• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /** @file
2   SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
3 
4 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
5 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution.  The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10 
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13 
14 **/
15 
16 #include "InternalTlsLib.h"
17 
18 typedef struct {
19   //
20   // IANA/IETF defined Cipher Suite ID
21   //
22   UINT16                          IanaCipher;
23   //
24   // OpenSSL-used Cipher Suite String
25   //
26   CONST CHAR8                     *OpensslCipher;
27 } TLS_CIPHER_PAIR;
28 
29 //
30 // The mapping table between IANA/IETF Cipher Suite definitions and
31 // OpenSSL-used Cipher Suite name.
32 //
33 STATIC CONST TLS_CIPHER_PAIR TlsCipherMappingTable[] = {
34   { 0x0001, "NULL-MD5" },                 /// TLS_RSA_WITH_NULL_MD5
35   { 0x0002, "NULL-SHA" },                 /// TLS_RSA_WITH_NULL_SHA
36   { 0x0004, "RC4-MD5" },                  /// TLS_RSA_WITH_RC4_128_MD5
37   { 0x0005, "RC4-SHA" },                  /// TLS_RSA_WITH_RC4_128_SHA
38   { 0x000A, "DES-CBC3-SHA" },             /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
39   { 0x0016, "DHE-RSA-DES-CBC3-SHA" },     /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
40   { 0x002F, "AES128-SHA" },               /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
41   { 0x0030, "DH-DSS-AES128-SHA" },        /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
42   { 0x0031, "DH-RSA-AES128-SHA" },        /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
43   { 0x0033, "DHE-RSA-AES128-SHA" },       /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
44   { 0x0035, "AES256-SHA" },               /// TLS_RSA_WITH_AES_256_CBC_SHA
45   { 0x0036, "DH-DSS-AES256-SHA" },        /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
46   { 0x0037, "DH-RSA-AES256-SHA" },        /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
47   { 0x0039, "DHE-RSA-AES256-SHA" },       /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
48   { 0x003B, "NULL-SHA256" },              /// TLS_RSA_WITH_NULL_SHA256
49   { 0x003C, "AES128-SHA256" },            /// TLS_RSA_WITH_AES_128_CBC_SHA256
50   { 0x003D, "AES256-SHA256" },            /// TLS_RSA_WITH_AES_256_CBC_SHA256
51   { 0x003E, "DH-DSS-AES128-SHA256" },     /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
52   { 0x003F, "DH-RSA-AES128-SHA256" },     /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
53   { 0x0067, "DHE-RSA-AES128-SHA256" },    /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
54   { 0x0068, "DH-DSS-AES256-SHA256" },     /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
55   { 0x0069, "DH-RSA-AES256-SHA256" },     /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
56   { 0x006B, "DHE-RSA-AES256-SHA256" }     /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
57 };
58 
59 /**
60   Gets the OpenSSL cipher suite string for the supplied IANA TLS cipher suite.
61 
62   @param[in]  CipherId    The supplied IANA TLS cipher suite ID.
63 
64   @return  The corresponding OpenSSL cipher suite string if found,
65            NULL otherwise.
66 
67 **/
68 STATIC
69 CONST CHAR8 *
TlsGetCipherString(IN UINT16 CipherId)70 TlsGetCipherString (
71   IN     UINT16                   CipherId
72   )
73 {
74   CONST TLS_CIPHER_PAIR  *CipherEntry;
75   UINTN                  TableSize;
76   UINTN                  Index;
77 
78   CipherEntry = TlsCipherMappingTable;
79   TableSize = sizeof (TlsCipherMappingTable) / sizeof (TLS_CIPHER_PAIR);
80 
81   //
82   // Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
83   //
84   for (Index = 0; Index < TableSize; Index++, CipherEntry++) {
85     //
86     // Translate IANA cipher suite name to OpenSSL name.
87     //
88     if (CipherEntry->IanaCipher == CipherId) {
89       return CipherEntry->OpensslCipher;
90     }
91   }
92 
93   //
94   // No Cipher Mapping found, return NULL.
95   //
96   return NULL;
97 }
98 
99 /**
100   Set a new TLS/SSL method for a particular TLS object.
101 
102   This function sets a new TLS/SSL method for a particular TLS object.
103 
104   @param[in]  Tls         Pointer to a TLS object.
105   @param[in]  MajorVer    Major Version of TLS/SSL Protocol.
