path: root/roms/edk2/CryptoPkg/Library/TlsLib
diff options
Diffstat (limited to 'roms/edk2/CryptoPkg/Library/TlsLib')
6 files changed, 2091 insertions, 0 deletions
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/roms/edk2/CryptoPkg/Library/TlsLib/InternalTlsLib.h
new file mode 100644
index 000000000..ce7f4ced4
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -0,0 +1,41 @@
+/** @file
+ Internal include file for TlsLib.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+#ifndef __INTERNAL_TLS_LIB_H__
+#define __INTERNAL_TLS_LIB_H__
+#undef _WIN32
+#undef _WIN64
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/SafeIntLib.h>
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+typedef struct {
+ //
+ // Main SSL Connection which is created by a server or a client
+ // per established connection.
+ //
+ SSL *Ssl;
+ //
+ // Memory BIO for the TLS/SSL Reading operations.
+ //
+ BIO *InBio;
+ //
+ // Memory BIO for the TLS/SSL Writing operations.
+ //
+ BIO *OutBio;
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/TlsConfig.c b/roms/edk2/CryptoPkg/Library/TlsLib/TlsConfig.c
new file mode 100644
index 000000000..307eb5789
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -0,0 +1,1267 @@
+/** @file
+ SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+#include "InternalTlsLib.h"
+typedef struct {
+ //
+ // IANA/IETF defined Cipher Suite ID
+ //
+ UINT16 IanaCipher;
+ //
+ // OpenSSL-used Cipher Suite String
+ //
+ CONST CHAR8 *OpensslCipher;
+ //
+ // Length of OpensslCipher
+ //
+ UINTN OpensslCipherLength;
+// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so
+// that OpensslCipherLength is filled in automatically. IanaCipher must be an
+// integer constant expression, and OpensslCipher must be a string literal.
+#define MAP(IanaCipher, OpensslCipher) \
+ { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
+// The mapping table between IANA/IETF Cipher Suite definitions and
+// OpenSSL-used Cipher Suite name.
+// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
+ MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5
+ MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA
+ MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5
+ MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA
+ MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
+ MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
+ MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
+ MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
+ MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA
+ MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
+ MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
+ MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256
+ MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256
+ MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256
+ MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
+ MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
+ MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
+ MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
+ MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
+ @param[in] CipherId The supplied IANA TLS cipher suite ID.
+ @return The corresponding OpenSSL cipher suite mapping if found,
+ NULL otherwise.
+TlsGetCipherMapping (
+ IN UINT16 CipherId
+ )
+ INTN Left;
+ INTN Right;
+ INTN Middle;
+ //
+ // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
+ //
+ Left = 0;
+ Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
+ while (Right >= Left) {
+ Middle = (Left + Right) / 2;
+ if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
+ //
+ // Translate IANA cipher suite ID to OpenSSL name.
+ //
+ return &TlsCipherMappingTable[Middle];
+ }
+ if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
+ Right = Middle - 1;
+ } else {
+ Left = Middle + 1;
+ }
+ }
+ //
+ // No Cipher Mapping found, return NULL.
+ //
+ return NULL;
+ Set a new TLS/SSL method for a particular TLS object.
+ This function sets a new TLS/SSL method for a particular TLS object.
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+ @retval EFI_SUCCESS The TLS/SSL method was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
+TlsSetVersion (
+ IN VOID *Tls,
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ )
+ UINT16 ProtoVersion;
+ TlsConn = (TLS_CONNECTION *)Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ }
+ ProtoVersion = (MajorVer << 8) | MinorVer;
+ //
+ // Bound TLS method to the particular specified version.
+ //
+ switch (ProtoVersion) {
+ case TLS1_VERSION:
+ //
+ // TLS 1.0
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
+ break;
+ case TLS1_1_VERSION:
+ //
+ // TLS 1.1
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
+ break;
+ case TLS1_2_VERSION:
+ //
+ // TLS 1.2
+ //
+ SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
+ break;
+ default:
+ //
+ // Unsupported Protocol Version
+ //
+ }
+ return EFI_SUCCESS;;
+ Set TLS object to work in client or server mode.
+ This function prepares a TLS object to work in client or server mode.
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] IsServer Work in server mode.
+ @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
+TlsSetConnectionEnd (
+ IN VOID *Tls,
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ }
+ if (!IsServer) {
+ //
+ // Set TLS to work in Client mode.
+ //
+ SSL_set_connect_state (TlsConn->Ssl);
+ } else {
+ //
+ // Set TLS to work in Server mode.
+ // It is unsupported for UEFI version currently.
+ //
+ //SSL_set_accept_state (TlsConn->Ssl);
+ }
+ return EFI_SUCCESS;
+ Set the ciphers list to be used by the TLS object.
+ This function sets the ciphers for use by a specified TLS object.
