From: "yi1 li"
To: devel@edk2.groups.io
Cc: Yi Li, Jiewen Yao, Michael D Kinney, Liming Gao
Subject: [edk2-devel] [PATCH 1/5] MdePkg: Add Tls configuration related define
Date: Sun, 22 May 2022 09:54:15 +0800
Message-Id: <7664558e2ef56fc6c1d83a8869ac74a57eb24d46.1653183737.git.yi1.li@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.

Cc: Jiewen Yao
Cc: Michael D Kinney
Cc: Liming Gao
Signed-off-by: Yi Li
---
 MdePkg/Include/IndustryStandard/Tls1.h | 110 +++++++++++++++++--------
 1 file changed, 74 insertions(+), 36 deletions(-)
diff --git a/MdePkg/Include/IndustryStandard/Tls1.h b/MdePkg/Include/Indust= ryStandard/Tls1.h index cf67428b1129..5cf2860caff4 100644 --- a/MdePkg/Include/IndustryStandard/Tls1.h +++ b/MdePkg/Include/IndustryStandard/Tls1.h 
@@ -15,42 +15,46 @@ /// /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246. /// -#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} -#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} -#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} -#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} -#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} -#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} -#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} -#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} -#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} -#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 
0x6B} +#define TLS_RSA_WITH_NULL_MD5 {0x00, 0x01} +#define TLS_RSA_WITH_NULL_SHA {0x00, 0x02} +#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04} +#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05} +#define TLS_RSA_WITH_IDEA_CBC_SHA {0x00, 0x07} +#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09} +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x0A} +#define TLS_DH_DSS_WITH_DES_CBC_SHA {0x00, 0x0C} +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D} +#define TLS_DH_RSA_WITH_DES_CBC_SHA {0x00, 0x0F} +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10} +#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12} +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x13} +#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15} +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x16} +#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA {0x00, 0x30} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA {0x00, 0x31} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33} +#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA {0x00, 0x36} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA {0x00, 0x37} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38} +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39} +#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B} +#define TLS_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3C} +#define TLS_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x3D} +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E} +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F} +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x40} +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x67} +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68} +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69} +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x6A} +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x6B} +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 {0x00, 0x9F} +#define 
TLS_ECDHE_ECDSA_AES128_GCM_SHA256 {0xC0, 0x2B} +#define TLS_ECDHE_ECDSA_AES256_GCM_SHA384 {0xC0, 0x2C} +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 {0xC0, 0x30} =20 /// /// TLS Version, refers to A.1 of rfc-2246, rfc-4346 and rfc-5246. 
@@ -95,6 +99,40 @@ typedef struct { // #define TLS_CIPHERTEXT_RECORD_MAX_PAYLOAD_LENGTH 18432 =20 +/// +/// TLS Hash algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsHashAlgoNone =3D 0, + TlsHashAlgoMd5 =3D 1, + TlsHashAlgoSha1 =3D 2, + TlsHashAlgoSha224 =3D 3, + TlsHashAlgoSha256 =3D 4, + TlsHashAlgoSha384 =3D 5, + TlsHashAlgoSha512 =3D 6, +} TLS_HASH_ALGO; + +/// +/// TLS Signature algorithm, refers to section 7.4.1.4.1. of rfc-5246. +/// +typedef enum { + TlsSignatureAlgoAnonymous =3D 0, + TlsSignatureAlgoRsa =3D 1, + TlsSignatureAlgoDsa =3D 2, + TlsSignatureAlgoEcdsa =3D 3, +} TLS_SIGNATURE_ALGO; + +/// +/// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 of r= fc-8442 +/// +typedef enum { + TlsEcNamedCurveSecp256r1 =3D 23, + TlsEcNamedCurveSecp384r1 =3D 24, + TlsEcNamedCurveSecp521r1 =3D 25, + TlsEcNamedCurveX25519 =3D 29, + TlsEcNamedCurveX448 =3D 30, +} TLS_EC_NAMED_CURVE; + #pragma pack() =20 #endif --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
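Review bot: In the Tls1.h hunk at @@ -15,42 +15,46 @@, the two new ECDSA macros `TLS_ECDHE_ECDSA_AES128_GCM_SHA256` and `TLS_ECDHE_ECDSA_AES256_GCM_SHA384` drop the `_WITH_` that every other macro in this file and the IANA registry names carry (compare the sibling `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` added in the same hunk); rename them `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` and `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` so that a reader can find them by the IANA name. The hunk also rewrites all 36 existing `#define` lines for alignment (the diffstat shows 36 deletions against four real additions: 0x009F, 0xC02B, 0xC02C, 0xC030), which buries the functional change in whitespace churn; a separate formatting-only commit would keep it reviewable.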
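Review bot: In the Tls1.h hunk at @@ -95,6 +99,40 @@, the comment above `TLS_EC_NAMED_CURVE` cites "section 5.1.1 of rfc-8442", but RFC 8442 defines ECDHE_PSK AES-GCM/CCM cipher suites; the Supported Elliptic Curves extension that assigns these code points (23, 24, 25, 29, 30) is section 5.1.1 of RFC 8422, the successor of RFC 4492, which is the reference the `TlsSetEcCurve` doc comment in patch 2/5 uses, so the two references should be made to agree. A one-line note on `TLS_HASH_ALGO` and `TLS_SIGNATURE_ALGO` that the enumerator values are the RFC 5246 section 7.4.1.4.1 wire values (and therefore must not be renumbered or reordered) would also protect them from a later tidy-up, since the table lookups in patch 2/5 index by these values.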
View/Reply Online (#89925): https://edk2.groups.io/g/devel/message/89925

From: "yi1 li"
To: devel@edk2.groups.io
Cc: Yi Li, Michael D Kinney, Liming Gao, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
Subject: [edk2-devel] [PATCH 2/5] CryptoPkg: Add TlsSetConfiguration API
Date: Sun, 22 May 2022 09:54:16 +0800
Message-Id: <3d961655b3c010ddd0ca2ecbc6879eca21315d76.1653183737.git.yi1.li@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList: Configure the list of TLS signature algorithms that should be used as part of the TLS session establishment. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Management (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve: Configure the Elliptic Curve that should be used for TLS flows that use a cipher suite with EC, e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This is needed for some WLAN Supplicant connection establishment flows that allow only specific TLS signature algorithms to be used, e.g., Authenticate and Key Management (AKM) suites that are SUITE-B compliant.
Cc: Michael D Kinney Cc: Liming Gao Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Yi Li --- CryptoPkg/Driver/Crypto.c | 29 ++ CryptoPkg/Include/Library/TlsLib.h | 41 +++ .../Pcd/PcdCryptoServiceFamilyEnable.h | 1 + .../BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++ CryptoPkg/Library/TlsLib/InternalTlsLib.h | 5 + CryptoPkg/Library/TlsLib/TlsConfig.c | 295 ++++++++++++++++-- CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 30 ++ CryptoPkg/Private/Protocol/Crypto.h | 28 ++ 8 files changed, 438 insertions(+), 23 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 76cb9f4da0a4..6c05c1a69447 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4155,6 +4155,34 @@ CryptoServiceTlsSetCertRevocationList ( return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCert= RevocationList, (Data, DataSize), EFI_UNSUPPORTED); } =20 +/** + Configure the TLS object. + + This function allows to configure the TLS object + + @param[in] Tls Pointer to a TLS object. + @param[in] Type The type of the configuration. + @param[in] Data The data associated with the configuratio= n type. + @param[in] DataSize The size of Data. + + @retval EFI_SUCCESS The configuration was successful. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The configuration or configuration type a= re not supported + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetConfiguration ( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.Configuration, TlsSetConfigura= tion, (Tls, Type, Data, DataSize), EFI_UNSUPPORTED); +} + /** Gets the protocol version used by the specified TLS connection. =20 
@@ -4769,6 +4797,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServiceTlsSetHostPublicCert, CryptoServiceTlsSetHostPrivateKey, CryptoServiceTlsSetCertRevocationList, + CryptoServiceTlsSetConfiguration, /// TLS Get CryptoServiceTlsGetVersion, CryptoServiceTlsGetConnectionEnd, diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index 3b75fde0aaba..24c1c1ed6477 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -9,6 +9,22 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #ifndef __TLS_LIB_H__ #define __TLS_LIB_H__ =20 +/// +/// EFI_TLS_CONFIG_TYPE +/// +typedef enum { + /// + /// Configure the allowed signature algorithms for the TLS context + /// + EfiTlsConfigSignatureAlgo, + /// + /// Configure the allowed elliptic curve for the TLS context + /// + EfiTlsConfigEcCurve, + + EfiTlsConfigMaximum +} EFI_TLS_CONFIG_TYPE; + /** Initializes the OpenSSL library. =20 @@ -534,6 +550,31 @@ TlsSetCertRevocationList ( IN UINTN DataSize ); =20 +/** + Configure the TLS object. + + This function allows to configure the TLS object + + @param[in] Tls Pointer to a TLS object. + @param[in] Type The type of the configuration. + @param[in] Data The data associated with the configuratio= n type. + @param[in] DataSize The size of Data. + + @retval EFI_SUCCESS The configuration was successful. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The configuration or configuration type a= re not supported + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetConfiguration ( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ); + /** Gets the protocol version used by the specified TLS connection. =20 diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoP= kg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 3d53c2f105e1..6f5cde161006 100644 
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h @@ -267,6 +267,7 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 Configuration : 1; } Services; UINT32 Family; } TlsSet; diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 8ee1b53cf957..757b8e40e442 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3298,6 +3298,38 @@ TlsSetCertRevocationList ( CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNS= UPPORTED); } =20 +/** + Configure the TLS object. + + This function allows to configure the TLS object + + @param[in] Tls Pointer to a TLS object. + @param[in] Type The type of the configuration. + @param[in] Data The data associated with the configuratio= n type. + @param[in] DataSize The size of Data. + + @retval EFI_SUCCESS The configuration was successful. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The configuration or configuration type a= re not supported + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetConfiguration ( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE ( + TlsSetConfiguration, + (Tls, Type, Data, DataSize), + EFI_UNSUPPORTED + ); +} + /** Gets the protocol version used by the specified TLS connection. =20 diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/= TlsLib/InternalTlsLib.h index cf5ffe1b7343..32878484d06c 100644 --- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h +++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h 
@@ -17,6 +17,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include +#include +#include +#include +#include #include #include #include diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index 0673c9d5322e..5c32f1c3329f 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -39,29 +39,61 @@ typedef struct { // Keep the table uniquely sorted by the IanaCipher field, in increasing o= rder. // STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] =3D { - MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_= MD5 - MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_= SHA - MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_1= 28_MD5 - MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_1= 28_SHA - MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_= EDE_CBC_SHA, mandatory TLS 1.1 - MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3= DES_EDE_CBC_SHA - MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA, mandatory TLS 1.2 - MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA - MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA - MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA - MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA - MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA - MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA - MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA - MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_= SHA256 - MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_1= 28_CBC_SHA256 - MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_2= 56_CBC_SHA256 - MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AE= S_128_CBC_SHA256 - MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AE= S_128_CBC_SHA256 - MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_A= ES_128_CBC_SHA256 - MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AE= S_256_CBC_SHA256 - MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AE= S_256_CBC_SHA256 - MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_A= ES_256_CBC_SHA256 + MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WIT= H_NULL_MD5 + MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WIT= H_NULL_SHA + MAP 
(0x0004, "RC4-MD5"), /// TLS_RSA_WIT= H_RC4_128_MD5 + MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WIT= H_RC4_128_SHA + MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WIT= H_3DES_EDE_CBC_SHA, mandatory TLS 1.1 + MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA= _WITH_3DES_EDE_CBC_SHA + MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WIT= H_AES_128_CBC_SHA, mandatory TLS 1.2 + MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_= WITH_AES_128_CBC_SHA + MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_= WITH_AES_128_CBC_SHA + MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA= _WITH_AES_128_CBC_SHA + MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WIT= H_AES_256_CBC_SHA + MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_= WITH_AES_256_CBC_SHA + MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_= WITH_AES_256_CBC_SHA + MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA= _WITH_AES_256_CBC_SHA + MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WIT= H_NULL_SHA256 + MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WIT= H_AES_128_CBC_SHA256 + MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WIT= H_AES_256_CBC_SHA256 + MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_= WITH_AES_128_CBC_SHA256 + MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_= WITH_AES_128_CBC_SHA256 + MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA= _WITH_AES_128_CBC_SHA256 + MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_= WITH_AES_256_CBC_SHA256 + MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_= WITH_AES_256_CBC_SHA256 + MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA= _WITH_AES_256_CBC_SHA256 + MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"), /// TLS_DHE_RSA= _WITH_AES_256_GCM_SHA384 + MAP (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), /// TLS_ECDHE_E= CDSA_AES128_GCM_SHA256 + MAP (0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"), /// TLS_ECDHE_E= CDSA_AES256_GCM_SHA384 + MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"), /// TLS_ECDHE_R= SA_WITH_AES_256_GCM_SHA384 +}; + +typedef struct { + // + // TLS Algorithm + 
// + UINT8 Algo; + // + // TLS Algorithm name + // + CONST CHAR8 *Name; +} TLS_ALGO_TO_NAME; + +STATIC CONST TLS_ALGO_TO_NAME TlsHashAlgoToName[] =3D { + { TlsHashAlgoNone, NULL }, + { TlsHashAlgoMd5, "MD5" }, + { TlsHashAlgoSha1, "SHA1" }, + { TlsHashAlgoSha224, "SHA224" }, + { TlsHashAlgoSha256, "SHA256" }, + { TlsHashAlgoSha384, "SHA384" }, + { TlsHashAlgoSha512, "SHA512" }, +}; + +STATIC CONST TLS_ALGO_TO_NAME TlsSignatureAlgoToName[] =3D { + { TlsSignatureAlgoAnonymous, NULL }, + { TlsSignatureAlgoRsa, "RSA" }, + { TlsSignatureAlgoDsa, "DSA" }, + { TlsSignatureAlgoEcdsa, "ECDSA" }, }; =20 /** 
@@ -879,6 +911,223 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } =20 +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS o= bject. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data Array of UINT8 of signature algorithms. T= he array consists of + pairs of the hash algorithm and the signa= ture algorithm as defined + in RFC 5246 + @param[in] DataSize The length the SignatureAlgoList. Must be= divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set succ= essfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was = found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +STATIC +EFI_STATUS +EFIAPI +TlsSetSignatureAlgoList ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN Index; + UINTN SignAlgoStrSize; + CHAR8 *SignAlgoStr; + CHAR8 *Pos; + UINT8 *SignatureAlgoList; + EFI_STATUS Status; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL) || (Data =3D=3D = NULL) || (DataSize < 3) || + ((DataSize % 2) =3D=3D 0) || (Data[0] !=3D DataSize - 1)) + { + return EFI_INVALID_PARAMETER; + } + + SignatureAlgoList =3D Data + 1; + SignAlgoStrSize =3D 0; + for (Index =3D 0; Index < Data[0]; Index +=3D 2) { + CONST CHAR8 *Tmp; + + if (SignatureAlgoList[Index] >=3D ARRAY_SIZE (TlsHashAlgoToName)) { + return EFI_INVALID_PARAMETER; + } + + Tmp =3D TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + + // Add 1 for the '+' + SignAlgoStrSize +=3D AsciiStrLen (Tmp) + 1; + + if (SignatureAlgoList[Index + 1] >=3D ARRAY_SIZE (TlsSignatureAlgoToNa= me)) { + return EFI_INVALID_PARAMETER; + } + + Tmp =3D TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + if (!Tmp) { + return EFI_INVALID_PARAMETER; + } + 
+ // Add 1 for the ':' or for the NULL terminator + SignAlgoStrSize +=3D AsciiStrLen (Tmp) + 1; + } + + if (!SignAlgoStrSize) { + return EFI_UNSUPPORTED; + } + + SignAlgoStr =3D AllocatePool (SignAlgoStrSize); + if (SignAlgoStr =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Pos =3D SignAlgoStr; + for (Index =3D 0; Index < Data[0]; Index +=3D 2) { + CONST CHAR8 *Tmp; + + Tmp =3D TlsHashAlgoToName[SignatureAlgoList[Index]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos +=3D AsciiStrLen (Tmp); + *Pos++ =3D '+'; + + Tmp =3D TlsSignatureAlgoToName[SignatureAlgoList[Index + 1]].Name; + CopyMem (Pos, Tmp, AsciiStrLen (Tmp)); + Pos +=3D AsciiStrLen (Tmp); + *Pos++ =3D ':'; + } + + *(Pos - 1) =3D '\0'; + + if (SSL_set1_sigalgs_list (TlsConn->Ssl, SignAlgoStr) < 1) { + Status =3D EFI_INVALID_PARAMETER; + } else { + Status =3D EFI_SUCCESS; + } + + FreePool (SignAlgoStr); + return Status; +} + +/** + Set the EC curve to be used for TLS flows + + This function sets the EC curve to be used for TLS flows. + + @param[in] Tls Pointer to a TLS object. + @param[in] Data An EC named curve as defined in section 5= .1.1 of RFC 4492. + @param[in] DataSize Size of Data, it should be sizeof (UINT32) + + @retval EFI_SUCCESS The EC curve was set successfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. 
+ @retval EFI_UNSUPPORTED The requested TLS EC curve is not support= ed + +**/ +EFI_STATUS +EFIAPI +TlsSetEcCurve ( + IN VOID *Tls, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + #if !FixedPcdGetBool (PcdOpensslEcEnabled) + return EFI_UNSUPPORTED; + #else + TLS_CONNECTION *TlsConn; + EC_KEY *Ecdh; + INT32 Nid, Ret; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL) || (Data =3D=3D = NULL) || (DataSize !=3D sizeof (UINT32))) { + return EFI_INVALID_PARAMETER; + } + + switch (*((UINT32 *)Data)) { + case TlsEcNamedCurveSecp256r1: + return EFI_UNSUPPORTED; + case TlsEcNamedCurveSecp384r1: + Nid =3D NID_secp384r1; + break; + case TlsEcNamedCurveSecp521r1: + Nid =3D NID_secp521r1; + break; + case TlsEcNamedCurveX25519: + Nid =3D NID_X25519; + break; + case TlsEcNamedCurveX448: + Nid =3D NID_X448; + break; + default: + return EFI_UNSUPPORTED; + } + + if (SSL_set1_curves (TlsConn->Ssl, &Nid, 1) !=3D 1) { + return EFI_INVALID_PARAMETER; + } + + Ecdh =3D EC_KEY_new_by_curve_name (Nid); + if (!Ecdh) { + return EFI_INVALID_PARAMETER; + } + + Ret =3D SSL_set_tmp_ecdh (TlsConn->Ssl, Ecdh); + EC_KEY_free (Ecdh); + + if (Ret !=3D 1) { + return EFI_INVALID_PARAMETER; + } + + return EFI_SUCCESS; + #endif +} + +/** + Configure the TLS object. + + This function allows to configure the TLS object + + @param[in] Tls Pointer to a TLS object. + @param[in] Type The type of the configuration. + @param[in] Data The data associated with the configuratio= n type. + @param[in] DataSize The size of Data. + + @retval EFI_SUCCESS The configuration was successful. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The configuration or configuration type a= re not supported + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. 
+ +**/ +EFI_STATUS +EFIAPI +TlsSetConfiguration ( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + switch (Type) { + case EfiTlsConfigSignatureAlgo: + return TlsSetSignatureAlgoList (Tls, Data, DataSize); + case EfiTlsConfigEcCurve: + return TlsSetEcCurve (Tls, Data, DataSize); + default: + return EFI_UNSUPPORTED; + } +} + /** Gets the protocol version used by the specified TLS connection. =20 diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Libra= ry/TlsLibNull/TlsConfigNull.c index 03726fd7264c..22d258c7f18f 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "InternalTlsLib.h" +#include =20 /** Set a new TLS/SSL method for a particular TLS object. @@ -292,6 +293,35 @@ TlsSetCertRevocationList ( return EFI_UNSUPPORTED; } =20 +/** + Configure the TLS object. + + This function allows to configure the TLS object + + @param[in] Tls Pointer to a TLS object. + @param[in] Type The type of the configuration. + @param[in] Data The data associated with the configuratio= n type. + @param[in] DataSize The size of Data. + + @retval EFI_SUCCESS The configuration was successful. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED The configuration or configuration type a= re not supported + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetConfiguration ( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + /** Gets the protocol version used by the specified TLS connection. =20 diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index c417568e9600..8de05a99bdcc 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h 
@@ -13,6 +13,7 @@ #include #include #include +#include =20 /// /// The version of the EDK II Crypto Protocol. @@ -3361,6 +3362,32 @@ EFI_STATUS IN OUT UINTN *DataSize ); =20 +/** + Set the signature algorithm list to used by the TLS object. + + This function sets the signature algorithms for use by a specified TLS o= bject. + + @param[in] Tls Pointer to a TLS object. + @param[in] SignatureAlgoList Array of UINT8 of signature algorithms. T= he array consists of + pairs of the hash algorithm and the signa= ture algorithm as defined + in RFC 5246 + @param[in] SignatureAlgoNum The length the SignatureAlgoList. Must be= divisible by 2. + + @retval EFI_SUCCESS The signature algorithm list was set succ= essfully. + @retval EFI_INVALID_PARAMETER The parameters are invalid. + @retval EFI_UNSUPPORTED No supported TLS signature algorithm was = found in SignatureAlgoList + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SET_CONFIGURATION)( + IN VOID *Tls, + IN EFI_TLS_CONFIG_TYPE Type, + IN UINT8 *Data, + IN UINTN DataSize + ); + /** Gets the CA-supplied certificate revocation list data set in the specifi= ed TLS object. 
@@ -3656,6 +3683,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_TLS_SET_HOST_PUBLIC_CERT TlsSetHostPublicCert; EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY TlsSetHostPrivateKey; EDKII_CRYPTO_TLS_SET_CERT_REVOCATION_LIST TlsSetCertRevocationL= ist; + EDKII_CRYPTO_TLS_SET_CONFIGURATION TlsSetConfiguration; /// TLS Get EDKII_CRYPTO_TLS_GET_VERSION TlsGetVersion; EDKII_CRYPTO_TLS_GET_CONNECTION_END TlsGetConnectionEnd; --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89926): https://edk2.groups.io/g/devel/message/89926 Mute This Topic: https://groups.io/mt/91262939/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 03:34:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+89927+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89927+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1653184489; cv=none; d=zohomail.com; s=zohoarc; b=O+yyPW5WMhjnutrv5QGRFUtpHEKntnEdWwez+kB/Q8qlTnQsFQ4XhbhiQsdJZ/RwN58U3QW8fkxOh5U9wyJLTU/LcY7cpfEtzSwQJtnBQ806Z/14FEEbvvipDoRhxPuB2n0oaSW6YIupFsW5EvLTbbGdKZ3m5uw6FmG9fmoFlM0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1653184489; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Or25QEwcyrExSYGuqFhZanu69LsZUTyjEThCvHZJjeo=; 
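Review bot: in TlsSetEcCurve (TlsConfig.c hunk) the X25519 and X448 cases can never succeed: after SSL_set1_curves accepts the NID, EC_KEY_new_by_curve_name (NID_X25519) returns NULL because X25519 and X448 are not EC_GROUP curves in OpenSSL, so the function falls through to `return EFI_INVALID_PARAMETER;`. SSL_set1_curves already restricts the groups offered on this connection, so the EC_KEY_new_by_curve_name / SSL_set_tmp_ecdh block is redundant (and SSL_set_tmp_ecdh is deprecated in OpenSSL 3.0); drop it and return EFI_SUCCESS once SSL_set1_curves returns 1. Consider ReadUnaligned32 (Data) instead of `*((UINT32 *)Data)`, since Data is a UINT8 * with no alignment guarantee.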
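Review bot: `case TlsEcNamedCurveSecp256r1: return EFI_UNSUPPORTED;` rejects the most widely deployed TLS group while the doc comment presents the function as generic curve selection; either map it to NID_X9_62_prime256v1 or add a comment in the switch stating why P-256 is excluded, so a caller that gets EFI_UNSUPPORTED for it knows the rejection is intentional.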
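Review bot: the doc comment above the new EDKII_CRYPTO_TLS_SET_CONFIGURATION typedef in Crypto.h was copied from TlsSetSignatureAlgoList: it documents SignatureAlgoList and SignatureAlgoNum, but the typedef takes Tls, Type, Data and DataSize. Replace it with the "Configure the TLS object" block used for TlsSetConfiguration in TlsConfig.c, and in both copies change "This function allows to configure the TLS object" to "This function configures the TLS object".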
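Review bot: the new TlsSetConfiguration member is inserted into EDKII_CRYPTO_PROTOCOL ahead of the `/// TLS Get` section rather than appended, and the diff does not bump the protocol version define (the Crypto.h context shows "The version of the EDK II Crypto Protocol" right after the new include). Every function pointer after the insertion point shifts, so a BaseCryptLibOnProtocolPpi consumer built against the old header would call the wrong service through a driver built with the new one; append the member at the end of the structure and increase EDKII_CRYPTO_VERSION.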
From: "yi1 li"
To: devel@edk2.groups.io
Cc: yi1 li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
Subject: [edk2-devel] [PATCH 3/5] CryptoPkg: Add APIs TlsShutdown and TlsExportKey to TlsLib
Date: Sun, 22 May 2022 09:54:17 +0800
Message-Id: <2586704e02647e6f1d1d5e805eb0f267ad6d73ad.1653183737.git.yi1.li@intel.com>

From: yi1 li

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Add the following API and implementation to the TLS library:

1. TlsShutdown: Shutdown the TLS connection without releasing the resources, meaning a new connection can be started without calling TlsNew() and without setting certificates etc.

2. TlsExportKey: Derive keying material from a TLS connection using the mechanism described in RFC 5705 and export the key material (needed by EAP methods such as EAP-TTLS and EAP-PEAP).

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Signed-off-by: Yi Li --- CryptoPkg/Driver/Crypto.c | 62 +++++++++++++++++++ CryptoPkg/Include/Library/TlsLib.h | 48 ++++++++++++++ .../Pcd/PcdCryptoServiceFamilyEnable.h | 2 + .../BaseCryptLibOnProtocolPpi/CryptLib.c | 59 ++++++++++++++++++ CryptoPkg/Library/TlsLib/TlsConfig.c | 50 +++++++++++++++ CryptoPkg/Library/TlsLib/TlsProcess.c | 32 ++++++++++ CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 33 ++++++++++ CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 23 +++++++ CryptoPkg/Private/Protocol/Crypto.h | 50 +++++++++++++++ 9 files changed, 359 insertions(+) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 6c05c1a69447..6a86c4dba6a2 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -3882,6 +3882,28 @@ CryptoServiceTlsWrite ( return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, Bu= fferSize), 0); } =20 +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsShutdown ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), EFI= _UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. =20 
@@ -4498,6 +4520,44 @@ CryptoServiceTlsGetCertRevocationList ( return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCert= RevocationList, (Data, DataSize), EFI_UNSUPPORTED); } =20 +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + return CALL_BASECRYPTLIB ( + TlsGet.Services.ExportKey, + TlsExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} + /** Carries out the RSA-SSA signature generation with EMSA-PSS encoding sche= me. =20 @@ -4785,6 +4845,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServiceTlsCtrlTrafficIn, CryptoServiceTlsRead, CryptoServiceTlsWrite, + CryptoServiceTlsShutdown, /// TLS Set CryptoServiceTlsSetVersion, CryptoServiceTlsSetConnectionEnd, @@ -4812,6 +4873,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServiceTlsGetHostPublicCert, CryptoServiceTlsGetHostPrivateKey, CryptoServiceTlsGetCertRevocationList, + CryptoServiceTlsExportKey, /// RSA PSS CryptoServiceRsaPssSign, CryptoServiceRsaPssVerify, diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index 24c1c1ed6477..8a109ec89d3d 100644 --- a/CryptoPkg/Include/Library/TlsLib.h 
+++ b/CryptoPkg/Include/Library/TlsLib.h @@ -310,6 +310,25 @@ TlsWrite ( IN UINTN BufferSize ); =20 +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. =20 @@ -851,4 +870,33 @@ TlsGetCertRevocationList ( IN OUT UINTN *DataSize ); =20 +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + #endif // __TLS_LIB_H__ diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoP= kg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 6f5cde161006..589794776808 100644 --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h 
@@ -251,6 +251,7 @@ typedef struct { UINT8 CtrlTrafficIn : 1; UINT8 Read : 1; UINT8 Write : 1; + UINT8 Shutdown : 1; } Services; UINT32 Family; } Tls; @@ -286,6 +287,7 @@ typedef struct { UINT8 HostPublicCert : 1; UINT8 HostPrivateKey : 1; UINT8 CertRevocationList : 1; + UINT8 ExportKey : 1; } Services; UINT32 Family; } TlsGet; diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 757b8e40e442..1c7c90e432de 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3025,6 +3025,28 @@ TlsWrite ( CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0); } =20 +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsShutdown, (Tls), EFI_UNSUPPORTED); +} + /** Set a new TLS/SSL method for a particular TLS object. =20 
@@ -3644,3 +3666,40 @@ TlsGetCertRevocationList ( { CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNS= UPPORTED); } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + CALL_CRYPTO_SERVICE ( + TlsExportKey, + (Tls, Label, Context, ContextLen, + KeyBuffer, KeyBufferLen), + EFI_UNSUPPORTED + ); +} diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index 5c32f1c3329f..b45050c18770 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -1555,3 +1555,53 @@ TlsGetCertRevocationList ( { return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + return SSL_export_keying_material ( + TlsConn->Ssl, + KeyBuffer, + KeyBufferLen, + Label, + AsciiStrLen (Label), + Context, + ContextLen, + Context !=3D NULL + ) =3D=3D 1 ? + EFI_SUCCESS : EFI_PROTOCOL_ERROR; +} diff --git a/CryptoPkg/Library/TlsLib/TlsProcess.c b/CryptoPkg/Library/TlsL= ib/TlsProcess.c index 0f2ad7a9fbc0..a803d86c4f4e 100644 --- a/CryptoPkg/Library/TlsLib/TlsProcess.c +++ b/CryptoPkg/Library/TlsLib/TlsProcess.c 
@@ -461,3 +461,35 @@ TlsWrite ( // return SSL_write (TlsConn->Ssl, Buffer, (UINT32)BufferSize); } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || ((TlsConn->Ssl) =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + SSL_set_quiet_shutdown (TlsConn->Ssl, 1); + SSL_shutdown (TlsConn->Ssl); + return SSL_clear (TlsConn->Ssl) =3D=3D 1 ? EFI_SUCCESS : EFI_PROTOCOL_ER= ROR; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Libra= ry/TlsLibNull/TlsConfigNull.c index 22d258c7f18f..b2c7e6869f53 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c 
@@ -647,3 +647,36 @@ TlsGetCertRevocationList ( ASSERT (FALSE); return EFI_UNSUPPORTED; } + +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +EFI_STATUS +EFIAPI +TlsExportKey ( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} diff --git a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/CryptoPkg/Libr= ary/TlsLibNull/TlsProcessNull.c index 0958ddd8d608..395dac548d22 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c @@ -245,3 +245,26 @@ TlsWrite ( ASSERT (FALSE); return 0; } + +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +EFI_STATUS +EFIAPI +TlsShutdown ( + IN VOID *Tls + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index 8de05a99bdcc..bc94cbb66311 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h 
+++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -2868,6 +2868,25 @@ INTN IN UINTN BufferSize ); =20 +/** + Shutdown a TLS connection. + + Shutdown the TLS connection without releasing the resources, meaning a n= ew + connection can be started without calling TlsNew() and without setting + certificates etc. + + @param[in] Tls Pointer to the TLS object to shutdown. + + @retval EFI_SUCCESS The TLS is shutdown successfully. + @retval EFI_INVALID_PARAMETER Tls is NULL. + @retval EFI_PROTOCOL_ERROR Some other error occurred. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_SHUTDOWN)( + IN VOID *Tls + ); + /** Set a new TLS/SSL method for a particular TLS object. =20 @@ -3388,6 +3407,35 @@ EFI_STATUS IN UINTN DataSize ); =20 +/** + Derive keying material from a TLS connection. + + This function exports keying material using the mechanism described in R= FC + 5705. + + @param[in] Tls Pointer to the TLS object + @param[in] Label Description of the key for the PRF function + @param[in] Context, Optional context + @param[in] ContextLen The length of the context value in bytes + @param[out] KeyBuffer Buffer to hold the output of the TLS-PRF + @param[in] KeyBufferLen The length of the KeyBuffer + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The TLS object is invalid. + @retval EFI_PROTOCOL_ERROR Some other error occurred. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_TLS_EXPORT_KEY)( + IN VOID *Tls, + IN CONST VOID *Label, + IN CONST VOID *Context, + IN UINTN ContextLen, + OUT VOID *KeyBuffer, + IN UINTN KeyBufferLen + ); + /** Gets the CA-supplied certificate revocation list data set in the specifi= ed TLS object. @@ -3671,6 +3719,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_TLS_CTRL_TRAFFIC_IN TlsCtrlTrafficIn; EDKII_CRYPTO_TLS_READ TlsRead; EDKII_CRYPTO_TLS_WRITE TlsWrite; + EDKII_CRYPTO_TLS_SHUTDOWN TlsShutdown; /// TLS Set EDKII_CRYPTO_TLS_SET_VERSION TlsSetVersion; EDKII_CRYPTO_TLS_SET_CONNECTION_END TlsSetConnectionEnd; 
@@ -3698,6 +3747,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_TLS_GET_HOST_PUBLIC_CERT TlsGetHostPublicCert; EDKII_CRYPTO_TLS_GET_HOST_PRIVATE_KEY TlsGetHostPrivateKey; EDKII_CRYPTO_TLS_GET_CERT_REVOCATION_LIST TlsGetCertRevocationL= ist; + EDKII_CRYPTO_TLS_EXPORT_KEY TlsExportKey; /// RSA PSS EDKII_CRYPTO_RSA_PSS_SIGN RsaPssSign; EDKII_CRYPTO_RSA_PSS_VERIFY RsaPssVerify; --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89927): https://edk2.groups.io/g/devel/message/89927 Mute This Topic: https://groups.io/mt/91262940/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 03:34:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+89928+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89928+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1653184493; cv=none; d=zohomail.com; s=zohoarc; b=nzCgXW4m+N0NEuwf/PaVdrVn6FaepAyYvb3Gxht0Ao101t/FweryGB3lTdSJzl2j3Br9foCvOZyH8/js1iUzx0N8wc2HMUIk7oZLJon2cUb8ikhOoSCQs7GeZUiCbKZl+kKLd3Ebv0Deq/KuU0pAi5wkxok0ohnRgJLMy5+oSBs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1653184493; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=16S5R/UOSg97C6uwDldYMtJe8gKm/Ipy7ZRZHAR21TQ=; 
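Review bot: TlsExportKey (TlsConfig.c hunk) validates only TlsConn and TlsConn->Ssl, then calls `AsciiStrLen (Label)` and passes KeyBuffer straight to SSL_export_keying_material; a NULL Label trips the ASSERT in AsciiStrLen on DEBUG builds and dereferences NULL on RELEASE, and a NULL KeyBuffer or zero KeyBufferLen is not rejected. Add `(Label == NULL) || (KeyBuffer == NULL) || (KeyBufferLen == 0)` to the EFI_INVALID_PARAMETER check, and state in the @param block that Label is a NUL-terminated ASCII string (the prototype types it as CONST VOID *). The @param line `Context, Optional context` carries a stray comma in all six copies, and the @retval text should say EFI_PROTOCOL_ERROR is also returned when the handshake has not completed, since SSL_export_keying_material fails before the master secret exists.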
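Review bot: TlsShutdown (TlsProcess.c hunk) calls SSL_set_quiet_shutdown (TlsConn->Ssl, 1) before SSL_shutdown, so no close_notify alert is sent or awaited: the peer cannot distinguish this close from a connection truncated by an attacker, and the doc comment ("Shutdown the TLS connection without releasing the resources") does not mention it. Either drop the quiet flag and do a normal SSL_shutdown, letting the caller flush the close_notify through the existing control-traffic functions, or document that this is an abortive close that skips close_notify so EAP callers know what they get. The SSL_shutdown return value is also ignored.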
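Review bot: TlsShutdown and TlsExportKey are inserted into EDKII_CRYPTO_PROTOCOL ahead of the `/// TLS Set` and `/// RSA PSS` sections respectively, and the protocol version define is not bumped anywhere in this diff. The shifted function pointers break compatibility between a Crypto driver and a BaseCryptLibOnProtocolPpi consumer built at different versions; append the new members at the end of the structure and increase EDKII_CRYPTO_VERSION.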
From: "yi1 li" To: devel@edk2.groups.io Cc: yi1 li , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang , Maciej Rabeda , Jiaxin Wu , Siyuan Fu Subject: [edk2-devel] [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey() Date: Sun, 22 May 2022 09:54:18 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,yi1.li@intel.com X-Gm-Message-State: NO7S6sjv511U3jqBh8Hq1Xcwx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1653184493; bh=wK7XAz/dgZF9u5JRt6UzMiXso7jZAVTM1PFIdPVGSrk=; h=Cc:Date:From:Reply-To:Subject:To; b=W0NhgD/ZNqY4W6DJOcco7kVWjJTI+bbdDmKefaahns9vp7Ay7N77NXStG2wL0x1C7Lg iGTp5bSXPrQIxdZ5aleovDE3S2R3C+Gvxtlj35tvL+lpNMv3IbCGXm16s4kn/rmJ9moSy 3c1E5PMdfSdpkqh/dikov8HUBnIWQIwghdg= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1653184494929100001 Content-Type: text/plain; charset="utf-8" From: yi1 li Add Password to TlsSetHostPrivateKey() param list, Set Password to NULL when useless. This function adds the local private key (PEM-encoded RSA or PKCS#8 private key) into the specified TLS object for TLS negotiation. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Maciej Rabeda Cc: Jiaxin Wu Cc: Siyuan Fu Signed-off-by: Yi Li --- CryptoPkg/Driver/Crypto.c | 6 +- CryptoPkg/Include/Library/TlsLib.h | 4 +- .../BaseCryptLibOnProtocolPpi/CryptLib.c | 6 +- CryptoPkg/Library/TlsLib/TlsConfig.c | 81 ++++++++++++++++++- CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 4 +- CryptoPkg/Private/Protocol/Crypto.h | 4 +- 6 files changed, 96 insertions(+), 9 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 6a86c4dba6a2..b2e3cbde5bd3 100644 --- a/CryptoPkg/Driver/Crypto.c 
+++ b/CryptoPkg/Driver/Crypto.c @@ -4136,6 +4136,7 @@ CryptoServiceTlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -4147,10 +4148,11 @@ EFIAPI CryptoServiceTlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPriv= ateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPriv= ateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); } =20 /** diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index 8a109ec89d3d..01b1087e3d2e 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h @@ -534,6 +534,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -545,7 +546,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); =20 /** diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 1c7c90e432de..d1405e26f9fc 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c 
@@ -3279,6 +3279,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -3290,10 +3291,11 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UN= SUPPORTED); + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize, Passwor= d), EFI_UNSUPPORTED); } =20 /** diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index b45050c18770..e7d4474dff8d 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -870,6 +870,7 @@ ON_EXIT: @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. 
@@ -881,10 +882,86 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return EFI_UNSUPPORTED; + TLS_CONNECTION *TlsConn; + BIO *Bio; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL) || (Data =3D=3D = NULL) || (DataSize =3D=3D 0)) { + return EFI_INVALID_PARAMETER; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_RSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_DSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_EC, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_RSAPrivateKey_ASN1 ( + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + // Try to parse the private key in PEM format encoded PKC#8 + Bio =3D BIO_new_mem_buf (Data, (long)DataSize); + if (Bio !=3D NULL) { + EVP_PKEY *Pkey; + BOOLEAN Verify; + + Verify =3D FALSE; + Pkey =3D PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password); + if ((Pkey !=3D NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) =3D= =3D 1)) { + Verify =3D TRUE; + } + + EVP_PKEY_free (Pkey); + BIO_free (Bio); + + if (Verify) { + goto verify; + } + } + + return EFI_ABORTED; + +verify: + if (SSL_check_private_key (TlsConn->Ssl) =3D=3D 1) { + return EFI_SUCCESS; + } + + return EFI_ABORTED; } =20 /** diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Libra= ry/TlsLibNull/TlsConfigNull.c index b2c7e6869f53..9ab95f7269ee 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c 
@@ -250,6 +250,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -261,7 +262,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { ASSERT (FALSE); diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index bc94cbb66311..ab01ff985da7 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -3092,6 +3092,7 @@ EFI_STATUS @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. 
@@ -3103,7 +3104,8 @@ EFI_STATUS (EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); =20 /** --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89928): https://edk2.groups.io/g/devel/message/89928 Mute This Topic: https://groups.io/mt/91262941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 03:34:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+89929+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89929+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1653184497; cv=none; d=zohomail.com; s=zohoarc; b=WHfy6w9ekj32nr9DcGIU3GDXLVdbYk9GBwLdWKOd2FeIghWZhSkOmRyQYRgNdBDx96hQr/v6jC6gyPkTBsnPIxAJd3PKHUXB65vNf8ShB6Il6g4WcpQXm1LEOqi4+MNpO1GrghnePhdV67v6kphlHC8P5I2RsLmptIjDZE/DYI8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1653184497; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=cLSSiNJMCUu/Ge+eIxAUJ3aZyUBx0s7NjmHTakq2DP0=; b=RL1wRhC4KL8X6FEM+gS60BSGXupgACevF9sQB9Vo+1p/MXWOcNblozIRMWI4/s9pQ1uFScJv6mXH3bYAPEtiE+CLbJtIuBe+1h9MdEcOALMAVzjvPuQ3XGdgghuy6JbUmtIJF1EzJAhj+/3TKt1AktyXxXEVPVWbcyVk2K9p2og= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io 
From: "yi1 li"
To: devel@edk2.groups.io
Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Subject: [edk2-devel] [PATCH 5/5] NetworkPkg/TlsDxe: Sync to new TlsSetHostPrivateKey() API
Date: Sun, 22 May 2022 09:54:19 +0800

Add NULL to param list to sync with new TlsSetHostPrivateKey() in TlsLib.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Cc: Maciej Rabeda
Cc: Jiaxin Wu
Cc: Siyuan Fu
Signed-off-by: Yi Li
---
 NetworkPkg/TlsDxe/TlsConfigProtocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/TlsDxe/TlsConfigProtocol.c b/NetworkPkg/TlsDxe/TlsConfigProtocol.c
index 33729fdf6c31..13532bb66c8a 100644
--- a/NetworkPkg/TlsDxe/TlsConfigProtocol.c
+++ b/NetworkPkg/TlsDxe/TlsConfigProtocol.c
@@ -65,7 +65,7 @@ TlsConfigurationSetData ( Status =3D TlsSetHostPublicCert (Instance->TlsConn, Data, DataSize); break; case EfiTlsConfigDataTypeHostPrivateKey: - Status =3D TlsSetHostPrivateKey (Instance->TlsConn, Data, DataSize); + Status =3D TlsSetHostPrivateKey (Instance->TlsConn, Data, DataSize, = NULL); break; case EfiTlsConfigDataTypeCertRevocationList: Status =3D TlsSetCertRevocationList (Data, DataSize); --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89929): https://edk2.groups.io/g/devel/message/89929 Mute This Topic: https://groups.io/mt/91262943/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
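Review bot: passing `NULL` as the new `Password` argument is the only option at this call site, because the EfiTlsConfigDataTypeHostPrivateKey data of EFI_TLS_CONFIGURATION_PROTOCOL carries no passphrase, but it means an encrypted PEM key supplied through TlsConfigurationSetData reaches OpenSSL's default passphrase callback inside TlsSetHostPrivateKey instead of failing cleanly; a one-line comment here (and a note in the TlsDxe documentation) that only unencrypted private keys are supported via this protocol would save the next reader a trip into TlsLib, and if TlsSetHostPrivateKey gains an explicit "encrypted key but no password" error, this case should surface it unchanged.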