106   @param[in]  MinorVer    Minor Version of TLS/SSL Protocol.
107 
108   @retval  EFI_SUCCESS           The TLS/SSL method was set successfully.
109   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
110   @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL method.
111 
112 **/
113 EFI_STATUS
114 EFIAPI
TlsSetVersion(IN VOID * Tls,IN UINT8 MajorVer,IN UINT8 MinorVer)115 TlsSetVersion (
116   IN     VOID                     *Tls,
117   IN     UINT8                    MajorVer,
118   IN     UINT8                    MinorVer
119   )
120 {
121   TLS_CONNECTION  *TlsConn;
122   UINT16          ProtoVersion;
123 
124   TlsConn = (TLS_CONNECTION *)Tls;
125   if (TlsConn == NULL || TlsConn->Ssl == NULL) {
126     return EFI_INVALID_PARAMETER;
127   }
128 
129   ProtoVersion = (MajorVer << 8) | MinorVer;
130 
131   switch (ProtoVersion) {
132   case TLS1_VERSION:
133     //
134     // TLS 1.0
135     //
136     SSL_set_ssl_method (TlsConn->Ssl, TLSv1_method ());
137     break;
138   case TLS1_1_VERSION:
139     //
140     // TLS 1.1
141     //
142     SSL_set_ssl_method (TlsConn->Ssl, TLSv1_1_method ());
143     break;
144   case TLS1_2_VERSION:
145     //
146     // TLS 1.2
147     //
148     SSL_set_ssl_method (TlsConn->Ssl, TLSv1_2_method ());
149     break;
150   default:
151     //
152     // Unsupported Protocol Version
153     //
154     return EFI_UNSUPPORTED;
155   }
156 
157   return EFI_SUCCESS;;
158 }
159 
160 /**
161   Set TLS object to work in client or server mode.
162 
163   This function prepares a TLS object to work in client or server mode.
164 
165   @param[in]  Tls         Pointer to a TLS object.
166   @param[in]  IsServer    Work in server mode.
167 
168   @retval  EFI_SUCCESS           The TLS/SSL work mode was set successfully.
169   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
170   @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL work mode.
171 
172 **/
173 EFI_STATUS
174 EFIAPI
TlsSetConnectionEnd(IN VOID * Tls,IN BOOLEAN IsServer)175 TlsSetConnectionEnd (
176   IN     VOID                     *Tls,
177   IN     BOOLEAN                  IsServer
178   )
179 {
180   TLS_CONNECTION  *TlsConn;
181 
182   TlsConn = (TLS_CONNECTION *) Tls;
183   if (TlsConn == NULL || TlsConn->Ssl == NULL) {
184     return EFI_INVALID_PARAMETER;
185   }
186 
187   if (!IsServer) {
188     //
189     // Set TLS to work in Client mode.
190     //
191     SSL_set_connect_state (TlsConn->Ssl);
192   } else {
193     //
194     // Set TLS to work in Server mode.
195     // It is unsupported for UEFI version currently.
196     //
197     //SSL_set_accept_state (TlsConn->Ssl);
198     return EFI_UNSUPPORTED;
199   }
200 
201   return EFI_SUCCESS;
202 }
203 
204 /**
205   Set the ciphers list to be used by the TLS object.
206 
207   This function sets the ciphers for use by a specified TLS object.
208 
209   @param[in]  Tls          Pointer to a TLS object.
210   @param[in]  CipherId     Pointer to a UINT16 cipher Id.
211   @param[in]  CipherNum    The number of cipher in the list.
212 
213   @retval  EFI_SUCCESS           The ciphers list was set successfully.
214   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
215   @retval  EFI_UNSUPPORTED       Unsupported TLS cipher in the list.
216 
217 **/
218 EFI_STATUS
219 EFIAPI
TlsSetCipherList(IN VOID * Tls,IN UINT16 * CipherId,IN UINTN CipherNum)220 TlsSetCipherList (
221   IN     VOID                     *Tls,
222   IN     UINT16                   *CipherId,
223   IN     UINTN                    CipherNum
224   )
225 {
226   TLS_CONNECTION  *TlsConn;
227   UINTN           Index;
228   CONST CHAR8     *MappingName;
229   CHAR8           CipherString[500];
230 
231   TlsConn = (TLS_CONNECTION *) Tls;
232   if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
233     return EFI_INVALID_PARAMETER;
234   }
235 
236   MappingName = NULL;
237 
238   memset (CipherString, 0, sizeof (CipherString));
239 
240   for (Index = 0; Index < CipherNum; Index++) {
241     //
242     // Handling OpenSSL / RFC Cipher name mapping.
