CryptoPkg: Add new TlsLib library

v2:
* Code refine and Typo fix:
TlsHandeAlert -> TlsHandleAlert

This patch is used to add new TlsLib library, which is wrapped
over OpenSSL. The implementation provides TLS library functions
for EFI TLS protocol and EFI TLS Configuration Protocol.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Cc: Thomas Palmer <thomas.palmer@hpe.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>

1 files changed, 787 insertions, 0 deletions

diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
new file mode 100644
index 0000000000..45564f159e
--- /dev/null
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -0,0 +1,787 @@
+/** @file
+  Defines TLS Library APIs.
+
+Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __TLS_LIB_H__
+#define __TLS_LIB_H__
+
+/**
+  Initializes the OpenSSL library.
+
+  This function registers ciphers and digests used directly and indirectly
+  by SSL/TLS, and initializes the readable error messages.
+  This function must be called before any other action takes places.
+
+**/
+VOID
+EFIAPI
+TlsInitialize (
+  VOID
+  );
+
+/**
+  Free an allocated SSL_CTX object.
+
+  @param[in]  TlsCtx    Pointer to the SSL_CTX object to be released.
+
+**/
+VOID
+EFIAPI
+TlsCtxFree (
+  IN   VOID                  *TlsCtx
+  );
+
+/**
+  Creates a new SSL_CTX object as framework to establish TLS/SSL enabled
+  connections.
+
+  @param[in]  MajorVer    Major Version of TLS/SSL Protocol.
+  @param[in]  MinorVer    Minor Version of TLS/SSL Protocol.
+
+  @return  Pointer to an allocated SSL_CTX object.
+           If the creation failed, TlsCtxNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsCtxNew (
+  IN     UINT8                    MajorVer,
+  IN     UINT8                    MinorVer
+  );
+
+/**
+  Free an allocated TLS object.
+
+  This function removes the TLS object pointed to by Tls and frees up the
+  allocated memory. If Tls is NULL, nothing is done.
+
+  @param[in]  Tls    Pointer to the TLS object to be freed.
+
+**/
+VOID
+EFIAPI
+TlsFree (
+  IN     VOID                     *Tls
+  );
+
+/**
+  Create a new TLS object for a connection.
+
+  This function creates a new TLS object for a connection. The new object
+  inherits the setting of the underlying context TlsCtx: connection method,
+  options, verification setting.
+
+  @param[in]  TlsCtx    Pointer to the SSL_CTX object.
+
+  @return  Pointer to an allocated SSL object.
+           If the creation failed, TlsNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+TlsNew (
+  IN     VOID                     *TlsCtx
+  );
+
+/**
+  Checks if the TLS handshake was done.
+
+  This function will check if the specified TLS handshake was done.
+
+  @param[in]  Tls    Pointer to the TLS object for handshake state checking.
+
+  @retval  TRUE     The TLS handshake was done.
+  @retval  FALSE    The TLS handshake was not done.
+
+**/
+BOOLEAN
+EFIAPI
+TlsInHandshake (
+  IN     VOID                     *Tls
+  );
+
+/**
+  Perform a TLS/SSL handshake.
+
+  This function will perform a TLS/SSL handshake.
+
+  @param[in]       Tls            Pointer to the TLS object for handshake operation.
+  @param[in]       BufferIn       Pointer to the most recently received TLS Handshake packet.
+  @param[in]       BufferInSize   Packet size in bytes for the most recently received TLS
+                                  Handshake packet.
+  @param[out]      BufferOut      Pointer to the buffer to hold the built packet.
+  @param[in, out]  BufferOutSize  Pointer to the buffer size in bytes. On input, it is
+                                  the buffer size provided by the caller. On output, it
+                                  is the buffer size in fact needed to contain the
+                                  packet.
+
+  @retval EFI_SUCCESS             The required TLS packet is built successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
+                                  Tls is NULL.
+                                  BufferIn is NULL but BufferInSize is NOT 0.
+                                  BufferInSize is 0 but BufferIn is NOT NULL.
+                                  BufferOutSize is NULL.
+                                  BufferOut is NULL if *BufferOutSize is not zero.
+  @retval EFI_BUFFER_TOO_SMALL    BufferOutSize is too small to hold the response packet.
