CryptoPkg: Convert files to CRLF line ending

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Hao Wu 2017-04-06 09:53:07 +08:00
parent 6035094da8
commit 264702a04b
8 changed files with 2923 additions and 2916 deletions



@ -1,223 +1,224 @@
#!/usr/bin/perl -w
#
# This script runs the OpenSSL Configure script, then processes the
# resulting file list into our local OpensslLib[Crypto].inf and also
# takes a copy of opensslconf.h.
#
# This only needs to be done once by a developer when updating to a
# new version of OpenSSL (or changing options, etc.). Normal users
# do not need to do this, since the results are stored in the EDK2
# git repository for them.
#
use strict;
use Cwd;
use File::Copy;
#
# Find the openssl directory name for use lib. We have to do this
# inside of BEGIN. The variables we create here, however, don't seem
# to be available to the main script, so we have to repeat the
# exercise.
#
my $inf_file;
my $OPENSSL_PATH;
my @inf;
BEGIN {
$inf_file = "OpensslLib.inf";
# Read the contents of the inf file
open( FD, "<" . $inf_file ) ||
die "Cannot open \"" . $inf_file . "\"!";
@inf = (<FD>);
close(FD) ||
die "Cannot close \"" . $inf_file . "\"!";
foreach (@inf) {
if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
# We need to run Configure before we can include its result...
$OPENSSL_PATH = $1;
my $basedir = getcwd();
chdir($OPENSSL_PATH) ||
die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\"";
# Configure UEFI
system(
"./Configure",
"UEFI",
"no-afalgeng",
"no-asm",
"no-async",
"no-autoalginit",
"no-autoerrinit",
"no-bf",
"no-blake2",
"no-camellia",
"no-capieng",
"no-cast",
"no-chacha",
"no-cms",
"no-ct",
"no-deprecated",
"no-dgram",
"no-dsa",
"no-dynamic-engine",
"no-ec",
"no-ec2m",
"no-engine",
"no-err",
"no-filenames",
"no-gost",
"no-hw",
"no-idea",
"no-mdc2",
"no-pic",
"no-ocb",
"no-poly1305",
"no-posix-io",
"no-rc2",
"no-rfc3779",
"no-rmd160",
"no-scrypt",
"no-seed",
"no-sock",
"no-srp",
"no-ssl",
"no-stdio",
"no-threads",
"no-ts",
"no-ui",
"no-whirlpool"
) == 0 ||
die "OpenSSL Configure failed!\n";
# Generate opensslconf.h per config data
system(
"perl -I. -Mconfigdata util/dofile.pl " .
"include/openssl/opensslconf.h.in " .
"> include/openssl/opensslconf.h"
) == 0 ||
die "Failed to generate opensslconf.h!\n";
chdir($basedir) ||
die "Cannot change to base directory \"" . $basedir . "\"";
push @INC, $1;
last;
}
}
}
#
# Retrieve file lists from OpenSSL configdata
#
use configdata qw/%unified_info/;
my @cryptofilelist = ();
my @sslfilelist = ();
foreach my $product ((@{$unified_info{libraries}},
@{$unified_info{engines}})) {
foreach my $o (@{$unified_info{sources}->{$product}}) {
foreach my $s (@{$unified_info{sources}->{$o}}) {
next if ($unified_info{generate}->{$s});
next if $s =~ "crypto/bio/b_print.c";
if ($product =~ "libssl") {
push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
next;
}
push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
}
}
}
#
# Update OpensslLib.inf with autogenerated file list
#
my @new_inf = ();
my $subbing = 0;
print "\n--> Updating OpensslLib.inf ... ";
foreach (@inf) {
if ( $_ =~ "# Autogenerated files list starts here" ) {
push @new_inf, $_, @cryptofilelist, @sslfilelist;
$subbing = 1;
next;
}
if ( $_ =~ "# Autogenerated files list ends here" ) {
push @new_inf, $_;
$subbing = 0;
next;
}
push @new_inf, $_
unless ($subbing);
}
my $new_inf_file = $inf_file . ".new";
open( FD, ">" . $new_inf_file ) ||
die $new_inf_file;
print( FD @new_inf ) ||
die $new_inf_file;
close(FD) ||
die $new_inf_file;
rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file";
print "Done!";
#
# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
#
$inf_file = "OpensslLibCrypto.inf";
# Read the contents of the inf file
@inf = ();
@new_inf = ();
open( FD, "<" . $inf_file ) ||
die "Cannot open \"" . $inf_file . "\"!";
@inf = (<FD>);
close(FD) ||
die "Cannot close \"" . $inf_file . "\"!";
$subbing = 0;
print "\n--> Updating OpensslLibCrypto.inf ... ";
foreach (@inf) {
if ( $_ =~ "# Autogenerated files list starts here" ) {
push @new_inf, $_, @cryptofilelist;
$subbing = 1;
next;
}
if ( $_ =~ "# Autogenerated files list ends here" ) {
push @new_inf, $_;
$subbing = 0;
next;
}
push @new_inf, $_
unless ($subbing);
}
$new_inf_file = $inf_file . ".new";
open( FD, ">" . $new_inf_file ) ||
die $new_inf_file;
print( FD @new_inf ) ||
die $new_inf_file;
close(FD) ||
die $new_inf_file;
rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file";
print "Done!";
#
# Copy opensslconf.h generated from OpenSSL Configuration
#
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
$OPENSSL_PATH . "/../../../Include/openssl/") ||
die "Cannot copy opensslconf.h!";
print "Done!\n";
print "\nProcessing Files Done!\n";
exit(0);
