MdePkg[all]  1.08
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
Data Structures | Macros | Typedefs | Enumerations | Functions | Variables
Tls.h File Reference

Data Structures

struct  EFI_TLS_VERSION
 
struct  EFI_TLS_CIPHER
 
struct  EFI_TLS_EXTENSION
 
struct  EFI_TLS_VERIFY_HOST
 
struct  EFI_TLS_RANDOM
 
struct  EFI_TLS_MASTER_SECRET
 
struct  EFI_TLS_SESSION_ID
 
struct  EFI_TLS_FRAGMENT_DATA
 
struct  _EFI_TLS_PROTOCOL
 

Macros

#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID
 
#define EFI_TLS_PROTOCOL_GUID
 
#define EFI_TLS_VERIFY_NONE   0x0
 
#define EFI_TLS_VERIFY_PEER   0x1
 
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT   0x2
 
#define EFI_TLS_VERIFY_CLIENT_ONCE   0x4
 
#define EFI_TLS_VERIFY_FLAG_NONE   0x00
 
#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT   0x01
 
#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS   0x02
 
#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS   0x04
 
#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS   0x08
 
#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS   0x10
 
#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT   0x20
 
#define MAX_TLS_SESSION_ID_LENGTH   32
 

Typedefs

typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL
 
typedef UINT8 EFI_TLS_COMPRESSION
 
typedef UINT32 EFI_TLS_VERIFY
 
typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG
 
typedef IN
EFI_TLS_SESSION_DATA_TYPE 		DataType
 
typedef IN
EFI_TLS_SESSION_DATA_TYPE IN
VOID		Data
 
typedef IN
EFI_TLS_SESSION_DATA_TYPE IN
VOID IN UINTN 		DataSize
 
typedef IN UINT8RequestBuffer
 
typedef IN UINT8 IN UINTN RequestSize
 
typedef IN UINT8 IN UINTN OUT
UINT8		Buffer
 
typedef IN UINT8 IN UINTN OUT
UINT8 IN OUT UINTN		BufferSize
 
typedef IN OUT
EFI_TLS_FRAGMENT_DATA ** 		FragmentTable
 
typedef IN OUT
EFI_TLS_FRAGMENT_DATA IN
UINT32		FragmentCount
 
typedef IN OUT
EFI_TLS_FRAGMENT_DATA IN
UINT32 IN EFI_TLS_CRYPT_MODE 		CryptMode
 

Enumerations

enum  EFI_TLS_SESSION_DATA_TYPE {
  EfiTlsVersion, EfiTlsConnectionEnd, EfiTlsCipherList, EfiTlsCompressionMethod,
  EfiTlsExtensionData, EfiTlsVerifyMethod, EfiTlsSessionID, EfiTlsSessionState,
  EfiTlsClientRandom, EfiTlsServerRandom, EfiTlsKeyMaterial, EfiTlsVerifyHost,
  EfiTlsSessionDataTypeMaximum
}
 
enum  EFI_TLS_CONNECTION_END { EfiTlsClient, EfiTlsServer }
 
enum  EFI_TLS_SESSION_STATE {
  EfiTlsSessionNotStarted, EfiTlsSessionHandShaking, EfiTlsSessionDataTransferring, EfiTlsSessionClosing,
  EfiTlsSessionError, EfiTlsSessionStateMaximum
}
 
enum  EFI_TLS_CRYPT_MODE { EfiTlsEncrypt, EfiTlsDecrypt }
 

Functions

typedef EFI_STATUS (EFIAPI *EFI_TLS_SET_SESSION_DATA)(IN EFI_TLS_PROTOCOL *This
 

Variables

EFI_GUID gEfiTlsServiceBindingProtocolGuid
 
EFI_GUID gEfiTlsProtocolGuid
 

Detailed Description

EFI TLS Protocols as defined in UEFI 2.5.

The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to create and destroy child of the driver to communicate with other host using TLS protocol. The EFI TLS Protocol provides the ability to manage TLS session.