243     //
244     MappingName = TlsGetCipherString (*(CipherId + Index));
245     if (MappingName == NULL) {
246       return EFI_UNSUPPORTED;
247     }
248 
249     if (Index != 0) {
250       //
251       // The ciphers were separated by a colon.
252       //
253       AsciiStrCatS (CipherString, sizeof (CipherString), ":");
254     }
255 
256     AsciiStrCatS (CipherString, sizeof (CipherString), MappingName);
257   }
258 
259   AsciiStrCatS (CipherString, sizeof (CipherString), ":@STRENGTH");
260 
261   //
262   // Sets the ciphers for use by the Tls object.
263   //
264   if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
265     return EFI_UNSUPPORTED;
266   }
267 
268   return EFI_SUCCESS;
269 }
270 
271 /**
272   Set the compression method for TLS/SSL operations.
273 
274   This function handles TLS/SSL integrated compression methods.
275 
276   @param[in]  CompMethod    The compression method ID.
277 
278   @retval  EFI_SUCCESS        The compression method for the communication was
279                               set successfully.
280   @retval  EFI_UNSUPPORTED    Unsupported compression method.
281 
282 **/
283 EFI_STATUS
284 EFIAPI
TlsSetCompressionMethod(IN UINT8 CompMethod)285 TlsSetCompressionMethod (
286   IN     UINT8                    CompMethod
287   )
288 {
289   COMP_METHOD  *Cm;
290   INTN         Ret;
291 
292   Cm  = NULL;
293   Ret = 0;
294 
295   if (CompMethod == 0) {
296     //
297     // TLS defines one standard compression method, CompressionMethod.null (0),
298     // which specifies that data exchanged via the record protocol will not be compressed.
299     // So, return EFI_SUCCESS directly (RFC 3749).
300     //
301     return EFI_SUCCESS;
302   } else if (CompMethod == 1) {
303     Cm = COMP_zlib();
304   } else {
305     return EFI_UNSUPPORTED;
306   }
307 
308   //
309   // Adds the compression method to the list of available
310   // compression methods.
311   //
312   Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
313   if (Ret != 0) {
314     return EFI_UNSUPPORTED;
315   }
316 
317   return EFI_SUCCESS;
318 }
319 
320 /**
321   Set peer certificate verification mode for the TLS connection.
322 
323   This function sets the verification mode flags for the TLS connection.
324 
325   @param[in]  Tls           Pointer to the TLS object.
326   @param[in]  VerifyMode    A set of logically or'ed verification mode flags.
327 
328 **/
329 VOID
330 EFIAPI
TlsSetVerify(IN VOID * Tls,IN UINT32 VerifyMode)331 TlsSetVerify (
332   IN     VOID                     *Tls,
333   IN     UINT32                   VerifyMode
334   )
335 {
336   TLS_CONNECTION  *TlsConn;
337 
338   TlsConn = (TLS_CONNECTION *) Tls;
339   if (TlsConn == NULL || TlsConn->Ssl == NULL) {
340     return;
341   }
342 
343   //
344   // Set peer certificate verification parameters with NULL callback.
345   //
346   SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
347 }
348 
349 /**
350   Sets a TLS/SSL session ID to be used during TLS/SSL connect.
351 
352   This function sets a session ID to be used when the TLS/SSL connection is
353   to be established.
354 
355   @param[in]  Tls             Pointer to the TLS object.
356   @param[in]  SessionId       Session ID data used for session resumption.
357   @param[in]  SessionIdLen    Length of Session ID in bytes.
358 
359   @retval  EFI_SUCCESS           Session ID was set successfully.
360   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
361   @retval  EFI_UNSUPPORTED       No available session for ID setting.
