audk/CryptoPkg/Library/TlsLib/InternalTlsLib.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

45 lines
997 B
C
Raw Normal View History

/** @file
Internal include file for TlsLib.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef __INTERNAL_TLS_LIB_H__
#define __INTERNAL_TLS_LIB_H__
#undef _WIN32
#undef _WIN64
#include <Library/BaseCryptLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
CryptoPkg/TlsLib: rewrite TlsSetCipherList() Rewrite the TlsSetCipherList() function in order to fix the following issues: - Any cipher identifier in CipherId that is not recognized by TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED. This is a problem because CipherId is an ordered preference list, and a caller should not get EFI_UNSUPPORTED just because it has an elaborate CipherId preference list. Instead, we can filter out cipher identifiers that we don't recognize, as long as we keep the relative order intact. - CipherString is allocated on the stack, with 500 bytes. While processing a large CipherId preference list, this room may not be enough. Although no buffer overflow is possible, CipherString exhaustion can lead to a failed TLS connection, because any cipher names that don't fit on CipherString cannot be negotiated. Compute CipherStringSize first, and allocate CipherString dynamically. - Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString. (Assuming there is enough room left in CipherString.) This causes OpenSSL to sort the cipher list "in order of encryption algorithm key length". This is a bad idea. The caller specifically passes an ordered preference list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to reorder the list, for any reason. Drop "@STRENGTH". While at it, fix and unify the documentation of the CipherId parameter. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-03-31 17:33:14 +02:00
#include <Library/MemoryAllocationLib.h>
#include <Library/SafeIntLib.h>
CryptoPkg: Extend Tls function library REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892 1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms that should be used as part of the TLS session establishment. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant. 2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for TLS flows the use cipher suite with EC, e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant. 3. TlsShutdown(): Shutdown the TLS connection without releasing the resources, meaning a new connection can be started without calling TlsNew() and without setting certificates etc. 4. TlsGetExportKey(): Derive keying material from a TLS connection using the mechanism described in RFC 5705 and export the key material (needed by EAP methods such as EAP-TTLS and EAP-PEAP). 5. TlsSetHostPrivateKeyEx(): This function adds the local private key (PEM-encoded or PKCS#8 or DER-encoded private key) into the specified TLS object for TLS negotiation. There is already a similar function TlsSetHostPrivateKey(), the new Ex function introduces a new parameter Password, set Password to NULL when useless. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2022-09-25 11:14:06 +02:00
#include <Protocol/Tls.h>
#include <IndustryStandard/Tls1.h>
#include <Library/PcdLib.h>
#include <openssl/obj_mac.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
typedef struct {
//
// Main SSL Connection which is created by a server or a client
// per established connection.
//
SSL *Ssl;
//
// Memory BIO for the TLS/SSL Reading operations.
//
BIO *InBio;
//
// Memory BIO for the TLS/SSL Writing operations.
//
BIO *OutBio;
} TLS_CONNECTION;
#endif