+ @param[in] Tls Pointer to a TLS object.
+ @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16
+ cipher identifier comes from the TLS Cipher Suite
+ Registry of the IANA, interpreting Byte1 and Byte2
+ in network (big endian) byte order.
+ @param[in] CipherNum The number of cipher in the list.
+ @retval EFI_SUCCESS The ciphers list was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId.
+ @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
+TlsSetCipherList (
+ IN VOID *Tls,
+ IN UINT16 *CipherId,
+ IN UINTN CipherNum
+ )
+ EFI_STATUS Status;
+ UINTN MappedCipherBytes;
+ UINTN MappedCipherCount;
+ UINTN CipherStringSize;
+ UINTN Index;
+ CHAR8 *CipherString;
+ CHAR8 *CipherStringPosition;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
+ }
+ //
+ // Allocate the MappedCipher array for recording the mappings that we find
+ // for the input IANA identifiers in CipherId.
+ //
+ Status = SafeUintnMult (CipherNum, sizeof (*MappedCipher),
+ &MappedCipherBytes);
+ if (EFI_ERROR (Status)) {
+ }
+ MappedCipher = AllocatePool (MappedCipherBytes);
+ if (MappedCipher == NULL) {
+ }
+ //
+ // Map the cipher IDs, and count the number of bytes for the full
+ // CipherString.
+ //
+ MappedCipherCount = 0;
+ CipherStringSize = 0;
+ for (Index = 0; Index < CipherNum; Index++) {
+ //
+ // Look up the IANA-to-OpenSSL mapping.
+ //
+ Mapping = TlsGetCipherMapping (CipherId[Index]);
+ if (Mapping == NULL) {
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: skipping CipherId=0x%04x\n",
+ gEfiCallerBaseName, __FUNCTION__, CipherId[Index]));
+ //
+ // Skipping the cipher is valid because CipherId is an ordered
+ // preference list of ciphers, thus we can filter it as long as we
+ // don't change the relative order of elements on it.
+ //
+ continue;
+ }
+ //
+ // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this
+ // is not the first successful mapping, account for a colon (":") prefix
+ // too.
+ //
+ if (MappedCipherCount > 0) {
+ Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);
+ if (EFI_ERROR (Status)) {
+ goto FreeMappedCipher;
+ }
+ }
+ Status = SafeUintnAdd (CipherStringSize, Mapping->OpensslCipherLength,
+ &CipherStringSize);
+ if (EFI_ERROR (Status)) {
+ goto FreeMappedCipher;
+ }
+ //
+ // Record the mapping.
+ //
+ MappedCipher[MappedCipherCount++] = Mapping;
+ }
+ //
+ // Verify that at least one IANA cipher ID could be mapped; account for the
+ // terminating NUL character in CipherStringSize; allocate CipherString.
+ //
+ if (MappedCipherCount == 0) {
+ DEBUG ((DEBUG_ERROR, "%a:%a: no CipherId could be mapped\n",
+ gEfiCallerBaseName, __FUNCTION__));
+ goto FreeMappedCipher;
+ }
+ Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);
+ if (EFI_ERROR (Status)) {
+ goto FreeMappedCipher;
+ }
+ CipherString = AllocatePool (CipherStringSize);
+ if (CipherString == NULL) {
+ goto FreeMappedCipher;
+ }
+ //
+ // Go over the collected mappings and populate CipherString.
+ //
+ CipherStringPosition = CipherString;
+ for (Index = 0; Index < MappedCipherCount; Index++) {
+ Mapping = MappedCipher[Index];
+ //
+ // Append the colon (":") prefix except for the first mapping, then append
+ // Mapping->OpensslCipher.
+ //
+ if (Index > 0) {
+ *(CipherStringPosition++) = ':';
+ }
+ CopyMem (CipherStringPosition, Mapping->OpensslCipher,
+ Mapping->OpensslCipherLength);
+ CipherStringPosition += Mapping->OpensslCipherLength;
+ }
+ //
+ // NUL-terminate CipherString.
+ //
+ *(CipherStringPosition++) = '\0';
+ ASSERT (CipherStringPosition == CipherString + CipherStringSize);
+ //
+ // Log CipherString for debugging. CipherString can be very long if the
+ // caller provided a large CipherId array, so log CipherString in segments of
+ // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in
+ // DebugLib instances.)
+ //
+ UINTN FullLength;
+ UINTN SegmentLength;
+ FullLength = CipherStringSize - 1;
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: CipherString={\n", gEfiCallerBaseName,
+ __FUNCTION__));
+ for (CipherStringPosition = CipherString;
+ CipherStringPosition < CipherString + FullLength;
+ CipherStringPosition += SegmentLength) {
+ SegmentLength = FullLength - (CipherStringPosition - CipherString);
+ if (SegmentLength > 79) {
+ SegmentLength = 79;
+ }
+ DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));
+ }
+ //
+ // Restore the pre-debug value of CipherStringPosition by skipping over the
+ // trailing NUL.