362 
363 **/
364 EFI_STATUS
365 EFIAPI
TlsSetSessionId(IN VOID * Tls,IN UINT8 * SessionId,IN UINT16 SessionIdLen)366 TlsSetSessionId (
367   IN     VOID                     *Tls,
368   IN     UINT8                    *SessionId,
369   IN     UINT16                   SessionIdLen
370   )
371 {
372   TLS_CONNECTION  *TlsConn;
373   SSL_SESSION     *Session;
374 
375   TlsConn = (TLS_CONNECTION *) Tls;
376   Session = NULL;
377 
378   if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
379     return EFI_INVALID_PARAMETER;
380   }
381 
382   Session = SSL_get_session (TlsConn->Ssl);
383   if (Session == NULL) {
384     return EFI_UNSUPPORTED;
385   }
386 
387   Session->session_id_length = SessionIdLen;
388   CopyMem (Session->session_id, SessionId, Session->session_id_length);
389 
390   return EFI_SUCCESS;
391 }
392 
393 /**
394   Adds the CA to the cert store when requesting Server or Client authentication.
395 
396   This function adds the CA certificate to the list of CAs when requesting
397   Server or Client authentication for the chosen TLS connection.
398 
399   @param[in]  Tls         Pointer to the TLS object.
400   @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
401                           X.509 certificate or PEM-encoded X.509 certificate.
402   @param[in]  DataSize    The size of data buffer in bytes.
403 
404   @retval  EFI_SUCCESS             The operation succeeded.
405   @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
406   @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
407   @retval  EFI_ABORTED             Invalid X.509 certificate.
408 
409 **/
410 EFI_STATUS
411 EFIAPI
TlsSetCaCertificate(IN VOID * Tls,IN VOID * Data,IN UINTN DataSize)412 TlsSetCaCertificate (
413   IN     VOID                     *Tls,
414   IN     VOID                     *Data,
415   IN     UINTN                    DataSize
416   )
417 {
418   BIO             *BioCert;
419   X509            *Cert;
420   X509_STORE      *X509Store;
421   EFI_STATUS      Status;
422   TLS_CONNECTION  *TlsConn;
423   SSL_CTX         *SslCtx;
424   INTN            Ret;
425   unsigned long   ErrorCode;
426 
427   BioCert   = NULL;
428   Cert      = NULL;
429   X509Store = NULL;
430   Status    = EFI_SUCCESS;
431   TlsConn   = (TLS_CONNECTION *) Tls;
432   Ret       = 0;
433 
434   if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
435     return EFI_INVALID_PARAMETER;
436   }
437 
438   //
439   // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
440   // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
441   //
442   Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
443   if (Cert == NULL) {
444     //
445     // Certificate is from PEM encoding.
446     //
447     BioCert = BIO_new (BIO_s_mem ());
448     if (BioCert == NULL) {
449       Status = EFI_OUT_OF_RESOURCES;
450       goto ON_EXIT;
451     }
452 
453     if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
454       Status = EFI_ABORTED;
455       goto ON_EXIT;
456     }
457 
458     Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
459     if (Cert == NULL) {
460       Status = EFI_ABORTED;
461       goto ON_EXIT;
462     }
463   }
464 
465   SslCtx    = SSL_get_SSL_CTX (TlsConn->Ssl);
466   X509Store = SSL_CTX_get_cert_store (SslCtx);
467   if (X509Store == NULL) {
468       Status = EFI_ABORTED;
469       goto ON_EXIT;
470   }
471 
472   //
473   // Add certificate to X509 store
474   //
475   Ret = X509_STORE_add_cert (X509Store, Cert);
476   if (Ret != 1) {
477     ErrorCode = ERR_peek_last_error ();
478     //
479     // Ignore "already in table" errors
480     //
481     if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
482         ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
483       Status = EFI_ABORTED;
484       goto ON_EXIT;
485     }
486   }
487 
488 ON_EXIT:
489   if (BioCert != NULL) {
490     BIO_free (BioCert);
491   }
492 
493   if (Cert != NULL) {
494     X509_free (Cert);
495   }
496 
497   return Status;
498 }
499 
500 /**
501   Loads the local public certificate into the specified TLS object.
502 
503   This function loads the X.509 certificate into the specified TLS object
504   for TLS negotiation.
505 
506   @param[in]  Tls         Pointer to the TLS object.
507   @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
508                           X.509 certificate or PEM-encoded X.509 certificate.
509   @param[in]  DataSize    The size of data buffer in bytes.
510 
511   @retval  EFI_SUCCESS             The operation succeeded.
512   @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
513   @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
514   @retval  EFI_ABORTED             Invalid X.509 certificate.