+  @retval EFI_ABORTED             Something wrong during handshake.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsDoHandshake (
+  IN     VOID                     *Tls,
+  IN     UINT8                    *BufferIn, OPTIONAL
+  IN     UINTN                    BufferInSize, OPTIONAL
+     OUT UINT8                    *BufferOut, OPTIONAL
+  IN OUT UINTN                    *BufferOutSize
+  );
+
+/**
+  Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero,
+  TLS session has errors and the response packet needs to be Alert message based on error type.
+
+  @param[in]       Tls            Pointer to the TLS object for state checking.
+  @param[in]       BufferIn       Pointer to the most recently received TLS Alert packet.
+  @param[in]       BufferInSize   Packet size in bytes for the most recently received TLS
+                                  Alert packet.
+  @param[out]      BufferOut      Pointer to the buffer to hold the built packet.
+  @param[in, out]  BufferOutSize  Pointer to the buffer size in bytes. On input, it is
+                                  the buffer size provided by the caller. On output, it
+                                  is the buffer size in fact needed to contain the
+                                  packet.
+
+  @retval EFI_SUCCESS             The required TLS packet is built successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
+                                  Tls is NULL.
+                                  BufferIn is NULL but BufferInSize is NOT 0.
+                                  BufferInSize is 0 but BufferIn is NOT NULL.
+                                  BufferOutSize is NULL.
+                                  BufferOut is NULL if *BufferOutSize is not zero.
+  @retval EFI_ABORTED             An error occurred.
+  @retval EFI_BUFFER_TOO_SMALL    BufferOutSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsHandleAlert (
+  IN     VOID                     *Tls,
+  IN     UINT8                    *BufferIn, OPTIONAL
+  IN     UINTN                    BufferInSize, OPTIONAL
+     OUT UINT8                    *BufferOut, OPTIONAL
+  IN OUT UINTN                    *BufferOutSize
+  );
+
+/**
+  Build the CloseNotify packet.
+
+  @param[in]       Tls            Pointer to the TLS object for state checking.
+  @param[in, out]  Buffer         Pointer to the buffer to hold the built packet.
+  @param[in, out]  BufferSize     Pointer to the buffer size in bytes. On input, it is
+                                  the buffer size provided by the caller. On output, it
+                                  is the buffer size in fact needed to contain the
+                                  packet.
+
+  @retval EFI_SUCCESS             The required TLS packet is built successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
+                                  Tls is NULL.
+                                  BufferSize is NULL.
+                                  Buffer is NULL if *BufferSize is not zero.
+  @retval EFI_BUFFER_TOO_SMALL    BufferSize is too small to hold the response packet.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsCloseNotify (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *Buffer,
+  IN OUT UINTN                    *BufferSize
+  );
+
+/**
+  Attempts to read bytes from one TLS object and places the data in Buffer.
+
+  This function will attempt to read BufferSize bytes from the TLS object
+  and places the data in Buffer.
+
+  @param[in]      Tls           Pointer to the TLS object.
+  @param[in,out]  Buffer        Pointer to the buffer to store the data.
+  @param[in]      BufferSize    The size of Buffer in bytes.
+
+  @retval  >0    The amount of data successfully read from the TLS object.
+  @retval  <=0   No data was successfully read.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficOut (
+  IN     VOID                     *Tls,
+  IN OUT VOID                     *Buffer,
+  IN     UINTN                    BufferSize
+  );
+
+/**
+  Attempts to write data from the buffer to TLS object.
+
+  This function will attempt to write BufferSize bytes data from the Buffer
+  to the TLS object.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  Buffer        Pointer to the data buffer.
+  @param[in]  BufferSize    The size of Buffer in bytes.
+
+  @retval  >0    The amount of data successfully written to the TLS object.
+  @retval <=0    No data was successfully written.
+
+**/
+INTN
+EFIAPI
+TlsCtrlTrafficIn (
+  IN     VOID                     *Tls,
+  IN     VOID                     *Buffer,
+  IN     UINTN                    BufferSize
+  );
+
+/**
+  Attempts to read bytes from the specified TLS connection into the buffer.
+
+  This function tries to read BufferSize bytes data from the specified TLS
+  connection into the Buffer.