+ //
+ CipherStringPosition++;
+ ASSERT (CipherStringPosition == CipherString + CipherStringSize);
+ );
+ //
+ // Sets the ciphers for use by the Tls object.
+ //
+ if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
+ goto FreeCipherString;
+ }
+ Status = EFI_SUCCESS;
+ FreePool (CipherString);
+ FreePool (MappedCipher);
+ return Status;
+ Set the compression method for TLS/SSL operations.
+ This function handles TLS/SSL integrated compression methods.
+ @param[in] CompMethod The compression method ID.
+ @retval EFI_SUCCESS The compression method for the communication was
+ set successfully.
+ @retval EFI_UNSUPPORTED Unsupported compression method.
+TlsSetCompressionMethod (
+ IN UINT8 CompMethod
+ )
+ INTN Ret;
+ Cm = NULL;
+ Ret = 0;
+ if (CompMethod == 0) {
+ //
+ // TLS defines one standard compression method, CompressionMethod.null (0),
+ // which specifies that data exchanged via the record protocol will not be compressed.
+ // So, return EFI_SUCCESS directly (RFC 3749).
+ //
+ return EFI_SUCCESS;
+ } else if (CompMethod == 1) {
+ Cm = COMP_zlib();
+ } else {
+ }
+ //
+ // Adds the compression method to the list of available
+ // compression methods.
+ //
+ Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
+ if (Ret != 0) {
+ }
+ return EFI_SUCCESS;
+ Set peer certificate verification mode for the TLS connection.
+ This function sets the verification mode flags for the TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] VerifyMode A set of logically or'ed verification mode flags.
+TlsSetVerify (
+ IN VOID *Tls,
+ IN UINT32 VerifyMode
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return;
+ }
+ //
+ // Set peer certificate verification parameters with NULL callback.
+ //
+ SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
+ Set the specified host name to be verified.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Flags The setting flags during the validation.
+ @param[in] HostName The specified host name to be verified.
+ @retval EFI_SUCCESS The HostName setting was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid HostName setting.
+TlsSetVerifyHost (
+ IN VOID *Tls,
+ IN UINT32 Flags,
+ IN CHAR8 *HostName
+ )
+ X509_VERIFY_PARAM *VerifyParam;
+ UINTN BinaryAddressSize;
+ INTN ParamStatus;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
+ }
+ SSL_set_hostflags(TlsConn->Ssl, Flags);
+ VerifyParam = SSL_get0_param (TlsConn->Ssl);
+ ASSERT (VerifyParam != NULL);
+ BinaryAddressSize = 0;
+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_IN6ADDRSZ;
+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_INADDRSZ;
+ }
+ if (BinaryAddressSize > 0) {
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
+ "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')));
+ ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
+ BinaryAddressSize);
+ } else {
+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
+ }
+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
+ Sets a TLS/SSL session ID to be used during TLS/SSL connect.
+ This function sets a session ID to be used when the TLS/SSL connection is
+ to be established.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SessionId Session ID data used for session resumption.
+ @param[in] SessionIdLen Length of Session ID in bytes.
+ @retval EFI_SUCCESS Session ID was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED No available session for ID setting.
+TlsSetSessionId (
+ IN VOID *Tls,
+ IN UINT8 *SessionId,
+ IN UINT16 SessionIdLen
+ )
+ SSL_SESSION *Session;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) {
+ }
+ Session = SSL_get_session (TlsConn->Ssl);
+ if (Session == NULL) {
+ }
+ SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
+ return EFI_SUCCESS;
+ Adds the CA to the cert store when requesting Server or Client authentication.
+ This function adds the CA certificate to the list of CAs when requesting
+ Server or Client authentication for the chosen TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+TlsSetCaCertificate (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+ BIO *BioCert;
+ X509 *Cert;
+ X509_STORE *X509Store;
+ EFI_STATUS Status;
+ SSL_CTX *SslCtx;
+ INTN Ret;
+ UINTN ErrorCode;
+ BioCert = NULL;
+ Cert = NULL;
+ X509Store = NULL;
+ Status = EFI_SUCCESS;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Ret = 0;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
+ }
+ //
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
+ //
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
+ if (Cert == NULL) {
+ //
+ // Certificate is from PEM encoding.
+ //
+ BioCert = BIO_new (BIO_s_mem ());
+ if (BioCert == NULL) {
+ goto ON_EXIT;
+ }
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
+ if (Cert == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
+ X509Store = SSL_CTX_get_cert_store (SslCtx);
+ if (X509Store == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ //
+ // Add certificate to X509 store
+ //
+ Ret = X509_STORE_add_cert (X509Store, Cert);
+ if (Ret != 1) {
+ ErrorCode = ERR_peek_last_error ();
+ //
+ // Ignore "already in table" errors
+ //
+ if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+ if (BioCert != NULL) {
+ BIO_free (BioCert);
+ }
+ if (Cert != NULL) {
+ X509_free (Cert);
+ }
+ return Status;
+ Loads the local public certificate into the specified TLS object.
