CryptoPkg: Extend Tls function library

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892 1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms that should be used as part of the TLS session establishment. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant. 2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for TLS flows the use cipher suite with EC, e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant. 3. TlsShutdown(): Shutdown the TLS connection without releasing the resources, meaning a new connection can be started without calling TlsNew() and without setting certificates etc. 4. TlsGetExportKey(): Derive keying material from a TLS connection using the mechanism described in RFC 5705 and export the key material (needed by EAP methods such as EAP-TTLS and EAP-PEAP). 5. TlsSetHostPrivateKeyEx(): This function adds the local private key (PEM-encoded or PKCS#8 or DER-encoded private key) into the specified TLS object for TLS negotiation. There is already a similar function TlsSetHostPrivateKey(), the new Ex function introduces a new parameter Password, set Password to NULL when useless. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
author: Yi Li <yi1.li@intel.com> 2022-09-25 17:14:06 +0800
committer: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2022-10-10 06:29:51 +0000
commit: bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0 (patch)
tree: a14ebf77f71553e21ec35634861f2956745fbea5 /CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
parent: cafc573ac0b89db1f02e17eae75842e63c4ef7d7 (diff)
download: edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.tar.gz
edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.tar.bz2
edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.zip
1 files changed, 121 insertions, 2 deletions
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 03726fd726..18dd604382 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -242,11 +242,42 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls         Pointer to the TLS object.
-  @param[in]  Data        Pointer to the data buffer of a PEM-encoded RSA
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
+                          or PKCS#8 private key.
+  @param[in]  DataSize    The size of data buffer in bytes.
+  @param[in]  Password    Pointer to NULL-terminated private key password, set it to NULL
+                          if private key not encrypted.
+
+  @retval  EFI_SUCCESS     The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED     Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN     VOID   *Tls,
+  IN     VOID   *Data,
+  IN     UINTN  DataSize,
+  IN     VOID   *Password  OPTIONAL
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls         Pointer to the TLS object.
+  @param[in]  Data        Pointer to the data buffer of a DER-encoded or PEM-encoded
                           or PKCS#8 private key.
   @param[in]  DataSize    The size of data buffer in bytes.
 
@@ -293,6 +324,61 @@ TlsSetCertRevocationList (
 }
 
 /**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS object.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               Array of UINT8 of signature algorithms. The array consists of
+                                 pairs of the hash algorithm and the signature algorithm as defined
+                                 in RFC 5246
+  @param[in]  DataSize           The length the SignatureAlgoList. Must be divisible by 2.
+
+  @retval  EFI_SUCCESS           The signature algorithm list was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       No supported TLS signature algorithm was found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetSignatureAlgoList (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  Tls                Pointer to a TLS object.
+  @param[in]  Data               An EC named curve as defined in section 5.1.1 of RFC 4492.
+  @param[in]  DataSize           Size of Data, it should be sizeof (UINT32)
+
+  @retval  EFI_SUCCESS           The EC curve was set successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED       The requested TLS EC curve is not supported
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetEcCurve (
+  IN     VOID   *Tls,
+  IN     UINT8  *Data,
+  IN     UINTN  DataSize
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
+/**
   Gets the protocol version used by the specified TLS connection.
 
   This function returns the protocol version used by the specified TLS
@@ -617,3 +703,36 @@ TlsGetCertRevocationList (
   ASSERT (FALSE);
   return EFI_UNSUPPORTED;
 }
+
+/**
+  Derive keying material from a TLS connection.
+
+  This function exports keying material using the mechanism described in RFC
+  5705.
+
+  @param[in]      Tls          Pointer to the TLS object
+  @param[in]      Label        Description of the key for the PRF function
+  @param[in]      Context      Optional context
+  @param[in]      ContextLen   The length of the context value in bytes
+  @param[out]     KeyBuffer    Buffer to hold the output of the TLS-PRF
+  @param[in]      KeyBufferLen The length of the KeyBuffer
+
+  @retval  EFI_SUCCESS             The operation succeeded.
+  @retval  EFI_INVALID_PARAMETER   The TLS object is invalid.
+  @retval  EFI_PROTOCOL_ERROR      Some other error occurred.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsGetExportKey (
+  IN     VOID        *Tls,
+  IN     CONST VOID  *Label,
+  IN     CONST VOID  *Context,
+  IN     UINTN       ContextLen,
+  OUT    VOID        *KeyBuffer,
+  IN     UINTN       KeyBufferLen
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
author	Yi Li <yi1.li@intel.com>	2022-09-25 17:14:06 +0800
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>	2022-10-10 06:29:51 +0000
commit	bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0 (patch)
tree	a14ebf77f71553e21ec35634861f2956745fbea5 /CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
parent	cafc573ac0b89db1f02e17eae75842e63c4ef7d7 (diff)
download	edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.tar.gz edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.tar.bz2 edk2-bb78d969b703d0f2b6205d5e3ec3ec8989a2d6c0.zip