+
+  @param[in]      Tls           Pointer to the TLS connection for data reading.
+  @param[in,out]  Buffer        Pointer to the data buffer.
+  @param[in]      BufferSize    The size of Buffer in bytes.
+
+  @retval  >0    The read operation was successful, and return value is the
+                 number of bytes actually read from the TLS connection.
+  @retval  <=0   The read operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsRead (
+  IN     VOID                     *Tls,
+  IN OUT VOID                     *Buffer,
+  IN     UINTN                    BufferSize
+  );
+
+/**
+  Attempts to write data to a TLS connection.
+
+  This function tries to write BufferSize bytes data from the Buffer into the
+  specified TLS connection.
+
+  @param[in]  Tls           Pointer to the TLS connection for data writing.
+  @param[in]  Buffer        Pointer to the data buffer.
+  @param[in]  BufferSize    The size of Buffer in bytes.
+
+  @retval  >0    The write operation was successful, and return value is the
+                 number of bytes actually written to the TLS connection.
+  @retval <=0    The write operation was not successful.
+
+**/
+INTN
+EFIAPI
+TlsWrite (
+  IN     VOID                     *Tls,
+  IN     VOID                     *Buffer,
+  IN     UINTN                    BufferSize
+  );
+
+/**
+  Set a new TLS/SSL method for a particular TLS object.
+
+  This function sets a new TLS/SSL method for a particular TLS object.
+
+  @param[in]  Tls         Pointer to a TLS object.
+  @param[in]  MajorVer    Major Version of TLS/SSL Protocol.
+  @param[in]  MinorVer    Minor Version of TLS/SSL Protocol.
+
+  @retval  EFI_SUCCESS           The TLS/SSL method was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetVersion (
+  IN     VOID                     *Tls,
+  IN     UINT8                    MajorVer,
+  IN     UINT8                    MinorVer
+  );
+
+/**
+  Set TLS object to work in client or server mode.
+
+  This function prepares a TLS object to work in client or server mode.
+
+  @param[in]  Tls         Pointer to a TLS object.
+  @param[in]  IsServer    Work in server mode.
+
+  @retval  EFI_SUCCESS           The TLS/SSL work mode was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Unsupported TLS/SSL work mode.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetConnectionEnd (
+  IN     VOID                     *Tls,
+  IN     BOOLEAN                  IsServer
+  );
+
+/**
+  Set the ciphers list to be used by the TLS object.
+
+  This function sets the ciphers for use by a specified TLS object.
+
+  @param[in]  Tls          Pointer to a TLS object.
+  @param[in]  CipherId     Pointer to a string that contains one or more
+                           ciphers separated by a colon.
+  @param[in]  CipherNum    The number of cipher in the list.
+
+  @retval  EFI_SUCCESS           The ciphers list was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Unsupported TLS cipher in the list.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCipherList (
+  IN     VOID                     *Tls,
+  IN     UINT16                   *CipherId,
+  IN     UINTN                    CipherNum
+  );
+
+/**
+  Set the compression method for TLS/SSL operations.
+
+  This function handles TLS/SSL integrated compression methods.
+
+  @param[in]  CompMethod    The compression method ID.
+
+  @retval  EFI_SUCCESS        The compression method for the communication was
+                              set successfully.
+  @retval  EFI_UNSUPPORTED    Unsupported compression method.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCompressionMethod (
+  IN     UINT8                    CompMethod
+  );
+
+/**
+  Set peer certificate verification mode for the TLS connection.
+
+  This function sets the verification mode flags for the TLS connection.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  VerifyMode    A set of logically or'ed verification mode flags.
+
+**/
+VOID
+EFIAPI
+TlsSetVerify (
+  IN     VOID                     *Tls,
+  IN     UINT32                   VerifyMode
+  );
+
+/**
+  Sets a TLS/SSL session ID to be used during TLS/SSL connect.
+
+  This function sets a session ID to be used when the TLS/SSL connection is
+  to be established.
+
+  @param[in]  Tls             Pointer to the TLS object.
+  @param[in]  SessionId       Session ID data used for session resumption.
+  @param[in]  SessionIdLen    Length of Session ID in bytes.