+ This function loads the X.509 certificate into the specified TLS object
+ for TLS negotiation.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a DER-encoded binary
+ X.509 certificate or PEM-encoded X.509 certificate.
+ @param[in] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
+ @retval EFI_ABORTED Invalid X.509 certificate.
+TlsSetHostPublicCert (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+ BIO *BioCert;
+ X509 *Cert;
+ EFI_STATUS Status;
+ BioCert = NULL;
+ Cert = NULL;
+ Status = EFI_SUCCESS;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) {
+ }
+ //
+ // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
+ // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
+ //
+ Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize);
+ if (Cert == NULL) {
+ //
+ // Certificate is from PEM encoding.
+ //
+ BioCert = BIO_new (BIO_s_mem ());
+ if (BioCert == NULL) {
+ goto ON_EXIT;
+ }
+ if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
+ if (Cert == NULL) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ }
+ if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
+ Status = EFI_ABORTED;
+ goto ON_EXIT;
+ }
+ if (BioCert != NULL) {
+ BIO_free (BioCert);
+ }
+ if (Cert != NULL) {
+ X509_free (Cert);
+ }
+ return Status;
+ Adds the local private key to the specified TLS object.
+ This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+ key) into the specified TLS object for TLS negotiation.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
+ or PKCS#8 private key.
+ @param[in] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid private key data.
+TlsSetHostPrivateKey (
+ IN VOID *Tls,
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+ Adds the CA-supplied certificate revocation list for certificate validation.
+ This function adds the CA-supplied certificate revocation list data for
+ certificate validity checking.
+ @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
+ @param[in] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_ABORTED Invalid CRL data.
+TlsSetCertRevocationList (
+ IN VOID *Data,
+ IN UINTN DataSize
+ )
+ Gets the protocol version used by the specified TLS connection.
+ This function returns the protocol version used by the specified TLS
+ connection.
+ If Tls is NULL, then ASSERT().
+ @param[in] Tls Pointer to the TLS object.
+ @return The protocol version of the specified TLS connection.
+TlsGetVersion (
+ IN VOID *Tls
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ ASSERT (TlsConn != NULL);
+ return (UINT16)(SSL_version (TlsConn->Ssl));
+ Gets the connection end of the specified TLS connection.
+ This function returns the connection end (as client or as server) used by
+ the specified TLS connection.
+ If Tls is NULL, then ASSERT().
+ @param[in] Tls Pointer to the TLS object.
+ @return The connection end used by the specified TLS connection.
+TlsGetConnectionEnd (
+ IN VOID *Tls
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ ASSERT (TlsConn != NULL);
+ return (UINT8)SSL_is_server (TlsConn->Ssl);
+ Gets the cipher suite used by the specified TLS connection.
+ This function returns current cipher suite used by the specified
+ TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CipherId The cipher suite used by the TLS object.
+ @retval EFI_SUCCESS The cipher suite was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Unsupported cipher suite.
+TlsGetCurrentCipher (
+ IN VOID *Tls,
+ IN OUT UINT16 *CipherId
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Cipher = NULL;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) {
+ }
+ Cipher = SSL_get_current_cipher (TlsConn->Ssl);
+ if (Cipher == NULL) {
+ }
+ *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
+ return EFI_SUCCESS;
+ Gets the compression methods used by the specified TLS connection.
+ This function returns current integrated compression methods used by
+ the specified TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] CompressionId The current compression method used by
+ the TLS object.
+ @retval EFI_SUCCESS The compression method was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid Compression method.
+ @retval EFI_UNSUPPORTED This function is not supported.
+TlsGetCurrentCompressionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *CompressionId
+ )
+ Gets the verification mode currently set in the TLS connection.
+ This function returns the peer verification mode currently set in the
+ specified TLS connection.
+ If Tls is NULL, then ASSERT().
+ @param[in] Tls Pointer to the TLS object.
+ @return The verification mode set in the specified TLS connection.
+TlsGetVerify (
+ IN VOID *Tls
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ ASSERT (TlsConn != NULL);
+ return SSL_get_verify_mode (TlsConn->Ssl);
+ Gets the session ID used by the specified TLS connection.
+ This function returns the TLS/SSL session ID currently used by the
+ specified TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] SessionId Buffer to contain the returned session ID.
+ @param[in,out] SessionIdLen The length of Session ID in bytes.