#!/usr/bin/perl -w
#
# This script runs the OpenSSL Configure script, then processes the
# resulting file list into our local OpensslLib[Crypto].inf and also
# takes a copy of opensslconf.h.
#
# This only needs to be done once by a developer when updating to a
# new version of OpenSSL (or changing options, etc.). Normal users
# do not need to do this, since the results are stored in the EDK2
# git repository for them.
#
use strict;
use Cwd;
use File::Copy;
#
# Find the openssl directory name for use lib. We have to do this
# inside of BEGIN. The variables we create here, however, don't seem
# to be available to the main script, so we have to repeat the
# exercise.
#
my $inf_file;
my $OPENSSL_PATH;
my @inf;
BEGIN {
$inf_file = "OpensslLib.inf";
# Read the contents of the inf file
open( FD, "<" . $inf_file ) ||
die "Cannot open \"" . $inf_file . "\"!";
@inf = (<FD>);
close(FD) ||
die "Cannot close \"" . $inf_file . "\"!";
foreach (@inf) {
if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) {
# We need to run Configure before we can include its result...
$OPENSSL_PATH = $1;
my $basedir = getcwd();
chdir($OPENSSL_PATH) ||
die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\"";
# Configure UEFI
system(
"./Configure",
"UEFI",
"no-afalgeng",
"no-asm",
"no-async",
"no-autoalginit",
"no-autoerrinit",
"no-bf",
"no-blake2",
"no-camellia",
"no-capieng",
"no-cast",
"no-chacha",
"no-cms",
"no-ct",
"no-deprecated",
"no-dgram",
"no-dsa",
"no-dynamic-engine",
"no-ec",
"no-ec2m",
"no-engine",
"no-err",
"no-filenames",
"no-gost",
"no-hw",
"no-idea",
"no-mdc2",
"no-pic",
"no-ocb",
"no-poly1305",
"no-posix-io",
"no-rc2",
"no-rfc3779",
"no-rmd160",
"no-scrypt",
"no-seed",
"no-sock",
"no-srp",
"no-ssl",
"no-stdio",
"no-threads",
"no-ts",
"no-ui",
"no-whirlpool"
) == 0 ||
die "OpenSSL Configure failed!\n";
# Generate opensslconf.h per config data
system(
"perl -I. -Mconfigdata util/dofile.pl " .
"include/openssl/opensslconf.h.in " .
"> include/openssl/opensslconf.h"
) == 0 ||
die "Failed to generate opensslconf.h!\n";
chdir($basedir) ||
die "Cannot change to base directory \"" . $basedir . "\"";
push @INC, $1;
last;
}
}
}
#
# Retrieve file lists from OpenSSL configdata
#
use configdata qw/%unified_info/;
my @cryptofilelist = ();
my @sslfilelist = ();
foreach my $product ((@{$unified_info{libraries}},
@{$unified_info{engines}})) {
foreach my $o (@{$unified_info{sources}->{$product}}) {
foreach my $s (@{$unified_info{sources}->{$o}}) {
next if ($unified_info{generate}->{$s});
next if $s =~ "crypto/bio/b_print.c";
if ($product =~ "libssl") {
push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
next;
}
push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";
}
}
}
#
# Update OpensslLib.inf with autogenerated file list
#
my @new_inf = ();
my $subbing = 0;
print "\n--> Updating OpensslLib.inf ... ";
foreach (@inf) {
if ( $_ =~ "# Autogenerated files list starts here" ) {
push @new_inf, $_, @cryptofilelist, @sslfilelist;
$subbing = 1;
next;
}
if ( $_ =~ "# Autogenerated files list ends here" ) {
push @new_inf, $_;
$subbing = 0;
next;
}
push @new_inf, $_
unless ($subbing);
}
my $new_inf_file = $inf_file . ".new";
open( FD, ">" . $new_inf_file ) ||
die $new_inf_file;
print( FD @new_inf ) ||
die $new_inf_file;
close(FD) ||
die $new_inf_file;
rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file";
print "Done!";
#
# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)
#
$inf_file = "OpensslLibCrypto.inf";
# Read the contents of the inf file
@inf = ();
@new_inf = ();
open( FD, "<" . $inf_file ) ||
die "Cannot open \"" . $inf_file . "\"!";
@inf = (<FD>);
close(FD) ||
die "Cannot close \"" . $inf_file . "\"!";
$subbing = 0;
print "\n--> Updating OpensslLibCrypto.inf ... ";
foreach (@inf) {
if ( $_ =~ "# Autogenerated files list starts here" ) {
push @new_inf, $_, @cryptofilelist;
$subbing = 1;
next;
}
if ( $_ =~ "# Autogenerated files list ends here" ) {
push @new_inf, $_;
$subbing = 0;
next;
}
push @new_inf, $_