515 
516 **/
517 EFI_STATUS
518 EFIAPI
TlsSetHostPublicCert(IN VOID * Tls,IN VOID * Data,IN UINTN DataSize)519 TlsSetHostPublicCert (
520   IN     VOID                     *Tls,
521   IN     VOID                     *Data,
522   IN     UINTN                    DataSize
523   )
524 {
525   BIO             *BioCert;
526   X509            *Cert;
527   EFI_STATUS      Status;
528   TLS_CONNECTION  *TlsConn;
529 
530   BioCert = NULL;
531   Cert    = NULL;
532   Status  = EFI_SUCCESS;
533   TlsConn = (TLS_CONNECTION *) Tls;
534 
535   if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
536     return EFI_INVALID_PARAMETER;
537   }
538 
539   //
540   // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
541   // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
542   //
543   Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
544   if (Cert == NULL) {
545     //
546     // Certificate is from PEM encoding.
547     //
548     BioCert = BIO_new (BIO_s_mem ());
549     if (BioCert == NULL) {
550       Status = EFI_OUT_OF_RESOURCES;
551       goto ON_EXIT;
552     }
553 
554     if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
555       Status = EFI_ABORTED;
556       goto ON_EXIT;
557     }
558 
559     Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
560     if (Cert == NULL) {
561       Status = EFI_ABORTED;
562       goto ON_EXIT;
563     }
564   }
565 
566   if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
567     Status = EFI_ABORTED;
568     goto ON_EXIT;
569   }
570 
571 ON_EXIT:
572   if (BioCert != NULL) {
573     BIO_free (BioCert);
574   }
575 
576   if (Cert != NULL) {
577     X509_free (Cert);
578   }
579 
580   return Status;
581 }
582 
583 /**
584   Adds the local private key to the specified TLS object.
585 
586   This function adds the local private key (PEM-encoded RSA or PKCS#8 private
587   key) into the specified TLS object for TLS negotiation.
588 
589   @param[in]  Tls         Pointer to the TLS object.
590   @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
591                           or PKCS#8 private key.
592   @param[in]  DataSize    The size of data buffer in bytes.
593 
594   @retval  EFI_SUCCESS     The operation succeeded.
595   @retval  EFI_UNSUPPORTED This function is not supported.
596   @retval  EFI_ABORTED     Invalid private key data.
597 
598 **/
599 EFI_STATUS
600 EFIAPI
TlsSetHostPrivateKey(IN VOID * Tls,IN VOID * Data,IN UINTN DataSize)601 TlsSetHostPrivateKey (
602   IN     VOID                     *Tls,
603   IN     VOID                     *Data,
604   IN     UINTN                    DataSize
605   )
606 {
607   return EFI_UNSUPPORTED;
608 }
609 
610 /**
611   Adds the CA-supplied certificate revocation list for certificate validation.
612 
613   This function adds the CA-supplied certificate revocation list data for
614   certificate validity checking.
615 
616   @param[in]  Data        Pointer to the data buffer of a DER-encoded CRL data.
617   @param[in]  DataSize    The size of data buffer in bytes.
618 
619   @retval  EFI_SUCCESS     The operation succeeded.
620   @retval  EFI_UNSUPPORTED This function is not supported.
621   @retval  EFI_ABORTED     Invalid CRL data.
622 
623 **/
624 EFI_STATUS
625 EFIAPI
TlsSetCertRevocationList(IN VOID * Data,IN UINTN DataSize)626 TlsSetCertRevocationList (
627   IN     VOID                     *Data,
628   IN     UINTN                    DataSize
629   )
630 {
631   return EFI_UNSUPPORTED;
632 }
633 
634 /**
635   Gets the protocol version used by the specified TLS connection.
636 
637   This function returns the protocol version used by the specified TLS
638   connection.
639 
640   @param[in]  Tls    Pointer to the TLS object.
641 
642   @return  The protocol version of the specified TLS connection.
643 
644 **/
645 UINT16
646 EFIAPI
TlsGetVersion(IN VOID * Tls)647 TlsGetVersion (
648   IN     VOID                     *Tls
649   )
650 {
651   TLS_CONNECTION  *TlsConn;
652 
653   TlsConn = (TLS_CONNECTION *) Tls;
654 
655   ASSERT (TlsConn != NULL);
656 
657   return (UINT16)(SSL_version (TlsConn->Ssl));
658 }
659 
660 /**
661   Gets the connection end of the specified TLS connection.
662 
663   This function returns the connection end (as client or as server) used by
664   the specified TLS connection.