+ @retval EFI_SUCCESS The Session ID was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+TlsGetSessionId (
+ IN VOID *Tls,
+ IN OUT UINT8 *SessionId,
+ IN OUT UINT16 *SessionIdLen
+ )
+ SSL_SESSION *Session;
+ CONST UINT8 *SslSessionId;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) {
+ }
+ Session = SSL_get_session (TlsConn->Ssl);
+ if (Session == NULL) {
+ }
+ SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
+ CopyMem (SessionId, SslSessionId, *SessionIdLen);
+ return EFI_SUCCESS;
+ Gets the client random data used in the specified TLS connection.
+ This function returns the TLS/SSL client random data currently used in
+ the specified TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ClientRandom Buffer to contain the returned client
+ random data (32 bytes).
+TlsGetClientRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ClientRandom
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) {
+ return;
+ }
+ SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
+ Gets the server random data used in the specified TLS connection.
+ This function returns the TLS/SSL server random data currently used in
+ the specified TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] ServerRandom Buffer to contain the returned server
+ random data (32 bytes).
+TlsGetServerRandom (
+ IN VOID *Tls,
+ IN OUT UINT8 *ServerRandom
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) {
+ return;
+ }
+ SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
+ Gets the master key data used in the specified TLS connection.
+ This function returns the TLS/SSL master key material currently used in
+ the specified TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] KeyMaterial Buffer to contain the returned key material.
+ @retval EFI_SUCCESS Key material was returned successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
+TlsGetKeyMaterial (
+ IN VOID *Tls,
+ IN OUT UINT8 *KeyMaterial
+ )
+ SSL_SESSION *Session;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ Session = NULL;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) {
+ }
+ Session = SSL_get_session (TlsConn->Ssl);
+ if (Session == NULL) {
+ }
+ SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
+ return EFI_SUCCESS;
+ Gets the CA Certificate from the cert store.
+ This function returns the CA certificate for the chosen
+ TLS connection.
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the CA
+ certificate data sent to the client.
+ @param[in,out] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+TlsGetCaCertificate (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+ Gets the local public Certificate set in the specified TLS object.
+ This function returns the local public certificate which was currently set
+ in the specified TLS object.
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ public certificate.
+ @param[in,out] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_NOT_FOUND The certificate is not found.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+TlsGetHostPublicCert (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+ X509 *Cert;
+ Cert = NULL;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) {
+ }
+ Cert = SSL_get_certificate(TlsConn->Ssl);
+ if (Cert == NULL) {
+ return EFI_NOT_FOUND;
+ }
+ //
+ // Only DER encoding is supported currently.
+ //
+ if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) {
+ *DataSize = (UINTN) i2d_X509 (Cert, NULL);
+ }
+ *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data);
+ return EFI_SUCCESS;
+ Gets the local private key set in the specified TLS object.
+ This function returns the local private key data which was currently set
+ in the specified TLS object.
+ @param[in] Tls Pointer to the TLS object.
+ @param[out] Data Pointer to the data buffer to receive the local
+ private key data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+TlsGetHostPrivateKey (
+ IN VOID *Tls,
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
+ Gets the CA-supplied certificate revocation list data set in the specified
+ TLS object.
+ This function returns the CA-supplied certificate revocation list data which
+ was currently set in the specified TLS object.
+ @param[out] Data Pointer to the data buffer to receive the CRL data.
+ @param[in,out] DataSize The size of data buffer in bytes.
+ @retval EFI_SUCCESS The operation succeeded.
+ @retval EFI_UNSUPPORTED This function is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
+TlsGetCertRevocationList (
+ OUT VOID *Data,
+ IN OUT UINTN *DataSize
+ )
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/TlsInit.c b/roms/edk2/CryptoPkg/Library/TlsLib/TlsInit.c
new file mode 100644
index 000000000..f9ad6f6b9
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/TlsInit.c
@@ -0,0 +1,263 @@
+/** @file
+ SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+#include "InternalTlsLib.h"
+ Initializes the OpenSSL library.
+ This function registers ciphers and digests used directly and indirectly
+ by SSL/TLS, and initializes the readable error messages.
+ This function must be called before any other action takes places.
+ @retval TRUE The OpenSSL library has been initialized.
+ @retval FALSE Failed to initialize the OpenSSL library.
+TlsInitialize (
+ )
+ INTN Ret;
+ //
+ // Performs initialization of crypto and ssl library, and loads required
+ // algorithms.
+ //
+ Ret = OPENSSL_init_ssl (
+ );
+ if (Ret != 1) {
+ return FALSE;
+ }
+ //
+ // Initialize the pseudorandom number generator.
+ //
+ return RandomSeed (NULL, 0);
+ Free an allocated SSL_CTX object.
+ @param[in] TlsCtx Pointer to the SSL_CTX object to be released.
+TlsCtxFree (
+ IN VOID *TlsCtx
+ )
+ if (TlsCtx == NULL) {
+ return;
+ }
+ if (TlsCtx != NULL) {
+ SSL_CTX_free ((SSL_CTX *) (TlsCtx));
+ }
+ Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
+ connections.
