You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

801 lines
25 KiB

/** @file
Defines TLS Library APIs.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __TLS_LIB_H__
#define __TLS_LIB_H__
/**
Initializes the OpenSSL library.
This function registers ciphers and digests used directly and indirectly
by SSL/TLS, and initializes the readable error messages.
This function must be called before any other action takes places.
@retval TRUE The OpenSSL library has been initialized.
@retval FALSE Failed to initialize the OpenSSL library.
**/
BOOLEAN
EFIAPI
TlsInitialize (
VOID
);
/**
Free an allocated SSL_CTX object.
@param[in] TlsCtx Pointer to the SSL_CTX object to be released.
**/
VOID
EFIAPI
TlsCtxFree (
IN VOID *TlsCtx
);
/**
Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
connections.
@param[in] MajorVer Major Version of TLS/SSL Protocol.
@param[in] MinorVer Minor Version of TLS/SSL Protocol.
@return Pointer to an allocated SSL_CTX object.
If the creation failed, TlsCtxNew() returns NULL.
**/
VOID *
EFIAPI
TlsCtxNew (
IN UINT8 MajorVer,
IN UINT8 MinorVer
);
/**
Free an allocated TLS object.
This function removes the TLS object pointed to by Tls and frees up the
allocated memory. If Tls is NULL, nothing is done.
@param[in] Tls Pointer to the TLS object to be freed.
**/
VOID
EFIAPI
TlsFree (
IN VOID *Tls
);
/**
Create a new TLS object for a connection.
This function creates a new TLS object for a connection. The new object
inherits the setting of the underlying context TlsCtx: connection method,
options, verification setting.
@param[in] TlsCtx Pointer to the SSL_CTX object.
@return Pointer to an allocated SSL object.
If the creation failed, TlsNew() returns NULL.
**/
VOID *
EFIAPI
TlsNew (
IN VOID *TlsCtx
);
/**
Checks if the TLS handshake was done.
This function will check if the specified TLS handshake was done.
@param[in] Tls Pointer to the TLS object for handshake state checking.
@retval TRUE The TLS handshake was done.
@retval FALSE The TLS handshake was not done.
**/
BOOLEAN
EFIAPI
TlsInHandshake (
IN VOID *Tls
);
/**
Perform a TLS/SSL handshake.
This function will perform a TLS/SSL handshake.
@param[in] Tls Pointer to the TLS object for handshake operation.
@param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Handshake packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
@retval EFI_ABORTED Something wrong during handshake.
**/
EFI_STATUS
EFIAPI
TlsDoHandshake (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
);
/**
Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
TLS session has errors and the response packet needs to be Alert message based on error type.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in] BufferIn Pointer to the most recently received TLS Alert packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Alert packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_ABORTED An error occurred.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsHandleAlert (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
);
/**
Build the CloseNotify packet.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in, out] Buffer Pointer to the buffer to hold the built packet.
@param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferSize is NULL.
Buffer is NULL if *BufferSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsCloseNotify (
IN VOID *Tls,
IN OUT UINT8 *Buffer,
IN OUT UINTN *BufferSize
);
/**
Attempts to read bytes from one TLS object and places the data in Buffer.
This function will attempt to read BufferSize bytes from the TLS object
and places the data in Buffer.
@param[in] Tls Pointer to the TLS object.
@param[in,out] Buffer Pointer to the buffer to store the data.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully read from the TLS object.
@retval <=0 No data was successfully read.
**/
INTN
EFIAPI
TlsCtrlTrafficOut (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
);
/**
Attempts to write data from the buffer to TLS object.
This function will attempt to write BufferSize bytes data from the Buffer
to the TLS object.
@param[in] Tls Pointer to the TLS object.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully written to the TLS object.
@retval <=0 No data was successfully written.
**/
INTN
EFIAPI
TlsCtrlTrafficIn (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
);
/**
Attempts to read bytes from the specified TLS connection into the buffer.
This function tries to read BufferSize bytes data from the specified TLS
connection into the Buffer.
@param[in] Tls Pointer to the TLS connection for data reading.
@param[in,out] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The read operation was successful, and return value is the
number of bytes actually read from the TLS connection.
@retval <=0 The read operation was not successful.
**/
INTN
EFIAPI
TlsRead (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
);
/**
Attempts to write data to a TLS connection.
This function tries to write BufferSize bytes data from the Buffer into the
specified TLS connection.
@param[in] Tls Pointer to the TLS connection for data writing.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The write operation was successful, and return value is the
number of bytes actually written to the TLS connection.
@retval <=0 The write operation was not successful.
**/
INTN
EFIAPI
TlsWrite (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
);
/**
Set a new TLS/SSL method for a particular TLS object.