665 
666   @param[in]  Tls    Pointer to the TLS object.
667 
668   @return  The connection end used by the specified TLS connection.
669 
670 **/
671 UINT8
672 EFIAPI
TlsGetConnectionEnd(IN VOID * Tls)673 TlsGetConnectionEnd (
674   IN     VOID                     *Tls
675   )
676 {
677   TLS_CONNECTION  *TlsConn;
678 
679   TlsConn = (TLS_CONNECTION *) Tls;
680 
681   ASSERT (TlsConn != NULL);
682 
683   return (UINT8)SSL_is_server (TlsConn->Ssl);
684 }
685 
686 /**
687   Gets the cipher suite used by the specified TLS connection.
688 
689   This function returns current cipher suite used by the specified
690   TLS connection.
691 
692   @param[in]      Tls         Pointer to the TLS object.
693   @param[in,out]  CipherId    The cipher suite used by the TLS object.
694 
695   @retval  EFI_SUCCESS           The cipher suite was returned successfully.
696   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
697   @retval  EFI_UNSUPPORTED       Unsupported cipher suite.
698 
699 **/
700 EFI_STATUS
701 EFIAPI
TlsGetCurrentCipher(IN VOID * Tls,IN OUT UINT16 * CipherId)702 TlsGetCurrentCipher (
703   IN     VOID                     *Tls,
704   IN OUT UINT16                   *CipherId
705   )
706 {
707   TLS_CONNECTION    *TlsConn;
708   CONST SSL_CIPHER  *Cipher;
709 
710   TlsConn = (TLS_CONNECTION *) Tls;
711   Cipher  = NULL;
712 
713   if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
714     return EFI_INVALID_PARAMETER;
715   }
716 
717   Cipher = SSL_get_current_cipher (TlsConn->Ssl);
718   if (Cipher == NULL) {
719     return EFI_UNSUPPORTED;
720   }
721 
722   *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
723 
724   return EFI_SUCCESS;
725 }
726 
727 /**
728   Gets the compression methods used by the specified TLS connection.
729 
730   This function returns current integrated compression methods used by
731   the specified TLS connection.
732 
733   @param[in]      Tls              Pointer to the TLS object.
734   @param[in,out]  CompressionId    The current compression method used by
735                                    the TLS object.
736 
737   @retval  EFI_SUCCESS           The compression method was returned successfully.
738   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
739   @retval  EFI_ABORTED           Invalid Compression method.
740   @retval  EFI_UNSUPPORTED       This function is not supported.
741 
742 **/
743 EFI_STATUS
744 EFIAPI
TlsGetCurrentCompressionId(IN VOID * Tls,IN OUT UINT8 * CompressionId)745 TlsGetCurrentCompressionId (
746   IN     VOID                     *Tls,
747   IN OUT UINT8                    *CompressionId
748   )
749 {
750   return EFI_UNSUPPORTED;
751 }
752 
753 /**
754   Gets the verification mode currently set in the TLS connection.
755 
756   This function returns the peer verification mode currently set in the
757   specified TLS connection.
758 
759   @param[in]  Tls    Pointer to the TLS object.
760 
761   @return  The verification mode set in the specified TLS connection.
762 
763 **/
764 UINT32
765 EFIAPI
TlsGetVerify(IN VOID * Tls)766 TlsGetVerify (
767   IN     VOID                     *Tls
768   )
769 {
770   TLS_CONNECTION  *TlsConn;
771 
772   TlsConn = (TLS_CONNECTION *) Tls;
773 
774   ASSERT (TlsConn != NULL);
775 
776   return SSL_get_verify_mode (TlsConn->Ssl);
777 }
778 
779 /**
780   Gets the session ID used by the specified TLS connection.
781 
782   This function returns the TLS/SSL session ID currently used by the
783   specified TLS connection.
784 
785   @param[in]      Tls             Pointer to the TLS object.
786   @param[in,out]  SessionId       Buffer to contain the returned session ID.
787   @param[in,out]  SessionIdLen    The length of Session ID in bytes.
788 
789   @retval  EFI_SUCCESS           The Session ID was returned successfully.
790   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
791   @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.