+
+  @retval  EFI_SUCCESS           Session ID was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       No available session for ID setting.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSessionId (
+  IN     VOID                     *Tls,
+  IN     UINT8                    *SessionId,
+  IN     UINT16                   SessionIdLen
+  );
+
+/**
+  Adds the CA to the cert store when requesting Server or Client authentication.
+
+  This function adds the CA certificate to the list of CAs when requesting
+  Server or Client authentication for the chosen TLS connection.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
+                          X.509 certificate or PEM-encoded X.509 certificate.
+  @param[in]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
+  @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
+  @retval  EFI_ABORTED             Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCaCertificate (
+  IN     VOID                     *Tls,
+  IN     VOID                     *Data,
+  IN     UINTN                    DataSize
+  );
+
+/**
+  Loads the local public certificate into the specified TLS object.
+
+  This function loads the X.509 certificate into the specified TLS object
+  for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded binary
+                          X.509 certificate or PEM-encoded X.509 certificate.
+  @param[in]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
+  @retval  EFI_OUT_OF_RESOURCES    Required resources could not be allocated.
+  @retval  EFI_ABORTED             Invalid X.509 certificate.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPublicCert (
+  IN     VOID                     *Tls,
+  IN     VOID                     *Data,
+  IN     UINTN                    DataSize
+  );
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
+                          or PKCS#8 private key.
+  @param[in]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKey (
+  IN     VOID                     *Tls,
+  IN     VOID                     *Data,
+  IN     UINTN                    DataSize
+  );
+
+/**
+  Adds the CA-supplied certificate revocation list for certificate validation.
+
+  This function adds the CA-supplied certificate revocation list data for
+  certificate validity checking.
+
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded CRL data.
+  @param[in]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid CRL data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetCertRevocationList (
+  IN     VOID                     *Data,
+  IN     UINTN                    DataSize
+  );
+
+/**
+  Gets the protocol version used by the specified TLS connection.
+
+  This function returns the protocol version used by the specified TLS
+  connection.
+
+  @param[in]  Tls    Pointer to the TLS object.
+
+  @return  The protocol version of the specified TLS connection.
+
+**/
+UINT16
+EFIAPI
+TlsGetVersion (
+  IN     VOID                     *Tls
+  );
+
+/**
+  Gets the connection end of the specified TLS connection.
+
+  This function returns the connection end (as client or as server) used by
+  the specified TLS connection.
+
+  @param[in]  Tls    Pointer to the TLS object.
+
+  @return  The connection end used by the specified TLS connection.
+
+**/
+UINT8
+EFIAPI
+TlsGetConnectionEnd (
+  IN     VOID                     *Tls
+  );
+
+/**
+  Gets the cipher suite used by the specified TLS connection.
+
+  This function returns current cipher suite used by the specified
+  TLS connection.
+
+  @param[in]      Tls         Pointer to the TLS object.
+  @param[in,out]  CipherId    The cipher suite used by the TLS object.
+
+  @retval  EFI_SUCCESS           The cipher suite was returned successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Unsupported cipher suite.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCipher (
+  IN     VOID                     *Tls,
+  IN OUT UINT16                   *CipherId
+  );
+
+/**
+  Gets the compression methods used by the specified TLS connection.
+
+  This function returns current integrated compression methods used by
+  the specified TLS connection.
+
+  @param[in]      Tls              Pointer to the TLS object.
+  @param[in,out]  CompressionId    The current compression method used by
+                                   the TLS object.
+
+  @retval  EFI_SUCCESS           The compression method was returned successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_ABORTED           Invalid Compression method.
+  @retval  EFI_UNSUPPORTED       This function is not supported.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCurrentCompressionId (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *CompressionId
+  );
+
+/**
+  Gets the verification mode currently set in the TLS connection.
+
+  This function returns the peer verification mode currently set in the
+  specified TLS connection.
+
+  @param[in]  Tls    Pointer to the TLS object.
+
+  @return  The verification mode set in the specified TLS connection.
+
+**/
+UINT32
+EFIAPI
+TlsGetVerify (
+  IN     VOID                     *Tls
+  );
+
+/**
+  Gets the session ID used by the specified TLS connection.
+
+  This function returns the TLS/SSL session ID currently used by the
+  specified TLS connection.