+ @param[in] MajorVer Major Version of TLS/SSL Protocol.
+ @param[in] MinorVer Minor Version of TLS/SSL Protocol.
+ @return Pointer to an allocated SSL_CTX object.
+ If the creation failed, TlsCtxNew() returns NULL.
+TlsCtxNew (
+ IN UINT8 MajorVer,
+ IN UINT8 MinorVer
+ )
+ SSL_CTX *TlsCtx;
+ UINT16 ProtoVersion;
+ ProtoVersion = (MajorVer << 8) | MinorVer;
+ TlsCtx = SSL_CTX_new (SSLv23_client_method ());
+ if (TlsCtx == NULL) {
+ return NULL;
+ }
+ //
+ // Ensure SSLv3 is disabled
+ //
+ SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
+ //
+ // Treat as minimum accepted versions by setting the minimal bound.
+ // Client can use higher TLS version if server supports it
+ //
+ SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
+ return (VOID *) TlsCtx;
+ Free an allocated TLS object.
+ This function removes the TLS object pointed to by Tls and frees up the
+ allocated memory. If Tls is NULL, nothing is done.
+ @param[in] Tls Pointer to the TLS object to be freed.
+TlsFree (
+ IN VOID *Tls
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL) {
+ return;
+ }
+ //
+ // Free the internal TLS and related BIO objects.
+ //
+ if (TlsConn->Ssl != NULL) {
+ SSL_free (TlsConn->Ssl);
+ }
+ OPENSSL_free (Tls);
+ Create a new TLS object for a connection.
+ This function creates a new TLS object for a connection. The new object
+ inherits the setting of the underlying context TlsCtx: connection method,
+ options, verification setting.
+ @param[in] TlsCtx Pointer to the SSL_CTX object.
+ @return Pointer to an allocated SSL object.
+ If the creation failed, TlsNew() returns NULL.
+TlsNew (
+ IN VOID *TlsCtx
+ )
+ SSL_CTX *SslCtx;
+ X509_STORE *X509Store;
+ TlsConn = NULL;
+ //
+ // Allocate one new TLS_CONNECTION object
+ //
+ TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
+ if (TlsConn == NULL) {
+ return NULL;
+ }
+ TlsConn->Ssl = NULL;
+ //
+ // Create a new SSL Object
+ //
+ TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
+ if (TlsConn->Ssl == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+ //
+ // This retains compatibility with previous version of OpenSSL.
+ //
+ SSL_set_security_level (TlsConn->Ssl, 0);
+ //
+ // Initialize the created SSL Object
+ //
+ SSL_set_info_callback (TlsConn->Ssl, NULL);
+ TlsConn->InBio = NULL;
+ //
+ // Set up Reading BIO for TLS connection
+ //
+ TlsConn->InBio = BIO_new (BIO_s_mem ());
+ if (TlsConn->InBio == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+ //
+ // Sets the behaviour of memory BIO when it is empty. It will set the
+ // read retry flag.
+ //
+ BIO_set_mem_eof_return (TlsConn->InBio, -1);
+ TlsConn->OutBio = NULL;
+ //
+ // Set up Writing BIO for TLS connection
+ //
+ TlsConn->OutBio = BIO_new (BIO_s_mem ());
+ if (TlsConn->OutBio == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+ //
+ // Sets the behaviour of memory BIO when it is empty. It will set the
+ // write retry flag.
+ //
+ BIO_set_mem_eof_return (TlsConn->OutBio, -1);
+ ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
+ //
+ // Connects the InBio and OutBio for the read and write operations.
+ //
+ SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
+ //
+ // Create new X509 store if needed
+ //
+ SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
+ X509Store = SSL_CTX_get_cert_store (SslCtx);
+ if (X509Store == NULL) {
+ X509Store = X509_STORE_new ();
+ if (X509Store == NULL) {
+ TlsFree ((VOID *) TlsConn);
+ return NULL;
+ }
+ SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
+ X509_STORE_free (X509Store);
+ }
+ //
+ // Set X509_STORE flags used in certificate validation
+ //
+ X509_STORE_set_flags (
+ X509Store,
+ );
+ return (VOID *) TlsConn;
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.inf b/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.inf
new file mode 100644
index 000000000..27209f4d7
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.inf
@@ -0,0 +1,50 @@
+## @file
+# SSL/TLS Wrapper Library Instance based on OpenSSL.
+# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+# (C) Copyright 2016-2020 Hewlett Packard Enterprise Development LP<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+ INF_VERSION = 0x00010005
+ BASE_NAME = TlsLib
+ MODULE_UNI_FILE = TlsLib.uni
+ FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
+# The following information is for reference only and not required by the build tools.