792 
793 **/
794 EFI_STATUS
795 EFIAPI
TlsGetSessionId(IN VOID * Tls,IN OUT UINT8 * SessionId,IN OUT UINT16 * SessionIdLen)796 TlsGetSessionId (
797   IN     VOID                     *Tls,
798   IN OUT UINT8                    *SessionId,
799   IN OUT UINT16                   *SessionIdLen
800   )
801 {
802   TLS_CONNECTION  *TlsConn;
803   SSL_SESSION     *Session;
804   CONST UINT8     *SslSessionId;
805 
806   TlsConn = (TLS_CONNECTION *) Tls;
807   Session = NULL;
808 
809   if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
810     return EFI_INVALID_PARAMETER;
811   }
812 
813   Session = SSL_get_session (TlsConn->Ssl);
814   if (Session == NULL) {
815     return EFI_UNSUPPORTED;
816   }
817 
818   SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
819   CopyMem (SessionId, SslSessionId, *SessionIdLen);
820 
821   return EFI_SUCCESS;
822 }
823 
824 /**
825   Gets the client random data used in the specified TLS connection.
826 
827   This function returns the TLS/SSL client random data currently used in
828   the specified TLS connection.
829 
830   @param[in]      Tls             Pointer to the TLS object.
831   @param[in,out]  ClientRandom    Buffer to contain the returned client
832                                   random data (32 bytes).
833 
834 **/
835 VOID
836 EFIAPI
TlsGetClientRandom(IN VOID * Tls,IN OUT UINT8 * ClientRandom)837 TlsGetClientRandom (
838   IN     VOID                     *Tls,
839   IN OUT UINT8                    *ClientRandom
840   )
841 {
842   TLS_CONNECTION  *TlsConn;
843 
844   TlsConn = (TLS_CONNECTION *) Tls;
845 
846   if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
847     return;
848   }
849 
850   CopyMem (ClientRandom, TlsConn->Ssl->s3->client_random, SSL3_RANDOM_SIZE);
851 }
852 
853 /**
854   Gets the server random data used in the specified TLS connection.
855 
856   This function returns the TLS/SSL server random data currently used in
857   the specified TLS connection.
858 
859   @param[in]      Tls             Pointer to the TLS object.
860   @param[in,out]  ServerRandom    Buffer to contain the returned server
861                                   random data (32 bytes).
862 
863 **/
864 VOID
865 EFIAPI
TlsGetServerRandom(IN VOID * Tls,IN OUT UINT8 * ServerRandom)866 TlsGetServerRandom (
867   IN     VOID                     *Tls,
868   IN OUT UINT8                    *ServerRandom
869   )
870 {
871   TLS_CONNECTION  *TlsConn;
872 
873   TlsConn = (TLS_CONNECTION *) Tls;
874 
875   if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
876     return;
877   }
878 
879   CopyMem (ServerRandom, TlsConn->Ssl->s3->server_random, SSL3_RANDOM_SIZE);
880 }
881 
882 /**
883   Gets the master key data used in the specified TLS connection.
884 
885   This function returns the TLS/SSL master key material currently used in
886   the specified TLS connection.
887 
888   @param[in]      Tls            Pointer to the TLS object.
889   @param[in,out]  KeyMaterial    Buffer to contain the returned key material.
890 
891   @retval  EFI_SUCCESS           Key material was returned successfully.
892   @retval  EFI_INVALID_PARAMETER The parameter is invalid.
893   @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.
894 
895 **/
896 EFI_STATUS
897 EFIAPI
TlsGetKeyMaterial(IN VOID * Tls,IN OUT UINT8 * KeyMaterial)898 TlsGetKeyMaterial (
899   IN     VOID                     *Tls,
900   IN OUT UINT8                    *KeyMaterial
901   )
902 {
903   TLS_CONNECTION  *TlsConn;
904   SSL_SESSION     *Session;
905 
906   TlsConn = (TLS_CONNECTION *) Tls;
907   Session = NULL;
908 
909   if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
910     return EFI_INVALID_PARAMETER;
911   }
912 
913   Session = SSL_get_session (TlsConn->Ssl);
914 
915   if (Session == NULL) {
916     return EFI_UNSUPPORTED;
917   }
918 
919   CopyMem (KeyMaterial, Session->master_key, Session->master_key_length);
920 
921   return EFI_SUCCESS;
922 }
923 
924 /**
925   Gets the CA Certificate from the cert store.
926 
927   This function returns the CA certificate for the chosen
928   TLS connection.
929 
930   @param[in]      Tls         Pointer to the TLS object.
931   @param[out]     Data        Pointer to the data buffer to receive the CA
932                               certificate data sent to the client.