This function sets a new TLS/SSL method for a particular TLS object.
@param[in] Tls Pointer to a TLS object.
@param[in] MajorVer Major Version of TLS/SSL Protocol.
@param[in] MinorVer Minor Version of TLS/SSL Protocol.
@retval EFI_SUCCESS The TLS/SSL method was set successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
**/
EFI_STATUS
EFIAPI
TlsSetVersion (
IN VOID *Tls,
IN UINT8 MajorVer,
IN UINT8 MinorVer
);
/**
Set TLS object to work in client or server mode.
This function prepares a TLS object to work in client or server mode.
@param[in] Tls Pointer to a TLS object.
@param[in] IsServer Work in server mode.
@retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
**/
EFI_STATUS
EFIAPI
TlsSetConnectionEnd (
IN VOID *Tls,
IN BOOLEAN IsServer
);
/**
Set the ciphers list to be used by the TLS object.
This function sets the ciphers for use by a specified TLS object.
@param[in] Tls Pointer to a TLS object.
@param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16
cipher identifier comes from the TLS Cipher Suite
Registry of the IANA, interpreting Byte1 and Byte2
in network (big endian) byte order.
@param[in] CipherNum The number of cipher in the list.
@retval EFI_SUCCESS The ciphers list was set successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId.
@retval EFI_OUT_OF_RESOURCES Memory allocation failed.
**/
EFI_STATUS
EFIAPI
TlsSetCipherList (
IN VOID *Tls,
IN UINT16 *CipherId,
IN UINTN CipherNum
);
/**
Set the compression method for TLS/SSL operations.
This function handles TLS/SSL integrated compression methods.
@param[in] CompMethod The compression method ID.
@retval EFI_SUCCESS The compression method for the communication was
set successfully.
@retval EFI_UNSUPPORTED Unsupported compression method.
**/
EFI_STATUS
EFIAPI
TlsSetCompressionMethod (
IN UINT8 CompMethod
);
/**
Set peer certificate verification mode for the TLS connection.
This function sets the verification mode flags for the TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in] VerifyMode A set of logically or'ed verification mode flags.
**/
VOID
EFIAPI
TlsSetVerify (
IN VOID *Tls,
IN UINT32 VerifyMode
);
/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
to be established.
@param[in] Tls Pointer to the TLS object.
@param[in] SessionId Session ID data used for session resumption.
@param[in] SessionIdLen Length of Session ID in bytes.
@retval EFI_SUCCESS Session ID was set successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED No available session for ID setting.
**/
EFI_STATUS
EFIAPI
TlsSetSessionId (
IN VOID *Tls,
IN UINT8 *SessionId,
IN UINT16 SessionIdLen
);
/**
Adds the CA to the cert store when requesting Server or Client authentication.
This function adds the CA certificate to the list of CAs when requesting
Server or Client authentication for the chosen TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a DER-encoded binary
X.509 certificate or PEM-encoded X.509 certificate.
@param[in] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
@retval EFI_ABORTED Invalid X.509 certificate.
**/
EFI_STATUS
EFIAPI
TlsSetCaCertificate (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize
);
/**
Loads the local public certificate into the specified TLS object.
This function loads the X.509 certificate into the specified TLS object
for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a DER-encoded binary
X.509 certificate or PEM-encoded X.509 certificate.
@param[in] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
@retval EFI_ABORTED Invalid X.509 certificate.
**/
EFI_STATUS
EFIAPI
TlsSetHostPublicCert (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize
);
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_ABORTED Invalid private key data.
**/
EFI_STATUS
EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize
);
/**
Adds the CA-supplied certificate revocation list for certificate validation.
This function adds the CA-supplied certificate revocation list data for
certificate validity checking.
@param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
@param[in] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_ABORTED Invalid CRL data.
**/
EFI_STATUS
EFIAPI
TlsSetCertRevocationList (
IN VOID *Data,
IN UINTN DataSize
);
/**
Gets the protocol version used by the specified TLS connection.
This function returns the protocol version used by the specified TLS
connection.
If Tls is NULL, then ASSERT().
@param[in] Tls Pointer to the TLS object.
@return The protocol version of the specified TLS connection.
**/
UINT16
EFIAPI
TlsGetVersion (
IN VOID *Tls
);
/**
Gets the connection end of the specified TLS connection.
This function returns the connection end (as client or as server) used by
the specified TLS connection.
If Tls is NULL, then ASSERT().
@param[in] Tls Pointer to the TLS object.
@return The connection end used by the specified TLS connection.
**/
UINT8
EFIAPI
TlsGetConnectionEnd (
IN VOID *Tls
);
/**
Gets the cipher suite used by the specified TLS connection.