Copyright (c) 2016, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent

Revision Reference:
This Protocol is introduced in UEFI Specification 2.5

Macro Definition Documentation

#define EFI_TLS_PROTOCOL_GUID
Value:
{ \
0xca959f, 0x6cfa, 0x4db1, {0x95, 0xbc, 0xe4, 0x6c, 0x47, 0x51, 0x43, 0x90 } \
}

The EFI TLS protocol provides the ability to manage TLS session.

#define EFI_TLS_SERVICE_BINDING_PROTOCOL_GUID
Value:
{ \
0x952cb795, 0xff36, 0x48cf, {0xa2, 0x49, 0x4d, 0xf4, 0x86, 0xd6, 0xab, 0x8d } \
}

The EFI TLS Service Binding Protocol is used to locate EFI TLS Protocol drivers to create and destroy child of the driver to communicate with other host using TLS protocol.

#define EFI_TLS_VERIFY_CLIENT_ONCE   0x4

TLS session only verify client once, and doesn't request certificate during re-negotiation.

#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT   0x2

EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode. TLS session will fail if client certificate is absent.

#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT   0x01

Always check the Subject Distinguished Name (DN) in the peer certificate even if the certificate contains Subject Alternative Name (SAN).

#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS   0x08

Allow the "*" to match more than one labels. Otherwise, only matches a single label.

#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT   0x20

Never check the Subject Distinguished Name (DN) even there is no Subject Alternative Name (SAN) in the certificate.

#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS   0x04

Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").

#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS   0x02

Disable the match of all wildcards.

#define EFI_TLS_VERIFY_FLAG_NONE   0x00

There is no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label.

#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS   0x10

Restrict to only match direct child sub-domains which start with ".". For example, a name of ".example.com" would match "www.example.com" with this flag, but would not match "www.sub.example.com".

#define EFI_TLS_VERIFY_NONE   0x0

No certificates will be sent or the TLS/SSL handshake will be continued regardless of the certificate verification result.

#define EFI_TLS_VERIFY_PEER   0x1

The TLS/SSL handshake is immediately terminated with an alert message containing the reason for the certificate verification failure.

#define MAX_TLS_SESSION_ID_LENGTH   32

EFI_TLS_SESSION_ID Note: The definition of EFI_TLS_SESSION_ID is from "RFC 5246 A.4.1. Hello Messages".

Typedef Documentation

typedef IN UINT8 IN UINTN OUT UINT8* Buffer
typedef IN UINT8 IN UINTN OUT UINT8 IN OUT UINTN* BufferSize
typedef IN OUT EFI_TLS_FRAGMENT_DATA IN UINT32 IN EFI_TLS_CRYPT_MODE CryptMode
typedef IN EFI_TLS_SESSION_DATA_TYPE IN OUT VOID* Data
typedef IN EFI_TLS_SESSION_DATA_TYPE IN OUT VOID IN OUT UINTN* DataSize
typedef IN EFI_TLS_SESSION_DATA_TYPE DataType
typedef UINT8 EFI_TLS_COMPRESSION

EFI_TLS_COMPRESSION Note: The value of EFI_TLS_COMPRESSION definition is from "RFC 3749".

typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL
typedef UINT32 EFI_TLS_VERIFY

EFI_TLS_VERIFY Use either EFI_TLS_VERIFY_NONE or EFI_TLS_VERIFY_PEER, the last two options are 'ORed' with EFI_TLS_VERIFY_PEER if they are desired.

typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG

EFI_TLS_VERIFY_HOST_FLAG

typedef IN OUT EFI_TLS_FRAGMENT_DATA IN UINT32* FragmentCount
typedef IN OUT EFI_TLS_FRAGMENT_DATA** FragmentTable
typedef IN UINT8* RequestBuffer
typedef IN UINT8 IN UINTN RequestSize

Enumeration Type Documentation

enum EFI_TLS_CONNECTION_END

EFI_TLS_CONNECTION_END to define TLS session as client or server.

Enumerator
EfiTlsClient 
EfiTlsServer 
enum EFI_TLS_CRYPT_MODE

EFI_TLS_CRYPT_MODE

Enumerator
EfiTlsEncrypt 

Encrypt data provided in the fragment buffers.

EfiTlsDecrypt 

Decrypt data provided in the fragment buffers.

enum EFI_TLS_SESSION_DATA_TYPE

EFI_TLS_SESSION_DATA_TYPE

Enumerator
EfiTlsVersion 

TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.

