataSize)
Definition: TlsConfig.c:904

TlsSetHostPublicCert
EFI_STATUS EFIAPI TlsSetHostPublicCert(IN VOID *Tls, IN VOID *Data, IN UINTN DataSize)
Definition: TlsConfig.c:726

TlsGetConnectionEnd
UINT8 EFIAPI TlsGetConnectionEnd(IN VOID *Tls)
Definition: TlsConfig.c:1158

TlsSetVerify
VOID EFIAPI TlsSetVerify(IN VOID *Tls, IN UINT32 VerifyMode)
Definition: TlsConfig.c:454

TlsGetClientRandom
VOID EFIAPI TlsGetClientRandom(IN VOID *Tls, IN OUT UINT8 *ClientRandom)
Definition: TlsConfig.c:1324

TlsSetVersion
EFI_STATUS EFIAPI TlsSetVersion(IN VOID *Tls, IN UINT8 MajorVer, IN UINT8 MinorVer)
Definition: TlsConfig.c:56

TlsSetHostPrivateKeyEx
EFI_STATUS EFIAPI TlsSetHostPrivateKeyEx(IN VOID *Tls, IN VOID *Data, IN UINTN DataSize, IN VOID *Password OPTIONAL)
Definition: TlsConfig.c:810

TlsGetSessionId
EFI_STATUS EFIAPI TlsGetSessionId(IN VOID *Tls, IN OUT UINT8 *SessionId, IN OUT UINT16 *SessionIdLen)
Definition: TlsConfig.c:1283

TlsGetVersion
UINT16 EFIAPI TlsGetVersion(IN VOID *Tls)
Definition: TlsConfig.c:1130

TlsSetEcCurve
EFI_STATUS EFIAPI TlsSetEcCurve(IN VOID *Tls, IN UINT8 *Data, IN UINTN DataSize)
Definition: TlsConfig.c:1060

TlsGetExportKey
EFI_STATUS EFIAPI TlsGetExportKey(IN VOID *Tls, IN CONST VOID *Label, IN CONST VOID *Context, IN UINTN ContextLen, OUT VOID *KeyBuffer, IN UINTN KeyBufferLen)
Definition: TlsConfig.c:1563

TlsGetCaCertificate
EFI_STATUS EFIAPI TlsGetCaCertificate(IN VOID *Tls, OUT VOID *Data, IN OUT UINTN *DataSize)
Definition: TlsConfig.c:1429

TlsGetHostPrivateKey
EFI_STATUS EFIAPI TlsGetHostPrivateKey(IN VOID *Tls, OUT VOID *Data, IN OUT UINTN *DataSize)
Definition: TlsConfig.c:1509

TlsSetSignatureAlgoList
EFI_STATUS EFIAPI TlsSetSignatureAlgoList(IN VOID *Tls, IN UINT8 *Data, IN UINTN DataSize)
Definition: TlsConfig.c:956

InternalTlsLib.h

EFI_STATUS
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29

EFI_SUCCESS
#define EFI_SUCCESS
Definition: UefiBaseType.h:112

TLS_ALGO_TO_NAME
Definition: TlsConfig.c:12

TLS_CONNECTION
Definition: InternalTlsLib.h:28