This function returns current cipher suite used by the specified
TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] CipherId The cipher suite used by the TLS object.
@retval EFI_SUCCESS The cipher suite was returned successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Unsupported cipher suite.
**/
EFI_STATUS
EFIAPI
TlsGetCurrentCipher (
IN VOID *Tls,
IN OUT UINT16 *CipherId
);
/**
Gets the compression methods used by the specified TLS connection.
This function returns current integrated compression methods used by
the specified TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] CompressionId The current compression method used by
the TLS object.
@retval EFI_SUCCESS The compression method was returned successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_ABORTED Invalid Compression method.
@retval EFI_UNSUPPORTED This function is not supported.
**/
EFI_STATUS
EFIAPI
TlsGetCurrentCompressionId (
IN VOID *Tls,
IN OUT UINT8 *CompressionId
);
/**
Gets the verification mode currently set in the TLS connection.
This function returns the peer verification mode currently set in the
specified TLS connection.
If Tls is NULL, then ASSERT().
@param[in] Tls Pointer to the TLS object.
@return The verification mode set in the specified TLS connection.
**/
UINT32
EFIAPI
TlsGetVerify (
IN VOID *Tls
);
/**
Gets the session ID used by the specified TLS connection.
This function returns the TLS/SSL session ID currently used by the
specified TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] SessionId Buffer to contain the returned session ID.
@param[in,out] SessionIdLen The length of Session ID in bytes.
@retval EFI_SUCCESS The Session ID was returned successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Invalid TLS/SSL session.
**/
EFI_STATUS
EFIAPI
TlsGetSessionId (
IN VOID *Tls,
IN OUT UINT8 *SessionId,
IN OUT UINT16 *SessionIdLen
);
/**
Gets the client random data used in the specified TLS connection.
This function returns the TLS/SSL client random data currently used in
the specified TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] ClientRandom Buffer to contain the returned client
random data (32 bytes).
**/
VOID
EFIAPI
TlsGetClientRandom (
IN VOID *Tls,
IN OUT UINT8 *ClientRandom
);
/**
Gets the server random data used in the specified TLS connection.
This function returns the TLS/SSL server random data currently used in
the specified TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] ServerRandom Buffer to contain the returned server
random data (32 bytes).
**/
VOID
EFIAPI
TlsGetServerRandom (
IN VOID *Tls,
IN OUT UINT8 *ServerRandom
);
/**
Gets the master key data used in the specified TLS connection.
This function returns the TLS/SSL master key material currently used in
the specified TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[in,out] KeyMaterial Buffer to contain the returned key material.
@retval EFI_SUCCESS Key material was returned successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Invalid TLS/SSL session.
**/
EFI_STATUS
EFIAPI
TlsGetKeyMaterial (
IN VOID *Tls,
IN OUT UINT8 *KeyMaterial
);
/**
Gets the CA Certificate from the cert store.
This function returns the CA certificate for the chosen
TLS connection.
@param[in] Tls Pointer to the TLS object.
@param[out] Data Pointer to the data buffer to receive the CA
certificate data sent to the client.
@param[in,out] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
**/
EFI_STATUS
EFIAPI
TlsGetCaCertificate (
IN VOID *Tls,
OUT VOID *Data,
IN OUT UINTN *DataSize
);
/**
Gets the local public Certificate set in the specified TLS object.
This function returns the local public certificate which was currently set
in the specified TLS object.
@param[in] Tls Pointer to the TLS object.
@param[out] Data Pointer to the data buffer to receive the local
public certificate.
@param[in,out] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_NOT_FOUND The certificate is not found.
@retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
**/
EFI_STATUS
EFIAPI
TlsGetHostPublicCert (
IN VOID *Tls,
OUT VOID *Data,
IN OUT UINTN *DataSize
);
/**
Gets the local private key set in the specified TLS object.
This function returns the local private key data which was currently set
in the specified TLS object.
@param[in] Tls Pointer to the TLS object.
@param[out] Data Pointer to the data buffer to receive the local
private key data.
@param[in,out] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
**/
EFI_STATUS
EFIAPI
TlsGetHostPrivateKey (
IN VOID *Tls,
OUT VOID *Data,
IN OUT UINTN *DataSize
);
/**
Gets the CA-supplied certificate revocation list data set in the specified
TLS object.
This function returns the CA-supplied certificate revocation list data which
was currently set in the specified TLS object.
@param[out] Data Pointer to the data buffer to receive the CRL data.
@param[in,out] DataSize The size of data buffer in bytes.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
**/
EFI_STATUS
EFIAPI
TlsGetCertRevocationList (
OUT VOID *Data,
IN OUT UINTN *DataSize
);
#endif // __TLS_LIB_H__