933   @param[in,out]  DataSize    The size of data buffer in bytes.
934 
935   @retval  EFI_SUCCESS             The operation succeeded.
936   @retval  EFI_UNSUPPORTED         This function is not supported.
937   @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
938 
939 **/
940 EFI_STATUS
941 EFIAPI
TlsGetCaCertificate(IN VOID * Tls,OUT VOID * Data,IN OUT UINTN * DataSize)942 TlsGetCaCertificate (
943   IN     VOID                     *Tls,
944   OUT    VOID                     *Data,
945   IN OUT UINTN                    *DataSize
946   )
947 {
948   return EFI_UNSUPPORTED;
949 }
950 
951 /**
952   Gets the local public Certificate set in the specified TLS object.
953 
954   This function returns the local public certificate which was currently set
955   in the specified TLS object.
956 
957   @param[in]      Tls         Pointer to the TLS object.
958   @param[out]     Data        Pointer to the data buffer to receive the local
959                               public certificate.
960   @param[in,out]  DataSize    The size of data buffer in bytes.
961 
962   @retval  EFI_SUCCESS             The operation succeeded.
963   @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
964   @retval  EFI_NOT_FOUND           The certificate is not found.
965   @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
966 
967 **/
968 EFI_STATUS
969 EFIAPI
TlsGetHostPublicCert(IN VOID * Tls,OUT VOID * Data,IN OUT UINTN * DataSize)970 TlsGetHostPublicCert (
971   IN     VOID                     *Tls,
972   OUT    VOID                     *Data,
973   IN OUT UINTN                    *DataSize
974   )
975 {
976   X509            *Cert;
977   TLS_CONNECTION  *TlsConn;
978 
979   Cert    = NULL;
980   TlsConn = (TLS_CONNECTION *) Tls;
981 
982   if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL) {
983     return EFI_INVALID_PARAMETER;
984   }
985 
986   Cert = SSL_get_certificate(TlsConn->Ssl);
987   if (Cert == NULL) {
988     return EFI_NOT_FOUND;
989   }
990 
991   //
992   // Only DER encoding is supported currently.
993   //
994   if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
995     *DataSize = (UINTN) i2d_X509 (Cert, NULL);
996     return EFI_BUFFER_TOO_SMALL;
997   }
998 
999   *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
1000 
1001   return EFI_SUCCESS;
1002 }
1003 
1004 /**
1005   Gets the local private key set in the specified TLS object.
1006 
1007   This function returns the local private key data which was currently set
1008   in the specified TLS object.
1009 
1010   @param[in]      Tls         Pointer to the TLS object.
1011   @param[out]     Data        Pointer to the data buffer to receive the local
1012                               private key data.
1013   @param[in,out]  DataSize    The size of data buffer in bytes.
1014 
1015   @retval  EFI_SUCCESS             The operation succeeded.
1016   @retval  EFI_UNSUPPORTED         This function is not supported.
1017   @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
1018 
1019 **/
1020 EFI_STATUS
1021 EFIAPI
TlsGetHostPrivateKey(IN VOID * Tls,OUT VOID * Data,IN OUT UINTN * DataSize)1022 TlsGetHostPrivateKey (
1023   IN     VOID                     *Tls,
1024   OUT    VOID                     *Data,
1025   IN OUT UINTN                    *DataSize
1026   )
1027 {
1028   return EFI_UNSUPPORTED;
1029 }
1030 
1031 /**
1032   Gets the CA-supplied certificate revocation list data set in the specified
1033   TLS object.
1034 
1035   This function returns the CA-supplied certificate revocation list data which
1036   was currently set in the specified TLS object.
1037 
1038   @param[out]     Data        Pointer to the data buffer to receive the CRL data.
1039   @param[in,out]  DataSize    The size of data buffer in bytes.
1040 
1041   @retval  EFI_SUCCESS             The operation succeeded.
1042   @retval  EFI_UNSUPPORTED         This function is not supported.
1043   @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
1044 
1045 **/
1046 EFI_STATUS
1047 EFIAPI
TlsGetCertRevocationList(OUT VOID * Data,IN OUT UINTN * DataSize)1048 TlsGetCertRevocationList (
1049   OUT    VOID                     *Data,
1050   IN OUT UINTN                    *DataSize
1051   )
1052 {
1053   return EFI_UNSUPPORTED;
1054 }
1055