+ InternalTlsLib.h
+ TlsInit.c
+ TlsConfig.c
+ TlsProcess.c
+ MdePkg/MdePkg.dec
+ CryptoPkg/CryptoPkg.dec
+ BaseCryptLib
+ BaseMemoryLib
+ DebugLib
+ IntrinsicLib
+ MemoryAllocationLib
+ OpensslLib
+ SafeIntLib
+ #
+ # suppress the following warnings so we do not break the build with warnings-as-errors:
+ # C4090: 'function' : different 'const' qualifiers
+ #
+ MSFT:*_*_*_CC_FLAGS = /wd4090
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.uni b/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.uni
new file mode 100644
index 000000000..fe854217b
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/TlsLib.uni
@@ -0,0 +1,13 @@
+// /** @file
+// SSL/TLS Wrapper Library Instance based on OpenSSL.
+// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+// **/
+#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."
diff --git a/roms/edk2/CryptoPkg/Library/TlsLib/TlsProcess.c b/roms/edk2/CryptoPkg/Library/TlsLib/TlsProcess.c
new file mode 100644
index 000000000..ac952e903
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/TlsLib/TlsProcess.c
@@ -0,0 +1,457 @@
+/** @file
+ SSL/TLS Process Library Wrapper Implementation over OpenSSL.
+ The process includes the TLS handshake and packet I/O.
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+#include "InternalTlsLib.h"
+#define MAX_BUFFER_SIZE 32768
+ Checks if the TLS handshake was done.
+ This function will check if the specified TLS handshake was done.
+ @param[in] Tls Pointer to the TLS object for handshake state checking.
+ @retval TRUE The TLS handshake was done.
+ @retval FALSE The TLS handshake was not done.
+TlsInHandshake (
+ IN VOID *Tls
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return FALSE;
+ }
+ //
+ // Return the status which indicates if the TLS handshake was done.
+ //
+ return !SSL_is_init_finished (TlsConn->Ssl);
+ Perform a TLS/SSL handshake.
+ This function will perform a TLS/SSL handshake.
+ @param[in] Tls Pointer to the TLS object for handshake operation.
+ @param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Handshake packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+ @retval EFI_ABORTED Something wrong during handshake.
+TlsDoHandshake (
+ IN VOID *Tls,
+ IN OUT UINTN *BufferOutSize
+ )
+ UINTN PendingBufferSize;
+ INTN Ret;
+ UINTN ErrorCode;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+ Ret = 1;
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferOutSize == NULL || \
+ (BufferIn == NULL && BufferInSize != 0) || \
+ (BufferIn != NULL && BufferInSize == 0) || \
+ (BufferOut == NULL && *BufferOutSize != 0)) {
+ }
+ if(BufferIn == NULL && BufferInSize == 0) {
+ //
+ // If RequestBuffer is NULL and RequestSize is 0, and TLS session
+ // status is EfiTlsSessionNotStarted, the TLS session will be initiated
+ // and the response packet needs to be ClientHello.
+ //
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ SSL_set_connect_state (TlsConn->Ssl);
+ Ret = SSL_do_handshake (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ } else {
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
+ Ret = SSL_do_handshake (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ }
+ if (Ret < 1) {
+ Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
+ if (Ret == SSL_ERROR_SSL ||
+ DEBUG ((
+ "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
+ SSL_get_state (TlsConn->Ssl),
+ ));
+ while (TRUE) {
+ ErrorCode = ERR_get_error ();
+ if (ErrorCode == 0) {
+ break;
+ }
+ DEBUG ((
+ "%a ERROR 0x%x=L%x:F%x:R%x\n",
+ ErrorCode,
+ ERR_GET_LIB (ErrorCode),
+ ERR_GET_FUNC (ErrorCode),
+ ERR_GET_REASON (ErrorCode)
+ ));
+ }
+ return EFI_ABORTED;
+ }
+ }
+ if (PendingBufferSize > *BufferOutSize) {
+ *BufferOutSize = PendingBufferSize;
+ }
+ if (PendingBufferSize > 0) {
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
+ } else {
+ *BufferOutSize = 0;
+ }
+ return EFI_SUCCESS;
+ Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
+ TLS session has errors and the response packet needs to be Alert message based on error type.
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in] BufferIn Pointer to the most recently received TLS Alert packet.
+ @param[in] BufferInSize Packet size in bytes for the most recently received TLS
+ Alert packet.
+ @param[out] BufferOut Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferIn is NULL but BufferInSize is NOT 0.
+ BufferInSize is 0 but BufferIn is NOT NULL.
+ BufferOutSize is NULL.
+ BufferOut is NULL if *BufferOutSize is not zero.
+ @retval EFI_ABORTED An error occurred.