unless ($subbing);
}
$new_inf_file = $inf_file . ".new";
open( FD, ">" . $new_inf_file ) ||
die $new_inf_file;
print( FD @new_inf ) ||
die $new_inf_file;
close(FD) ||
die $new_inf_file;
rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file";
print "Done!";
#
# Copy opensslconf.h generated from OpenSSL Configuration
#
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
$OPENSSL_PATH . "/../../../Include/openssl/") ||
die "Cannot copy opensslconf.h!";
print "Done!\n";
print "\nProcessing Files Done!\n";
exit(0);


@ -1,42 +1,43 @@
/** @file
Internal include file for TlsLib.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __INTERNAL_TLS_LIB_H__
#define __INTERNAL_TLS_LIB_H__
#undef _WIN32
#undef _WIN64
#include <Library/BaseCryptLib.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
typedef struct {
//
// Main SSL Connection which is created by a server or a client
// per established connection.
//
SSL *Ssl;
//
// Memory BIO for the TLS/SSL Reading operations.
//
BIO *InBio;
//
// Memory BIO for the TLS/SSL Writing operations.
//
BIO *OutBio;
} TLS_CONNECTION;
#endif
/** @file
Internal include file for TlsLib.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __INTERNAL_TLS_LIB_H__
#define __INTERNAL_TLS_LIB_H__
#undef _WIN32
#undef _WIN64
#include <Library/BaseCryptLib.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
typedef struct {
//
// Main SSL Connection which is created by a server or a client
// per established connection.
//
SSL *Ssl;
//
// Memory BIO for the TLS/SSL Reading operations.
//
BIO *InBio;
//
// Memory BIO for the TLS/SSL Writing operations.
//
BIO *OutBio;
} TLS_CONNECTION;
#endif



@ -1,268 +1,269 @@
/** @file
SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "InternalTlsLib.h"
/**
Initializes the OpenSSL library.
This function registers ciphers and digests used directly and indirectly
by SSL/TLS, and initializes the readable error messages.
This function must be called before any other action takes places.
**/
VOID
EFIAPI
TlsInitialize (
VOID
)
{
//
// Performs initialization of crypto and ssl library, and loads required
// algorithms.
//
OPENSSL_init_ssl (
OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
NULL
);
//
// Initialize the pseudorandom number generator.
//
RandomSeed (NULL, 0);
}
/**
Free an allocated SSL_CTX object.
@param[in] TlsCtx Pointer to the SSL_CTX object to be released.
**/
VOID
EFIAPI
TlsCtxFree (
IN VOID *TlsCtx
)
{
if (TlsCtx == NULL) {
return;
}
if (TlsCtx != NULL) {
SSL_CTX_free ((SSL_CTX *) (TlsCtx));
}
}
/**
Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
connections.
@param[in] MajorVer Major Version of TLS/SSL Protocol.
@param[in] MinorVer Minor Version of TLS/SSL Protocol.
@return Pointer to an allocated SSL_CTX object.
If the creation failed, TlsCtxNew() returns NULL.
**/
VOID *
EFIAPI
TlsCtxNew (
IN UINT8 MajorVer,
IN UINT8 MinorVer
)
{
SSL_CTX *TlsCtx;
UINT16 ProtoVersion;
ProtoVersion = (MajorVer << 8) | MinorVer;
TlsCtx = SSL_CTX_new (SSLv23_client_method ());
if (TlsCtx == NULL) {
return NULL;
}
//
// Ensure SSLv3 is disabled
//
SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
//
// Treat as minimum accepted versions by setting the minimal bound.
// Client can use higher TLS version if server supports it
//
SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
return (VOID *) TlsCtx;
}
/**
Free an allocated TLS object.
This function removes the TLS object pointed to by Tls and frees up the
allocated memory. If Tls is NULL, nothing is done.
@param[in] Tls Pointer to the TLS object to be freed.
**/
VOID
EFIAPI
TlsFree (
IN VOID *Tls
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL) {
return;
}
//
// Free the internal TLS and BIO objects.
//
if (TlsConn->Ssl != NULL) {
SSL_free (TlsConn->Ssl);
}
if (TlsConn->InBio != NULL) {
BIO_free (TlsConn->InBio);
}
if (TlsConn->OutBio != NULL) {
BIO_free (TlsConn->OutBio);
}
OPENSSL_free (Tls);
}
/**
Create a new TLS object for a connection.