EfiTlsConnectionEnd 

TLS session as client or as server. The corresponding Data is of EFI_TLS_CONNECTION_END.

EfiTlsCipherList 

A priority list of preferred algorithms for the TLS session. The corresponding Data is a list of EFI_TLS_CIPHER.

EfiTlsCompressionMethod 

TLS session compression method. The corresponding Data is of type EFI_TLS_COMPRESSION.

EfiTlsExtensionData 

TLS session extension data. The corresponding Data is a list of type EFI_TLS_EXTENSION .

EfiTlsVerifyMethod 

TLS session verify method. The corresponding Data is of type EFI_TLS_VERIFY.

EfiTlsSessionID 

TLS session data session ID. For SetSessionData(), it is TLS session ID used for session resumption. For GetSessionData(), it is the TLS session ID used for current session. The corresponding Data is of type EFI_TLS_SESSION_ID.

EfiTlsSessionState 

TLS session data session state. The corresponding Data is of type EFI_TLS_SESSION_STATE.

EfiTlsClientRandom 

TLS session data client random. The corresponding Data is of type EFI_TLS_RANDOM.

EfiTlsServerRandom 

TLS session data server random. The corresponding Data is of type EFI_TLS_RANDOM.

EfiTlsKeyMaterial 

TLS session data key material. The corresponding Data is of type EFI_TLS_MASTER_SECRET.

EfiTlsVerifyHost 

TLS session hostname for validation which is used to verify whether the name within the peer certificate matches a given host name. This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE. The corresponding Data is of type EFI_TLS_VERIFY_HOST.

EfiTlsSessionDataTypeMaximum 
enum EFI_TLS_SESSION_STATE

EFI_TLS_SESSION_STATE

Enumerator
EfiTlsSessionNotStarted 

When a new child of TLS protocol is created, the initial state of TLS session is EfiTlsSessionNotStarted.

EfiTlsSessionHandShaking 

The consumer can call BuildResponsePacket() with NULL to get ClientHello to start the TLS session. Then the status is EfiTlsSessionHandShaking.

EfiTlsSessionDataTransferring 

During handshake, the consumer need call BuildResponsePacket() with input data from peer, then get response packet and send to peer. After handshake finish, the TLS session status becomes EfiTlsSessionDataTransferring, and consumer can use ProcessPacket() for data transferring.

EfiTlsSessionClosing 

Finally, if consumer wants to active close TLS session, consumer need call SetSessionData to set TLS session state to EfiTlsSessionClosing, and call BuildResponsePacket() with NULL to get CloseNotify alert message, and sent it out.

EfiTlsSessionError 

If any error happen during parsing ApplicationData content type, EFI_ABORT will be returned by ProcessPacket(), and TLS session state will become EfiTlsSessionError. Then consumer need call BuildResponsePacket() with NULL to get alert message and sent it out.

EfiTlsSessionStateMaximum 

Function Documentation

typedef EFI_STATUS ( EFIAPI EFI_TLS_PROCESS_PACKET)

Set TLS session data.

The SetSessionData() function set data for a new TLS session. All session data should be set before BuildResponsePacket() invoked.

Parameters
[in]ThisPointer to the EFI_TLS_PROTOCOL instance.
[in]DataTypeTLS session data type.
[in]DataPointer to session data.
[in]DataSizeTotal size of session data.
Return values
EFI_SUCCESSThe TLS session data is set successfully.
EFI_INVALID_PARAMETEROne or more of the following conditions is TRUE: This is NULL. Data is NULL. DataSize is 0.
EFI_UNSUPPORTEDThe DataType is unsupported.
EFI_ACCESS_DENIEDIf the DataType is one of below: EfiTlsClientRandom EfiTlsServerRandom EfiTlsKeyMaterial
EFI_NOT_READYCurrent TLS session state is NOT EfiTlsSessionStateNotStarted.
EFI_OUT_OF_RESOURCESRequired system resources could not be allocated.

Get TLS session data.

The GetSessionData() function return the TLS session information.