+ @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
+TlsHandleAlert (
+ IN VOID *Tls,
+ IN OUT UINTN *BufferOutSize
+ )
+ UINTN PendingBufferSize;
+ UINT8 *TempBuffer;
+ INTN Ret;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+ TempBuffer = NULL;
+ Ret = 0;
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferOutSize == NULL || \
+ (BufferIn == NULL && BufferInSize != 0) || \
+ (BufferIn != NULL && BufferInSize == 0) || \
+ (BufferOut == NULL && *BufferOutSize != 0)) {
+ }
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
+ Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
+ if (Ret != (INTN) BufferInSize) {
+ return EFI_ABORTED;
+ }
+ TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
+ //
+ // ssl3_send_alert() will be called in ssl3_read_bytes() function.
+ // TempBuffer is invalid since it's a Alert message, so just ignore it.
+ //
+ SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
+ OPENSSL_free (TempBuffer);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ if (PendingBufferSize > *BufferOutSize) {
+ *BufferOutSize = PendingBufferSize;
+ }
+ if (PendingBufferSize > 0) {
+ *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
+ } else {
+ *BufferOutSize = 0;
+ }
+ return EFI_SUCCESS;
+ Build the CloseNotify packet.
+ @param[in] Tls Pointer to the TLS object for state checking.
+ @param[in, out] Buffer Pointer to the buffer to hold the built packet.
+ @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
+ the buffer size provided by the caller. On output, it
+ is the buffer size in fact needed to contain the
+ packet.
+ @retval EFI_SUCCESS The required TLS packet is built successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
+ Tls is NULL.
+ BufferSize is NULL.
+ Buffer is NULL if *BufferSize is not zero.
+ @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
+TlsCloseNotify (
+ IN VOID *Tls,
+ IN OUT UINT8 *Buffer,
+ IN OUT UINTN *BufferSize
+ )
+ UINTN PendingBufferSize;
+ TlsConn = (TLS_CONNECTION *) Tls;
+ PendingBufferSize = 0;
+ if (TlsConn == NULL || \
+ TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
+ BufferSize == NULL || \
+ (Buffer == NULL && *BufferSize != 0)) {
+ }
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ if (PendingBufferSize == 0) {
+ //
+ // ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
+ //
+ SSL_shutdown (TlsConn->Ssl);
+ PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
+ }
+ if (PendingBufferSize > *BufferSize) {
+ *BufferSize = PendingBufferSize;
+ }
+ if (PendingBufferSize > 0) {
+ *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);
+ } else {
+ *BufferSize = 0;
+ }
+ return EFI_SUCCESS;
+ Attempts to read bytes from one TLS object and places the data in Buffer.
+ This function will attempt to read BufferSize bytes from the TLS object
+ and places the data in Buffer.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in,out] Buffer Pointer to the buffer to store the data.
+ @param[in] BufferSize The size of Buffer in bytes.
+ @retval >0 The amount of data successfully read from the TLS object.
+ @retval <=0 No data was successfully read.
+TlsCtrlTrafficOut (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->OutBio == 0) {
+ return -1;
+ }
+ //
+ // Read and return the amount of data from the BIO.
+ //
+ return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
+ Attempts to write data from the buffer to TLS object.
+ This function will attempt to write BufferSize bytes data from the Buffer
+ to the TLS object.
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+ @retval >0 The amount of data successfully written to the TLS object.
+ @retval <=0 No data was successfully written.
+TlsCtrlTrafficIn (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->InBio == 0) {
+ return -1;
+ }
+ //
+ // Write and return the amount of data to the BIO.
+ //
+ return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
+ Attempts to read bytes from the specified TLS connection into the buffer.
+ This function tries to read BufferSize bytes data from the specified TLS
+ connection into the Buffer.
+ @param[in] Tls Pointer to the TLS connection for data reading.
+ @param[in,out] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+ @retval >0 The read operation was successful, and return value is the
+ number of bytes actually read from the TLS connection.
+ @retval <=0 The read operation was not successful.
+TlsRead (
+ IN VOID *Tls,
+ IN OUT VOID *Buffer,
+ IN UINTN BufferSize
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return -1;
+ }
+ //
+ // Read bytes from the specified TLS connection.
+ //
+ return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
+ Attempts to write data to a TLS connection.
+ This function tries to write BufferSize bytes data from the Buffer into the
+ specified TLS connection.
+ @param[in] Tls Pointer to the TLS connection for data writing.
+ @param[in] Buffer Pointer to the data buffer.
+ @param[in] BufferSize The size of Buffer in bytes.
+ @retval >0 The write operation was successful, and return value is the
+ number of bytes actually written to the TLS connection.
+ @retval <=0 The write operation was not successful.
+TlsWrite (
+ IN VOID *Tls,
+ IN VOID *Buffer,
+ IN UINTN BufferSize
+ )
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL) {
+ return -1;
+ }
+ //
+ // Write bytes to the specified TLS connection.
+ //
+ return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);