This function creates a new TLS object for a connection. The new object
inherits the setting of the underlying context TlsCtx: connection method,
options, verification setting.
@param[in] TlsCtx Pointer to the SSL_CTX object.
@return Pointer to an allocated SSL object.
If the creation failed, TlsNew() returns NULL.
**/
VOID *
EFIAPI
TlsNew (
IN VOID *TlsCtx
)
{
TLS_CONNECTION *TlsConn;
SSL_CTX *SslCtx;
X509_STORE *X509Store;
TlsConn = NULL;
//
// Allocate one new TLS_CONNECTION object
//
TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
if (TlsConn == NULL) {
return NULL;
}
TlsConn->Ssl = NULL;
//
// Create a new SSL Object
//
TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
if (TlsConn->Ssl == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// This retains compatibility with previous version of OpenSSL.
//
SSL_set_security_level (TlsConn->Ssl, 0);
//
// Initialize the created SSL Object
//
SSL_set_info_callback (TlsConn->Ssl, NULL);
TlsConn->InBio = NULL;
//
// Set up Reading BIO for TLS connection
//
TlsConn->InBio = BIO_new (BIO_s_mem ());
if (TlsConn->InBio == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// Sets the behaviour of memory BIO when it is empty. It will set the
// read retry flag.
//
BIO_set_mem_eof_return (TlsConn->InBio, -1);
TlsConn->OutBio = NULL;
//
// Set up Writing BIO for TLS connection
//
TlsConn->OutBio = BIO_new (BIO_s_mem ());
if (TlsConn->OutBio == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// Sets the behaviour of memory BIO when it is empty. It will set the
// write retry flag.
//
BIO_set_mem_eof_return (TlsConn->OutBio, -1);
ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
//
// Connects the InBio and OutBio for the read and write operations.
//
SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
//
// Create new X509 store if needed
//
SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
X509Store = SSL_CTX_get_cert_store (SslCtx);
if (X509Store == NULL) {
X509Store = X509_STORE_new ();
if (X509Store == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
X509_STORE_free (X509Store);
}
//
// Set X509_STORE flags used in certificate validation
//
X509_STORE_set_flags (
X509Store,
X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
);
return (VOID *) TlsConn;
}
/** @file
SSL/TLS Initialization Library Wrapper Implementation over OpenSSL.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "InternalTlsLib.h"
/**
Initializes the OpenSSL library.
This function registers ciphers and digests used directly and indirectly
by SSL/TLS, and initializes the readable error messages.
This function must be called before any other action takes places.
**/
VOID
EFIAPI
TlsInitialize (
VOID
)
{
//
// Performs initialization of crypto and ssl library, and loads required
// algorithms.
//
OPENSSL_init_ssl (
OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
NULL
);
//
// Initialize the pseudorandom number generator.
//
RandomSeed (NULL, 0);
}
/**
Free an allocated SSL_CTX object.
@param[in] TlsCtx Pointer to the SSL_CTX object to be released.
**/
VOID
EFIAPI
TlsCtxFree (
IN VOID *TlsCtx
)
{
if (TlsCtx == NULL) {
return;
}
if (TlsCtx != NULL) {
SSL_CTX_free ((SSL_CTX *) (TlsCtx));
}
}
/**
Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
connections.
@param[in] MajorVer Major Version of TLS/SSL Protocol.
@param[in] MinorVer Minor Version of TLS/SSL Protocol.
@return Pointer to an allocated SSL_CTX object.
If the creation failed, TlsCtxNew() returns NULL.
**/
VOID *
EFIAPI
TlsCtxNew (
IN UINT8 MajorVer,
IN UINT8 MinorVer
)
{
SSL_CTX *TlsCtx;
UINT16 ProtoVersion;
ProtoVersion = (MajorVer << 8) | MinorVer;
TlsCtx = SSL_CTX_new (SSLv23_client_method ());
if (TlsCtx == NULL) {
return NULL;
}
//
// Ensure SSLv3 is disabled
//
SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
//
// Treat as minimum accepted versions by setting the minimal bound.
// Client can use higher TLS version if server supports it
//
SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion);
return (VOID *) TlsCtx;
}
/**
Free an allocated TLS object.
This function removes the TLS object pointed to by Tls and frees up the
allocated memory. If Tls is NULL, nothing is done.
@param[in] Tls Pointer to the TLS object to be freed.
**/
VOID
EFIAPI
TlsFree (
IN VOID *Tls
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL) {
return;
}
//
// Free the internal TLS and BIO objects.
//
if (TlsConn->Ssl != NULL) {
SSL_free (TlsConn->Ssl);
}
if (TlsConn->InBio != NULL) {
BIO_free (TlsConn->InBio);
}
if (TlsConn->OutBio != NULL) {
BIO_free (TlsConn->OutBio);
}
OPENSSL_free (Tls);
}
/**
Create a new TLS object for a connection.