Parameters
[in]ThisPointer to the EFI_TLS_PROTOCOL instance.
[in]DataTypeTLS session data type.
[in,out]DataPointer to session data.
[in,out]DataSizeTotal size of session data. On input, it means the size of Data buffer. On output, it means the size of copied Data buffer if EFI_SUCCESS, and means the size of desired Data buffer if EFI_BUFFER_TOO_SMALL.
Return values
EFI_SUCCESSThe TLS session data is got successfully.
EFI_INVALID_PARAMETEROne or more of the following conditions is TRUE: This is NULL. DataSize is NULL. Data is NULL if *DataSize is not zero.
EFI_UNSUPPORTEDThe DataType is unsupported.
EFI_NOT_FOUNDThe TLS session data is not found.
EFI_NOT_READYThe DataType is not ready in current session state.
EFI_BUFFER_TOO_SMALLThe buffer is too small to hold the data.

Build response packet according to TLS state machine. This function is only valid for alert, handshake and change_cipher_spec content type.

The BuildResponsePacket() function builds TLS response packet in response to the TLS request packet specified by RequestBuffer and RequestSize. If RequestBuffer is NULL and RequestSize is 0, and TLS session status is EfiTlsSessionNotStarted, the TLS session will be initiated and the response packet needs to be ClientHello. If RequestBuffer is NULL and RequestSize is 0, and TLS session status is EfiTlsSessionClosing, the TLS session will be closed and response packet needs to be CloseNotify. If RequestBuffer is NULL and RequestSize is 0, and TLS session status is EfiTlsSessionError, the TLS session has errors and the response packet needs to be Alert message based on error type.

Parameters
[in]ThisPointer to the EFI_TLS_PROTOCOL instance.
[in]RequestBufferPointer to the most recently received TLS packet. NULL means TLS need initiate the TLS session and response packet need to be ClientHello.
[in]RequestSizePacket size in bytes for the most recently received TLS packet. 0 is only valid when RequestBuffer is NULL.
[out]BufferPointer to the buffer to hold the built packet.
[in,out]BufferSizePointer to the buffer size in bytes. On input, it is the buffer size provided by the caller. On output, it is the buffer size in fact needed to contain the packet.
Return values
EFI_SUCCESSThe required TLS packet is built successfully.
EFI_INVALID_PARAMETEROne or more of the following conditions is TRUE: This is NULL. RequestBuffer is NULL but RequestSize is NOT 0. RequestSize is 0 but RequestBuffer is NOT NULL. BufferSize is NULL. Buffer is NULL if *BufferSize is not zero.
EFI_BUFFER_TOO_SMALLBufferSize is too small to hold the response packet.
EFI_NOT_READYCurrent TLS session state is NOT ready to build ResponsePacket.
EFI_ABORTEDSomething wrong build response packet.

Decrypt or encrypt TLS packet during session. This function is only valid after session connected and for application_data content type.

The ProcessPacket () function process each inbound or outbound TLS APP packet.

Parameters
[in]ThisPointer to the EFI_TLS_PROTOCOL instance.
[in,out]FragmentTablePointer to a list of fragment. The caller will take responsible to handle the original FragmentTable while it may be reallocated in TLS driver. If CryptMode is EfiTlsEncrypt, on input these fragments contain the TLS header and plain text TLS APP payload; on output these fragments contain the TLS header and cipher text TLS APP payload. If CryptMode is EfiTlsDecrypt, on input these fragments contain the TLS header and cipher text TLS APP payload; on output these fragments contain the TLS header and plain text TLS APP payload.
[in]FragmentCountNumber of fragment.
[in]CryptModeCrypt mode.
Return values
EFI_SUCCESSThe operation completed successfully.
EFI_INVALID_PARAMETEROne or more of the following conditions is TRUE: This is NULL. FragmentTable is NULL. FragmentCount is NULL. CryptoMode is invalid.
EFI_NOT_READYCurrent TLS session state is NOT EfiTlsSessionDataTransferring.
EFI_ABORTEDSomething wrong decryption the message. TLS session status will become EfiTlsSessionError. The caller need call BuildResponsePacket() to generate Error Alert message and send it out.
EFI_OUT_OF_RESOURCESNo enough resource to finish the operation.

Variable Documentation

EFI_GUID gEfiTlsProtocolGuid
EFI_GUID gEfiTlsServiceBindingProtocolGuid