CryptoPkg: Extend Tls function library

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for
TLS flows that use a cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.

4. TlsGetExportKey(): Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx(): This function adds the local private key
(PEM-encoded or PKCS#8 or DER-encoded private key) into the specified
TLS object for TLS negotiation. There is already a similar function
TlsSetHostPrivateKey(); the new Ex function introduces a new parameter,
Password. Set Password to NULL when useless.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Yi Li 2022-09-25 17:14:06 +08:00 committed by mergify[bot]
parent cafc573ac0
commit bb78d969b7
6 changed files with 667 additions and 7 deletions
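As an added example (not code from the edk2 commit), a portable C model of the SignatureAlgoList buffer that the new TlsSetSignatureAlgoList() consumes: a leading length byte followed by RFC 5246 (HashAlgorithm, SignatureAlgorithm) code-point pairs, converted to the "HASH+SIG:HASH+SIG" string that is handed to OpenSSL. BuildSigalgsString, SigalgsEquals and the sample buffers are names invented for this example.

```c
/* Added example, not code from the edk2 commit: a portable model of the
 * SignatureAlgoList buffer that TlsSetSignatureAlgoList() validates.
 * Layout: Data[0] = number of bytes that follow, then RFC 5246
 * (HashAlgorithm, SignatureAlgorithm) code-point pairs; output is the
 * "HASH+SIG:HASH+SIG" string that SSL_set1_sigalgs_list() accepts.
 * All function and sample names here are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 5246 section 7.4.1.4.1 code points; table index == code point.
 * Index 0 (none / anonymous) has no OpenSSL name and is rejected. */
static const char *const HashName[] = {
  NULL, "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"
};
static const char *const SigName[] = { NULL, "RSA", "DSA", "ECDSA" };
#define COUNT(a) (sizeof (a) / sizeof ((a)[0]))
/* Returns the length of the string written to Out, or -1 when the list is
 * malformed: wrong length byte, odd number of algorithm bytes, unknown or
 * none/anonymous code point, or Out too small for the whole list. */
int BuildSigalgsString (const uint8_t *Data, size_t DataSize,
                        char *Out, size_t OutSize)
{
  size_t Pos = 0;
  if (Data == NULL || Out == NULL || OutSize == 0 || DataSize < 3 ||
      (DataSize % 2) == 0 || Data[0] != DataSize - 1) {
    return -1;
  }
  for (size_t i = 1; i + 1 < DataSize; i += 2) {
    uint8_t Hash = Data[i], Sig = Data[i + 1];
    if (Hash >= COUNT (HashName) || HashName[Hash] == NULL ||
        Sig >= COUNT (SigName) || SigName[Sig] == NULL) {
      return -1;
    }
    int n = snprintf (Out + Pos, OutSize - Pos, "%s%s+%s",
                      Pos ? ":" : "", HashName[Hash], SigName[Sig]);
    if (n < 0 || (size_t)n >= OutSize - Pos) {
      return -1;  /* truncated: never hand a partial list to OpenSSL */
    }
    Pos += (size_t)n;
  }
  return (int)Pos;
}
/* Convenience check used by the samples: does Data encode Expected? */
int SigalgsEquals (const uint8_t *Data, size_t DataSize, const char *Expected)
{
  char Buf[128];
  return BuildSigalgsString (Data, DataSize, Buf, sizeof Buf) >= 0 &&
         strcmp (Buf, Expected) == 0;
}
/* Constructed samples: a Suite B style list (SHA384+ECDSA, SHA256+ECDSA)
 * and one whose length byte claims 2 bytes while 4 follow. */
const uint8_t SuiteBList[]    = { 4, 5, 3, 4, 3 };
const uint8_t BadLengthList[] = { 2, 5, 3, 4, 3 };
int main (void)
{
  char Buf[128];
  if (BuildSigalgsString (SuiteBList, sizeof SuiteBList, Buf, sizeof Buf) > 0) {
    printf ("sigalgs: %s\n", Buf);
  }
  printf ("bad length byte -> %d\n",
          BuildSigalgsString (BadLengthList, sizeof BadLengthList, Buf, sizeof Buf));
  return 0;
}
```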


@ -294,6 +294,25 @@ TlsWrite (
IN UINTN BufferSize
);
/**
Shutdown a TLS connection.
Shutdown the TLS connection without releasing the resources, meaning a new
connection can be started without calling TlsNew() and without setting
certificates etc.
@param[in] Tls Pointer to the TLS object to shutdown.
@retval EFI_SUCCESS The TLS is shutdown successfully.
@retval EFI_INVALID_PARAMETER Tls is NULL.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsShutdown (
IN VOID *Tls
);
/**
Set a new TLS/SSL method for a particular TLS object.
@ -492,11 +511,38 @@ TlsSetHostPublicCert (
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
@param[in] Password Pointer to NULL-terminated private key password, set it to NULL
if private key not encrypted.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_ABORTED Invalid private key data.
**/
EFI_STATUS
EFIAPI
TlsSetHostPrivateKeyEx (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize,
IN VOID *Password OPTIONAL
);
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
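Review bot: Password is documented as a NUL-terminated password string but declared as `IN VOID *Password OPTIONAL`; `IN CONST CHAR8 *Password OPTIONAL` would put that contract in the prototype and let the compiler reject non-string arguments, and it matches how the implementation uses the value (passed straight through to the PEM password callback argument).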
@ -534,6 +580,53 @@ TlsSetCertRevocationList (
IN UINTN DataSize
);
/**
Set the signature algorithm list to used by the TLS object.
This function sets the signature algorithms for use by a specified TLS object.
@param[in] Tls Pointer to a TLS object.
@param[in] Data Array of UINT8 of signature algorithms. The array consists of
pairs of the hash algorithm and the signature algorithm as defined
in RFC 5246
@param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
@retval EFI_SUCCESS The signature algorithm list was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
@retval EFI_OUT_OF_RESOURCES Memory allocation failed.
**/
EFI_STATUS
EFIAPI
TlsSetSignatureAlgoList (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
);
/**
Set the EC curve to be used for TLS flows
This function sets the EC curve to be used for TLS flows.
@param[in] Tls Pointer to a TLS object.
@param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
@param[in] DataSize Size of Data, it should be sizeof (UINT32)
@retval EFI_SUCCESS The EC curve was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
**/
EFI_STATUS
EFIAPI
TlsSetEcCurve (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
);
/**
Gets the protocol version used by the specified TLS connection.
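Review bot: TlsSetEcCurve takes `IN UINT8 *Data` while requiring DataSize to be sizeof (UINT32), so the callee has to reinterpret a byte pointer as a UINT32; a plain `UINT32 NamedCurve` parameter, or a documented ReadUnaligned32 read, would avoid a potentially misaligned dereference and make the contract explicit. For TlsSetSignatureAlgoList, the Data description should spell out the exact byte layout the library accepts (in particular whether a leading length byte precedes the hash/signature pairs), because "Must be divisible by 2" on its own does not tell a caller how to build the buffer.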
@ -810,4 +903,33 @@ TlsGetCertRevocationList (
IN OUT UINTN *DataSize
);
/**
Derive keying material from a TLS connection.
This function exports keying material using the mechanism described in RFC
5705.
@param[in] Tls Pointer to the TLS object
@param[in] Label Description of the key for the PRF function
@param[in] Context Optional context
@param[in] ContextLen The length of the context value in bytes
@param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
@param[in] KeyBufferLen The length of the KeyBuffer
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The TLS object is invalid.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsGetExportKey (
IN VOID *Tls,
IN CONST VOID *Label,
IN CONST VOID *Context,
IN UINTN ContextLen,
OUT VOID *KeyBuffer,
IN UINTN KeyBufferLen
);
#endif // __TLS_LIB_H__
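Review bot: Label has no length parameter, so it must be a NUL-terminated ASCII string; the @param line ("Description of the key for the PRF function") should say so and name it as the RFC 5705 exporter label, and the @retval list should state what happens when Label or KeyBuffer is NULL, since only the TLS object is currently documented as a reason for EFI_INVALID_PARAMETER.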


@ -17,6 +17,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/SafeIntLib.h>
#include <Protocol/Tls.h>
#include <IndustryStandard/Tls1.h>
#include <Library/PcdLib.h>
#include <openssl/obj_mac.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>


@ -62,6 +62,38 @@ STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"), /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"), /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
};
typedef struct {
//
// TLS Algorithm
//
UINT8 Algo;
//
// TLS Algorithm name
//
CONST CHAR8 *Name;
} TLS_ALGO_TO_NAME;
STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] = {
{ TlsHashAlgoNone, NULL },
{ TlsHashAlgoMd5, "MD5" },
{ TlsHashAlgoSha1, "SHA1" },
{ TlsHashAlgoSha224, "SHA224" },
{ TlsHashAlgoSha256, "SHA256" },
{ TlsHashAlgoSha384, "SHA384" },
{ TlsHashAlgoSha512, "SHA512" },
};
STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] = {
{ TlsSignatureAlgoAnonymous, NULL },
{ TlsSignatureAlgoRsa, "RSA" },
{ TlsSignatureAlgoDsa, "DSA" },
{ TlsSignatureAlgoEcdsa, "ECDSA" },
};
/**
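Review bot: the Algo member of TLS_ALGO_TO_NAME is never consulted; the lookup code indexes TlsHashAlgoToName and TlsSignatureAlgoToName directly by the RFC 5246 code point, so these tables are only correct while the TlsHashAlgo* and TlsSignatureAlgo* enum values stay dense and in exactly this order (none=0 .. sha512=6, anonymous=0 .. ecdsa=3). Either search the table by Algo, or add a STATIC_ASSERT next to it (e.g. `STATIC_ASSERT (TlsHashAlgoSha512 == 6, "...")`) so a future reorder of Tls1.h fails at compile time instead of silently mapping to the wrong algorithm name.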
@ -831,11 +863,107 @@ ON_EXIT:
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
@param[in] Password Pointer to NULL-terminated private key password, set it to NULL
if private key not encrypted.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_ABORTED Invalid private key data.
**/
EFI_STATUS
EFIAPI
TlsSetHostPrivateKeyEx (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize,
IN VOID *Password OPTIONAL
)
{
TLS_CONNECTION *TlsConn;
BIO *Bio;
EVP_PKEY *Pkey;
BOOLEAN Verify;
TlsConn = (TLS_CONNECTION *)Tls;
if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
return EFI_INVALID_PARAMETER;
}
// Try to parse the private key in DER format or un-encrypted PKC#8
if (SSL_use_PrivateKey_ASN1 (
EVP_PKEY_RSA,
TlsConn->Ssl,
Data,
(long)DataSize
) == 1)
{
goto verify;
}
if (SSL_use_PrivateKey_ASN1 (
EVP_PKEY_DSA,
TlsConn->Ssl,
Data,
(long)DataSize
) == 1)
{
goto verify;
}
if (SSL_use_PrivateKey_ASN1 (
EVP_PKEY_EC,
TlsConn->Ssl,
Data,
(long)DataSize
) == 1)
{
goto verify;
}
// Try to parse the private key in PEM format or encrypted PKC#8
Bio = BIO_new_mem_buf (Data, (int)DataSize);
if (Bio != NULL) {
Verify = FALSE;
Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);
if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {
Verify = TRUE;
}
EVP_PKEY_free (Pkey);
BIO_free (Bio);
if (Verify) {
goto verify;
}
}
return EFI_ABORTED;
verify:
if (SSL_check_private_key (TlsConn->Ssl) == 1) {
return EFI_SUCCESS;
}
return EFI_ABORTED;
}
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
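Review bot: SSL_check_private_key() (the `verify:` label) fails unless a certificate has already been loaded into the SSL object, so a caller that sets the key before TlsSetHostPublicCert() gets EFI_ABORTED for a perfectly valid key; either document the required call order in the header or defer the consistency check until both are present. Two smaller points: each of the three speculative SSL_use_PrivateKey_ASN1() attempts that fails pushes entries onto the OpenSSL error queue, which later callers of SSL_get_error() on this object can misinterpret, so an ERR_clear_error() after the fallback chain is worth adding; and the comments "un-encrypted PKC#8" and "encrypted PKC#8" misspell PKCS#8.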
@ -852,7 +980,7 @@ TlsSetHostPrivateKey (
IN UINTN DataSize
)
{
return EFI_UNSUPPORTED;
return TlsSetHostPrivateKeyEx (Tls, Data, DataSize, NULL);
}
/**
@ -879,6 +1007,188 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
/**
Set the signature algorithm list to used by the TLS object.
This function sets the signature algorithms for use by a specified TLS object.
@param[in] Tls Pointer to a TLS object.
@param[in] Data Array of UINT8 of signature algorithms. The array consists of
pairs of the hash algorithm and the signature algorithm as defined
in RFC 5246
@param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
@retval EFI_SUCCESS The signature algorithm list was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
@retval EFI_OUT_OF_RESOURCES Memory allocation failed.
**/
EFI_STATUS
EFIAPI
TlsSetSignatureAlgoList (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
)
{
TLS_CONNECTION *TlsConn;
UINTN Index;
UINTN SignAlgoStrSize;
CHAR8 *SignAlgoStr;
CHAR8 *Pos;
UINT8 *SignatureAlgoList;
EFI_STATUS Status;
TlsConn = (TLS_CONNECTION *)Tls;
if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize < 3) ||
((DataSize % 2) == 0) || (Data[0] != DataSize - 1))
{
return EFI_INVALID_PARAMETER;
}
SignatureAlgoList = Data + 1;
SignAlgoStrSize = 0;
for (Index = 0; Index < Data[0]; Index += 2) {
CONST CHAR8 *Tmp;
if (SignatureAlgoList[Index] >= ARRAY_SIZE (TlsHashAlgoToName)) {
return EFI_INVALID_PARAMETER;
}
Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
if (!Tmp) {
return EFI_INVALID_PARAMETER;
}
// Add 1 for the '+'
SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
if (SignatureAlgoList[Index + 1] >= ARRAY_SIZE (TlsSignatureAlgoToName)) {
return EFI_INVALID_PARAMETER;
}
Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
if (!Tmp) {
return EFI_INVALID_PARAMETER;
}
// Add 1 for the ':' or for the NULL terminator
SignAlgoStrSize += AsciiStrLen (Tmp) + 1;
}
if (!SignAlgoStrSize) {
return EFI_UNSUPPORTED;
}
SignAlgoStr = AllocatePool (SignAlgoStrSize);
if (SignAlgoStr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Pos = SignAlgoStr;
for (Index = 0; Index < Data[0]; Index += 2) {
CONST CHAR8 *Tmp;
Tmp = TlsHashAlgoToName[SignatureAlgoList[Index]].Name;
CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
Pos += AsciiStrLen (Tmp);
*Pos++ = '+';
Tmp = TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name;
CopyMem (Pos, Tmp, AsciiStrLen (Tmp));
Pos += AsciiStrLen (Tmp);
*Pos++ = ':';
}
*(Pos - 1) = '\0';
if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) {
Status = EFI_INVALID_PARAMETER;
} else {
Status = EFI_SUCCESS;
}
FreePool (SignAlgoStr);
return Status;
}
/**
Set the EC curve to be used for TLS flows
This function sets the EC curve to be used for TLS flows.
@param[in] Tls Pointer to a TLS object.
@param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
@param[in] DataSize Size of Data, it should be sizeof (UINT32)
@retval EFI_SUCCESS The EC curve was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
**/
EFI_STATUS
EFIAPI
TlsSetEcCurve (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
)
{
#if !FixedPcdGetBool (PcdOpensslEcEnabled)
return EFI_UNSUPPORTED;
#else
TLS_CONNECTION *TlsConn;
EC_KEY *EcKey;
INT32 Nid;
INT32 Ret;
TlsConn = (TLS_CONNECTION *)Tls;
if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize != sizeof (UINT32))) {
return EFI_INVALID_PARAMETER;
}
switch (*((UINT32 *)Data)) {
case TlsEcNamedCurveSecp256r1:
return EFI_UNSUPPORTED;
case TlsEcNamedCurveSecp384r1:
Nid = NID_secp384r1;
break;
case TlsEcNamedCurveSecp521r1:
Nid = NID_secp521r1;
break;
case TlsEcNamedCurveX25519:
Nid = NID_X25519;
break;
case TlsEcNamedCurveX448:
Nid = NID_X448;
break;
default:
return EFI_UNSUPPORTED;
}
if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) != 1) {
return EFI_INVALID_PARAMETER;
}
EcKey = EC_KEY_new_by_curve_name (Nid);
if (EcKey == NULL) {
return EFI_INVALID_PARAMETER;
}
Ret = SSL_set_tmp_ecdh (TlsConn->Ssl, EcKey);
EC_KEY_free (EcKey);
if (Ret != 1) {
return EFI_INVALID_PARAMETER;
}
return EFI_SUCCESS;
#endif
}
/**
Gets the protocol version used by the specified TLS connection.
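Review bot: in TlsSetEcCurve, EC_KEY_new_by_curve_name() has no EC_GROUP for NID_X25519 or NID_X448, so for the X25519 and X448 cases it returns NULL and the function fails with EFI_INVALID_PARAMETER even though SSL_set1_curves() has already succeeded; on OpenSSL 1.1.x SSL_set1_curves() alone configures the key-exchange group and SSL_set_tmp_ecdh() is deprecated, so the EC_KEY block after it can be dropped. In TlsSetSignatureAlgoList the parameter check requires an odd DataSize with Data[0] as a length byte, which contradicts the header comment "Must be divisible by 2", and the `EFI_UNSUPPORTED` branch for an empty string is unreachable once that check passes (Data[0] is at least 2, so at least one pair is appended), so the documented retvals should be brought in line with the code. The explicit `return EFI_UNSUPPORTED` for TlsEcNamedCurveSecp256r1 also deserves a comment explaining why P-256 is rejected while P-384 and P-521 are accepted.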
@ -1306,3 +1616,53 @@ TlsGetCertRevocationList (
{
return EFI_UNSUPPORTED;
}
/**
Derive keying material from a TLS connection.
This function exports keying material using the mechanism described in RFC
5705.
@param[in] Tls Pointer to the TLS object
@param[in] Label Description of the key for the PRF function
@param[in] Context Optional context
@param[in] ContextLen The length of the context value in bytes
@param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
@param[in] KeyBufferLen The length of the KeyBuffer
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The TLS object is invalid.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsGetExportKey (
IN VOID *Tls,
IN CONST VOID *Label,
IN CONST VOID *Context,
IN UINTN ContextLen,
OUT VOID *KeyBuffer,
IN UINTN KeyBufferLen
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *)Tls;
if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
return EFI_INVALID_PARAMETER;
}
return SSL_export_keying_material (
TlsConn->Ssl,
KeyBuffer,
KeyBufferLen,
Label,
AsciiStrLen (Label),
Context,
ContextLen,
Context != NULL
) == 1 ?
EFI_SUCCESS : EFI_PROTOCOL_ERROR;
}
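Review bot: Label and KeyBuffer are not validated, yet Label is passed straight to AsciiStrLen(), which asserts on NULL in DEBUG builds and dereferences it in RELEASE builds; add both to the EFI_INVALID_PARAMETER check. The `Context != NULL` use_context flag correctly preserves the RFC 5705 distinction between "no context" and a zero-length context, which is worth stating in the doc comment, since a caller passing a non-NULL Context with ContextLen 0 derives different keying material from one passing NULL.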


@ -461,3 +461,35 @@ TlsWrite (
//
return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize);
}
/**
Shutdown a TLS connection.
Shutdown the TLS connection without releasing the resources, meaning a new
connection can be started without calling TlsNew() and without setting
certificates etc.
@param[in] Tls Pointer to the TLS object to shutdown.
@retval EFI_SUCCESS The TLS is shutdown successfully.
@retval EFI_INVALID_PARAMETER Tls is NULL.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsShutdown (
IN VOID *Tls
)
{
TLS_CONNECTION *TlsConn;
TlsConn = (TLS_CONNECTION *)Tls;
if ((TlsConn == NULL) || ((TlsConn->Ssl) == NULL)) {
return EFI_INVALID_PARAMETER;
}
SSL_set_quiet_shutdown (TlsConn->Ssl, 1);
SSL_shutdown (TlsConn->Ssl);
return SSL_clear (TlsConn->Ssl) == 1 ? EFI_SUCCESS : EFI_PROTOCOL_ERROR;
}
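Review bot: SSL_set_quiet_shutdown (TlsConn->Ssl, 1) makes the following SSL_shutdown() only mark the connection as closed without sending a close_notify alert, so the peer cannot distinguish this close from a truncated connection; that may be intended for the EAP flows in the commit message, but the TlsShutdown header comment should say that no close_notify is sent and that the application layer is responsible for signalling termination. Does SSL_clear() reset the quiet-shutdown flag? If not, every later connection on this reused object also closes silently, which should be documented alongside "without setting certificates etc.".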


@ -242,11 +242,42 @@ TlsSetHostPublicCert (
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
@param[in] Password Pointer to NULL-terminated private key password, set it to NULL
if private key not encrypted.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@retval EFI_ABORTED Invalid private key data.
**/
EFI_STATUS
EFIAPI
TlsSetHostPrivateKeyEx (
IN VOID *Tls,
IN VOID *Data,
IN UINTN DataSize,
IN VOID *Password OPTIONAL
)
{
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}
/**
Adds the local private key to the specified TLS object.
This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
@param[in] Tls Pointer to the TLS object.
@param[in] Data Pointer to the data buffer of a DER-encoded or PEM-encoded
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
@ -292,6 +323,61 @@ TlsSetCertRevocationList (
return EFI_UNSUPPORTED;
}
/**
Set the signature algorithm list to used by the TLS object.
This function sets the signature algorithms for use by a specified TLS object.
@param[in] Tls Pointer to a TLS object.
@param[in] Data Array of UINT8 of signature algorithms. The array consists of
pairs of the hash algorithm and the signature algorithm as defined
in RFC 5246
@param[in] DataSize The length the SignatureAlgoList. Must be divisible by 2.
@retval EFI_SUCCESS The signature algorithm list was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED No supported TLS signature algorithm was found in SignatureAlgoList
@retval EFI_OUT_OF_RESOURCES Memory allocation failed.
**/
EFI_STATUS
EFIAPI
TlsSetSignatureAlgoList (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
)
{
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}
/**
Set the EC curve to be used for TLS flows
This function sets the EC curve to be used for TLS flows.
@param[in] Tls Pointer to a TLS object.
@param[in] Data An EC named curve as defined in section 5.1.1 of RFC 4492.
@param[in] DataSize Size of Data, it should be sizeof (UINT32)
@retval EFI_SUCCESS The EC curve was set successfully.
@retval EFI_INVALID_PARAMETER The parameters are invalid.
@retval EFI_UNSUPPORTED The requested TLS EC curve is not supported
**/
EFI_STATUS
EFIAPI
TlsSetEcCurve (
IN VOID *Tls,
IN UINT8 *Data,
IN UINTN DataSize
)
{
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}
/**
Gets the protocol version used by the specified TLS connection.
@ -617,3 +703,36 @@ TlsGetCertRevocationList (
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}
/**
Derive keying material from a TLS connection.
This function exports keying material using the mechanism described in RFC
5705.
@param[in] Tls Pointer to the TLS object
@param[in] Label Description of the key for the PRF function
@param[in] Context Optional context
@param[in] ContextLen The length of the context value in bytes
@param[out] KeyBuffer Buffer to hold the output of the TLS-PRF
@param[in] KeyBufferLen The length of the KeyBuffer
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_INVALID_PARAMETER The TLS object is invalid.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsGetExportKey (
IN VOID *Tls,
IN CONST VOID *Label,
IN CONST VOID *Context,
IN UINTN ContextLen,
OUT VOID *KeyBuffer,
IN UINTN KeyBufferLen
)
{
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}


@ -245,3 +245,26 @@ TlsWrite (
ASSERT (FALSE);
return 0;
}
/**
Shutdown a TLS connection.
Shutdown the TLS connection without releasing the resources, meaning a new
connection can be started without calling TlsNew() and without setting
certificates etc.
@param[in] Tls Pointer to the TLS object to shutdown.
@retval EFI_SUCCESS The TLS is shutdown successfully.
@retval EFI_INVALID_PARAMETER Tls is NULL.
@retval EFI_PROTOCOL_ERROR Some other error occurred.
**/
EFI_STATUS
EFIAPI
TlsShutdown (
IN VOID *Tls
)
{
ASSERT (FALSE);
return EFI_UNSUPPORTED;
}