This function creates a new TLS object for a connection. The new object
inherits the setting of the underlying context TlsCtx: connection method,
options, verification setting.
@param[in] TlsCtx Pointer to the SSL_CTX object.
@return Pointer to an allocated SSL object.
If the creation failed, TlsNew() returns NULL.
**/
VOID *
EFIAPI
TlsNew (
IN VOID *TlsCtx
)
{
TLS_CONNECTION *TlsConn;
SSL_CTX *SslCtx;
X509_STORE *X509Store;
TlsConn = NULL;
//
// Allocate one new TLS_CONNECTION object
//
TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION));
if (TlsConn == NULL) {
return NULL;
}
TlsConn->Ssl = NULL;
//
// Create a new SSL Object
//
TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx);
if (TlsConn->Ssl == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// This retains compatibility with previous version of OpenSSL.
//
SSL_set_security_level (TlsConn->Ssl, 0);
//
// Initialize the created SSL Object
//
SSL_set_info_callback (TlsConn->Ssl, NULL);
TlsConn->InBio = NULL;
//
// Set up Reading BIO for TLS connection
//
TlsConn->InBio = BIO_new (BIO_s_mem ());
if (TlsConn->InBio == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// Sets the behaviour of memory BIO when it is empty. It will set the
// read retry flag.
//
BIO_set_mem_eof_return (TlsConn->InBio, -1);
TlsConn->OutBio = NULL;
//
// Set up Writing BIO for TLS connection
//
TlsConn->OutBio = BIO_new (BIO_s_mem ());
if (TlsConn->OutBio == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
//
// Sets the behaviour of memory BIO when it is empty. It will set the
// write retry flag.
//
BIO_set_mem_eof_return (TlsConn->OutBio, -1);
ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL);
//
// Connects the InBio and OutBio for the read and write operations.
//
SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
//
// Create new X509 store if needed
//
SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
X509Store = SSL_CTX_get_cert_store (SslCtx);
if (X509Store == NULL) {
X509Store = X509_STORE_new ();
if (X509Store == NULL) {
TlsFree ((VOID *) TlsConn);
return NULL;
}
SSL_CTX_set1_verify_cert_store (SslCtx, X509Store);
X509_STORE_free (X509Store);
}
//
// Set X509_STORE flags used in certificate validation
//
X509_STORE_set_flags (
X509Store,
X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
);
return (VOID *) TlsConn;
}


@ -1,56 +1,57 @@
## @file
# SSL/TLS Wrapper Library Instance based on OpenSSL.
#
# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = TlsLib
MODULE_UNI_FILE = TlsLib.uni
FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
#
[Sources]
InternalTlsLib.h
TlsInit.c
TlsConfig.c
TlsProcess.c
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
MemoryAllocationLib
UefiRuntimeServicesTableLib
DebugLib
OpensslLib
IntrinsicLib
PrintLib
[BuildOptions]
#
# suppress the following warnings so we do not break the build with warnings-as-errors:
# C4090: 'function' : different 'const' qualifiers
#
MSFT:*_*_*_CC_FLAGS = /wd4090
## @file
# SSL/TLS Wrapper Library Instance based on OpenSSL.
#
# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = TlsLib
MODULE_UNI_FILE = TlsLib.uni
FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF ARM AARCH64
#
[Sources]
InternalTlsLib.h
TlsInit.c
TlsConfig.c
TlsProcess.c
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
MemoryAllocationLib
UefiRuntimeServicesTableLib
DebugLib
OpensslLib
IntrinsicLib
PrintLib
[BuildOptions]
#
# suppress the following warnings so we do not break the build with warnings-as-errors:
# C4090: 'function' : different 'const' qualifiers
#
MSFT:*_*_*_CC_FLAGS = /wd4090


@ -1,19 +1,19 @@
// /** @file
// SSL/TLS Wrapper Library Instance based on OpenSSL.
//
// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
//
// This program and the accompanying materials
// are licensed and made available under the terms and conditions of the BSD License
// which accompanies this distribution. The full text of the license may be found at
// http://opensource.org/licenses/bsd-license.php
//
// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
// **/
#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"
#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."
// /** @file
// SSL/TLS Wrapper Library Instance based on OpenSSL.
//
// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
//
// This program and the accompanying materials
// are licensed and made available under the terms and conditions of the BSD License
// which accompanies this distribution. The full text of the license may be found at
// http://opensource.org/licenses/bsd-license.php
//
// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
// **/
#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance"
#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance."


@ -1,462 +1,463 @@
/** @file
SSL/TLS Process Library Wrapper Implementation over OpenSSL.
The process includes the TLS handshake and packet I/O.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "InternalTlsLib.h"
#define MAX_BUFFER_SIZE 32768
/**
Checks if the TLS handshake was done.