+
+  @param[in]      Tls             Pointer to the TLS object.
+  @param[in,out]  SessionId       Buffer to contain the returned session ID.
+  @param[in,out]  SessionIdLen    The length of Session ID in bytes.
+
+  @retval  EFI_SUCCESS           The Session ID was returned successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetSessionId (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *SessionId,
+  IN OUT UINT16                   *SessionIdLen
+  );
+
+/**
+  Gets the client random data used in the specified TLS connection.
+
+  This function returns the TLS/SSL client random data currently used in
+  the specified TLS connection.
+
+  @param[in]      Tls             Pointer to the TLS object.
+  @param[in,out]  ClientRandom    Buffer to contain the returned client
+                                  random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetClientRandom (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *ClientRandom
+  );
+
+/**
+  Gets the server random data used in the specified TLS connection.
+
+  This function returns the TLS/SSL server random data currently used in
+  the specified TLS connection.
+
+  @param[in]      Tls             Pointer to the TLS object.
+  @param[in,out]  ServerRandom    Buffer to contain the returned server
+                                  random data (32 bytes).
+
+**/
+VOID
+EFIAPI
+TlsGetServerRandom (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *ServerRandom
+  );
+
+/**
+  Gets the master key data used in the specified TLS connection.
+
+  This function returns the TLS/SSL master key material currently used in
+  the specified TLS connection.
+
+  @param[in]      Tls            Pointer to the TLS object.
+  @param[in,out]  KeyMaterial    Buffer to contain the returned key material.
+
+  @retval  EFI_SUCCESS           Key material was returned successfully.
+  @retval  EFI_INVALID_PARAMETER The parameter is invalid.
+  @retval  EFI_UNSUPPORTED       Invalid TLS/SSL session.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetKeyMaterial (
+  IN     VOID                     *Tls,
+  IN OUT UINT8                    *KeyMaterial
+  );
+
+/**
+  Gets the CA Certificate from the cert store.
+
+  This function returns the CA certificate for the chosen
+  TLS connection.
+
+  @param[in]      Tls         Pointer to the TLS object.
+  @param[out]     Data        Pointer to the data buffer to receive the CA
+                              certificate data sent to the client.
+  @param[in,out]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_UNSUPPORTED         This function is not supported.
+  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCaCertificate (
+  IN     VOID                     *Tls,
+  OUT    VOID                     *Data,
+  IN OUT UINTN                    *DataSize
+  );
+
+/**
+  Gets the local public Certificate set in the specified TLS object.
+
+  This function returns the local public certificate which was currently set
+  in the specified TLS object.
+
+  @param[in]      Tls         Pointer to the TLS object.
+  @param[out]     Data        Pointer to the data buffer to receive the local
+                              public certificate.
+  @param[in,out]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The parameter is invalid.
+  @retval  EFI_NOT_FOUND           The certificate is not found.
+  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPublicCert (
+  IN     VOID                     *Tls,
+  OUT    VOID                     *Data,
+  IN OUT UINTN                    *DataSize
+  );
+
+/**
+  Gets the local private key set in the specified TLS object.
+
+  This function returns the local private key data which was currently set
+  in the specified TLS object.
+
+  @param[in]      Tls         Pointer to the TLS object.
+  @param[out]     Data        Pointer to the data buffer to receive the local
+                              private key data.
+  @param[in,out]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_UNSUPPORTED         This function is not supported.
+  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetHostPrivateKey (
+  IN     VOID                     *Tls,
+  OUT    VOID                     *Data,
+  IN OUT UINTN                    *DataSize
+  );
+
+/**
+  Gets the CA-supplied certificate revocation list data set in the specified
+  TLS object.
+
+  This function returns the CA-supplied certificate revocation list data which
+  was currently set in the specified TLS object.
+
+  @param[out]     Data        Pointer to the data buffer to receive the CRL data.
+  @param[in,out]  DataSize    The size of data buffer in bytes.
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_UNSUPPORTED         This function is not supported.
+  @retval  EFI_BUFFER_TOO_SMALL    The Data is too small to hold the data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetCertRevocationList (
+  OUT    VOID                     *Data,
+  IN OUT UINTN                    *DataSize
+  );
+
+#endif // __TLS_LIB_H__