This function will check if the specified TLS handshake was done.
@param[in] Tls Pointer to the TLS object for handshake state checking.
@retval TRUE The TLS handshake was done.
@retval FALSE The TLS handshake was not done.
**/
BOOLEAN
EFIAPI
TlsInHandshake (
IN VOID *Tls
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return FALSE;
}
//
// Return the status which indicates if the TLS handshake was done.
//
return !SSL_is_init_finished (TlsConn->Ssl);
}
/**
Perform a TLS/SSL handshake.
This function will perform a TLS/SSL handshake.
@param[in] Tls Pointer to the TLS object for handshake operation.
@param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Handshake packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
@retval EFI_ABORTED Something wrong during handshake.
**/
EFI_STATUS
EFIAPI
TlsDoHandshake (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
INTN Ret;
UINTN ErrorCode;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
Ret = 1;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferOutSize == NULL || \
(BufferIn == NULL && BufferInSize != 0) || \
(BufferIn != NULL && BufferInSize == 0) || \
(BufferOut == NULL && *BufferOutSize != 0)) {
return EFI_INVALID_PARAMETER;
}
if(BufferIn == NULL && BufferInSize == 0) {
//
// If RequestBuffer is NULL and RequestSize is 0, and TLS session
// status is EfiTlsSessionNotStarted, the TLS session will be initiated
// and the response packet needs to be ClientHello.
//
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
SSL_set_connect_state (TlsConn->Ssl);
Ret = SSL_do_handshake (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
} else {
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
Ret = SSL_do_handshake (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
}
if (Ret < 1) {
Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
if (Ret == SSL_ERROR_SSL ||
Ret == SSL_ERROR_SYSCALL ||
Ret == SSL_ERROR_ZERO_RETURN) {
DEBUG ((
DEBUG_ERROR,
"%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
__FUNCTION__,
SSL_get_state (TlsConn->Ssl),
Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"
));
DEBUG_CODE_BEGIN ();
while (TRUE) {
ErrorCode = ERR_get_error ();
if (ErrorCode == 0) {
break;
}
DEBUG ((
DEBUG_ERROR,
"%a ERROR 0x%x=L%x:F%x:R%x\n",
__FUNCTION__,
ErrorCode,
ERR_GET_LIB (ErrorCode),
ERR_GET_FUNC (ErrorCode),
ERR_GET_REASON (ErrorCode)
));
}
DEBUG_CODE_END ();
return EFI_ABORTED;
}
}
if (PendingBufferSize > *BufferOutSize) {
*BufferOutSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
} else {
*BufferOutSize = 0;
}
return EFI_SUCCESS;
}
/**
Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
TLS session has errors and the response packet needs to be Alert message based on error type.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in] BufferIn Pointer to the most recently received TLS Alert packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Alert packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_ABORTED An error occurred.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsHandleAlert (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
UINT8 *TempBuffer;
INTN Ret;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
TempBuffer = NULL;
Ret = 0;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferOutSize == NULL || \
(BufferIn == NULL && BufferInSize != 0) || \
(BufferIn != NULL && BufferInSize == 0) || \
(BufferOut == NULL && *BufferOutSize != 0)) {
return EFI_INVALID_PARAMETER;
}
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
if (Ret != (INTN) BufferInSize) {
return EFI_ABORTED;
}
TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
//
// ssl3_send_alert() will be called in ssl3_read_bytes() function.
// TempBuffer is invalid since it's a Alert message, so just ignore it.
//
SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
OPENSSL_free (TempBuffer);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
if (PendingBufferSize > *BufferOutSize) {
*BufferOutSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
} else {
*BufferOutSize = 0;
}
return EFI_SUCCESS;
}
/**
Build the CloseNotify packet.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in, out] Buffer Pointer to the buffer to hold the built packet.
@param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferSize is NULL.
Buffer is NULL if *BufferSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsCloseNotify (
IN VOID *Tls,
IN OUT UINT8 *Buffer,
IN OUT UINTN *BufferSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferSize == NULL || \
(Buffer == NULL && *BufferSize != 0)) {
return EFI_INVALID_PARAMETER;
}
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
//
// ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
//
SSL_shutdown (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
if (PendingBufferSize > *BufferSize) {
*BufferSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);
} else {
*BufferSize = 0;
}
return EFI_SUCCESS;
}
/**
Attempts to read bytes from one TLS object and places the data in Buffer.
This function will attempt to read BufferSize bytes from the TLS object
and places the data in Buffer.
@param[in] Tls Pointer to the TLS object.
@param[in,out] Buffer Pointer to the buffer to store the data.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully read from the TLS object.
@retval <=0 No data was successfully read.
**/
INTN
EFIAPI
TlsCtrlTrafficOut (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->OutBio == 0) {
return -1;
}
//
// Read and return the amount of data from the BIO.
//
return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
}
/**
Attempts to write data from the buffer to TLS object.
This function will attempt to write BufferSize bytes data from the Buffer
to the TLS object.
@param[in] Tls Pointer to the TLS object.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully written to the TLS object.
@retval <=0 No data was successfully written.
**/
INTN
EFIAPI
TlsCtrlTrafficIn (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->InBio == 0) {
return -1;
}
//
// Write and return the amount of data to the BIO.
//
return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
}
/**
Attempts to read bytes from the specified TLS connection into the buffer.
This function tries to read BufferSize bytes data from the specified TLS
connection into the Buffer.
@param[in] Tls Pointer to the TLS connection for data reading.
@param[in,out] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The read operation was successful, and return value is the
number of bytes actually read from the TLS connection.
@retval <=0 The read operation was not successful.
**/
INTN
EFIAPI
TlsRead (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return -1;
}
//
// Read bytes from the specified TLS connection.
//
return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
}
/**
Attempts to write data to a TLS connection.
This function tries to write BufferSize bytes data from the Buffer into the
specified TLS connection.
@param[in] Tls Pointer to the TLS connection for data writing.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The write operation was successful, and return value is the
number of bytes actually written to the TLS connection.
@retval <=0 The write operation was not successful.
**/
INTN
EFIAPI
TlsWrite (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return -1;
}
//
// Write bytes to the specified TLS connection.
//
return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
}
/** @file
SSL/TLS Process Library Wrapper Implementation over OpenSSL.
The process includes the TLS handshake and packet I/O.
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "InternalTlsLib.h"
#define MAX_BUFFER_SIZE 32768
/**
Checks if the TLS handshake was done.
This function will check if the specified TLS handshake was done.
@param[in] Tls Pointer to the TLS object for handshake state checking.
@retval TRUE The TLS handshake was done.
@retval FALSE The TLS handshake was not done.
**/
BOOLEAN
EFIAPI
TlsInHandshake (
IN VOID *Tls
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return FALSE;
}
//
// Return the status which indicates if the TLS handshake was done.
//
return !SSL_is_init_finished (TlsConn->Ssl);
}
/**
Perform a TLS/SSL handshake.
This function will perform a TLS/SSL handshake.
@param[in] Tls Pointer to the TLS object for handshake operation.
@param[in] BufferIn Pointer to the most recently received TLS Handshake packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Handshake packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
@retval EFI_ABORTED Something wrong during handshake.
**/
EFI_STATUS
EFIAPI
TlsDoHandshake (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
INTN Ret;
UINTN ErrorCode;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
Ret = 1;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferOutSize == NULL || \
(BufferIn == NULL && BufferInSize != 0) || \
(BufferIn != NULL && BufferInSize == 0) || \
(BufferOut == NULL && *BufferOutSize != 0)) {
return EFI_INVALID_PARAMETER;
}
if(BufferIn == NULL && BufferInSize == 0) {
//
// If RequestBuffer is NULL and RequestSize is 0, and TLS session
// status is EfiTlsSessionNotStarted, the TLS session will be initiated
// and the response packet needs to be ClientHello.
//
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
SSL_set_connect_state (TlsConn->Ssl);
Ret = SSL_do_handshake (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
} else {
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
Ret = SSL_do_handshake (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
}
if (Ret < 1) {
Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
if (Ret == SSL_ERROR_SSL ||
Ret == SSL_ERROR_SYSCALL ||
Ret == SSL_ERROR_ZERO_RETURN) {
DEBUG ((
DEBUG_ERROR,
"%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n",
__FUNCTION__,
SSL_get_state (TlsConn->Ssl),
Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN"
));
DEBUG_CODE_BEGIN ();
while (TRUE) {
ErrorCode = ERR_get_error ();
if (ErrorCode == 0) {
break;
}
DEBUG ((
DEBUG_ERROR,
"%a ERROR 0x%x=L%x:F%x:R%x\n",
__FUNCTION__,
ErrorCode,
ERR_GET_LIB (ErrorCode),
ERR_GET_FUNC (ErrorCode),
ERR_GET_REASON (ErrorCode)
));
}
DEBUG_CODE_END ();
return EFI_ABORTED;
}
}
if (PendingBufferSize > *BufferOutSize) {
*BufferOutSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
} else {
*BufferOutSize = 0;
}
return EFI_SUCCESS;
}
/**
Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
TLS session has errors and the response packet needs to be Alert message based on error type.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in] BufferIn Pointer to the most recently received TLS Alert packet.
@param[in] BufferInSize Packet size in bytes for the most recently received TLS
Alert packet.
@param[out] BufferOut Pointer to the buffer to hold the built packet.
@param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferIn is NULL but BufferInSize is NOT 0.
BufferInSize is 0 but BufferIn is NOT NULL.
BufferOutSize is NULL.
BufferOut is NULL if *BufferOutSize is not zero.
@retval EFI_ABORTED An error occurred.
@retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsHandleAlert (
IN VOID *Tls,
IN UINT8 *BufferIn, OPTIONAL
IN UINTN BufferInSize, OPTIONAL
OUT UINT8 *BufferOut, OPTIONAL
IN OUT UINTN *BufferOutSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
UINT8 *TempBuffer;
INTN Ret;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
TempBuffer = NULL;
Ret = 0;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferOutSize == NULL || \
(BufferIn == NULL && BufferInSize != 0) || \
(BufferIn != NULL && BufferInSize == 0) || \
(BufferOut == NULL && *BufferOutSize != 0)) {
return EFI_INVALID_PARAMETER;
}
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) {
Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize);
if (Ret != (INTN) BufferInSize) {
return EFI_ABORTED;
}
TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE);
//
// ssl3_send_alert() will be called in ssl3_read_bytes() function.
// TempBuffer is invalid since it's a Alert message, so just ignore it.
//
SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE);
OPENSSL_free (TempBuffer);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
if (PendingBufferSize > *BufferOutSize) {
*BufferOutSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize);
} else {
*BufferOutSize = 0;
}
return EFI_SUCCESS;
}
/**
Build the CloseNotify packet.
@param[in] Tls Pointer to the TLS object for state checking.
@param[in, out] Buffer Pointer to the buffer to hold the built packet.
@param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is
the buffer size provided by the caller. On output, it
is the buffer size in fact needed to contain the
packet.
@retval EFI_SUCCESS The required TLS packet is built successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
Tls is NULL.
BufferSize is NULL.
Buffer is NULL if *BufferSize is not zero.
@retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet.
**/
EFI_STATUS
EFIAPI
TlsCloseNotify (
IN VOID *Tls,
IN OUT UINT8 *Buffer,
IN OUT UINTN *BufferSize
)
{
TLS_CONNECTION *TlsConn;
UINTN PendingBufferSize;
TlsConn = (TLS_CONNECTION *) Tls;
PendingBufferSize = 0;
if (TlsConn == NULL || \
TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \
BufferSize == NULL || \
(Buffer == NULL && *BufferSize != 0)) {
return EFI_INVALID_PARAMETER;
}
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
if (PendingBufferSize == 0) {
//
// ssl3_send_alert() and ssl3_dispatch_alert() function will be called.
//
SSL_shutdown (TlsConn->Ssl);
PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio);
}
if (PendingBufferSize > *BufferSize) {
*BufferSize = PendingBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (PendingBufferSize > 0) {
*BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize);
} else {
*BufferSize = 0;
}
return EFI_SUCCESS;
}
/**
Attempts to read bytes from one TLS object and places the data in Buffer.
This function will attempt to read BufferSize bytes from the TLS object
and places the data in Buffer.
@param[in] Tls Pointer to the TLS object.
@param[in,out] Buffer Pointer to the buffer to store the data.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully read from the TLS object.
@retval <=0 No data was successfully read.
**/
INTN
EFIAPI
TlsCtrlTrafficOut (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->OutBio == 0) {
return -1;
}
//
// Read and return the amount of data from the BIO.
//
return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize);
}
/**
Attempts to write data from the buffer to TLS object.
This function will attempt to write BufferSize bytes data from the Buffer
to the TLS object.
@param[in] Tls Pointer to the TLS object.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The amount of data successfully written to the TLS object.
@retval <=0 No data was successfully written.
**/
INTN
EFIAPI
TlsCtrlTrafficIn (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->InBio == 0) {
return -1;
}
//
// Write and return the amount of data to the BIO.
//
return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize);
}
/**
Attempts to read bytes from the specified TLS connection into the buffer.
This function tries to read BufferSize bytes data from the specified TLS
connection into the Buffer.
@param[in] Tls Pointer to the TLS connection for data reading.
@param[in,out] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The read operation was successful, and return value is the
number of bytes actually read from the TLS connection.
@retval <=0 The read operation was not successful.
**/
INTN
EFIAPI
TlsRead (
IN VOID *Tls,
IN OUT VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return -1;
}
//
// Read bytes from the specified TLS connection.
//
return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
}
/**
Attempts to write data to a TLS connection.
This function tries to write BufferSize bytes data from the Buffer into the
specified TLS connection.
@param[in] Tls Pointer to the TLS connection for data writing.
@param[in] Buffer Pointer to the data buffer.
@param[in] BufferSize The size of Buffer in bytes.
@retval >0 The write operation was successful, and return value is the
number of bytes actually written to the TLS connection.
@retval <=0 The write operation was not successful.
**/
INTN
EFIAPI
TlsWrite (
IN VOID *Tls,
IN VOID *Buffer,
IN UINTN BufferSize
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL) {
return -1;
}
//
// Write bytes to the specified TLS connection.
//
return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize);
}