CryptoPkg: Add support to set TLS security level.

Add an Edkiicrypto protocol API to set the TLS security level.

Signed-off-by: Kanagavel S <kanagavels@ami.com>
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index e2c49f1..f1cdb72 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -5125,6 +5125,30 @@
 }

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              The Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+  @retval  EFI_UNSUPPORTED       The requested TLS set security level is not supported.

+

+**/

+EFI_STATUS

+EFIAPI

+CryptoServiceTlsSetSecurityLevel (

+  IN VOID   *Tls,

+  IN UINT8  Level

+  )

+{

+  return CALL_BASECRYPTLIB (TlsSet.Services.SecurityLevel, TlsSetSecurityLevel, (Tls, Level), EFI_UNSUPPORTED);

+}

+

+/**

   Set the signature algorithm list to used by the TLS object.

 

   This function sets the signature algorithms for use by a specified TLS object.
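Review bot: The doc block contradicts itself: L23 says "If Tls is NULL, nothing is done", but the @retval list on the same block and the TlsLib implementation (which returns EFI_INVALID_PARAMETER for a NULL Tls) say otherwise, and "This function Set" is ungrammatical. The same text is copied into TlsLib.h, CryptLib.c, TlsConfig.c, TlsConfigNull.c and Crypto.h in this patch, so it should be fixed once and re-pasted. Suggest `If Tls is NULL or Level is outside the supported range, EFI_INVALID_PARAMETER is returned.` and `This function sets the TLS security level of the specified TLS object.` The accepted range is also not stated anywhere a protocol consumer can see it, since MIN/MAX_SECURITY_LEVEL are private to TlsLib; the @param for Level should say which values are valid.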

@@ -7137,6 +7161,7 @@
   CryptoServicePkcs1v2Decrypt,

   CryptoServiceRsaOaepEncrypt,

   CryptoServiceRsaOaepDecrypt,

-  /// TLS Set (continued)

+  /// TLS Set (Continued)

   CryptoServiceTlsSetServerName,

+  CryptoServiceTlsSetSecurityLevel,

 };
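Review bot: The `/// TLS Set (continued)` to `/// TLS Set (Continued)` edit at L78/L80 is unrelated comment churn that only enlarges the diff, and the same edit is repeated in Crypto.h at L532/L534. Keep the original spelling so the hunk contains only the new table entry. The appended `CryptoServiceTlsSetSecurityLevel` entry itself matches the position of the new `TlsSetSecurityLevel` member in the protocol struct, which is what backward compatibility of the table requires.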

diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index fab9b5b..abacbe7 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -645,6 +645,26 @@
   );

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+

+**/

+EFI_STATUS

+EFIAPI

+TlsSetSecurityLevel (

+  IN VOID   *Tls,

+  IN UINT8  Level

+  );

+

+/**

   Gets the protocol version used by the specified TLS connection.

 

   This function returns the protocol version used by the specified TLS
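Review bot: The @retval list in this public header omits EFI_UNSUPPORTED, although TlsLibNull's implementation of this very prototype returns it and the CryptLib.c and TlsConfig.c copies of the same comment do list it; the header is the contract callers read. Suggest adding `@retval  EFI_UNSUPPORTED       The requested TLS set security level is not supported.` The Crypto.h typedef at L495-L497 has the same omission. It would also help to state the accepted range in the @param for Level, since the bounds macros live in a private header.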

diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index ad6a608..5e92871 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -328,6 +328,7 @@
       UINT8    SignatureAlgoList  : 1;

       UINT8    EcCurve            : 1;

       UINT8    ServerName         : 1;

+      UINT8    SecurityLevel      : 1;

     } Services;

     UINT32    Family;

   } TlsSet;

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 28d6061..5162cfd 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -4403,6 +4403,30 @@
 }

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+  @retval  EFI_UNSUPPORTED       The requested TLS set security level is not supported.

+

+**/

+EFI_STATUS

+EFIAPI

+TlsSetSecurityLevel (

+  IN VOID   *Tls,

+  IN UINT8  Level

+  )

+{

+  CALL_CRYPTO_SERVICE (TlsSetSecurityLevel, (Tls, Level), EFI_UNSUPPORTED);

+}

+

+/**

   Gets the protocol version used by the specified TLS connection.

 

   This function returns the protocol version used by the specified TLS

diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index aca226b..bdc4132 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -25,6 +25,16 @@
 #include <openssl/bio.h>

 #include <openssl/err.h>

 

+///

+/// TLS Minimum security level

+#define MIN_SECURITY_LEVEL  2

+///

+

+///

+/// TLS Maximum security level

+#define MAX_SECURITY_LEVEL  5

+///

+

 typedef struct {

   //

   // Main SSL Connection which is created by a server or a client
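Review bot: The `///` lines placed after each `#define` (L246, L256) are stray; the file's convention is a `///` block above the definition only, so drop the trailing ones. More importantly, the comment gives no rationale for the bounds: excluding OpenSSL levels 0 and 1 is a deliberate policy floor (those levels accept legacy-strength parameters that a runtime caller should not be able to re-enable), and the next maintainer should not have to guess that. Suggest `/// Lowest security level a caller may select. Levels 0 and 1 are rejected so that legacy-strength parameters cannot be re-enabled at runtime.` for MIN_SECURITY_LEVEL and `/// Highest security level OpenSSL defines.` for MAX_SECURITY_LEVEL.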

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index ac1fe46..9f92f6a 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -1192,6 +1192,46 @@
 }

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+  @retval  EFI_UNSUPPORTED       The requested TLS set security level is not supported.

+

+**/

+EFI_STATUS

+EFIAPI

+TlsSetSecurityLevel (

+  IN VOID   *Tls,

+  IN UINT8  Level

+  )

+{

+  TLS_CONNECTION  *TlsConn;

+

+  TlsConn = (TLS_CONNECTION *)Tls;

+

+  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {

+    return EFI_INVALID_PARAMETER;

+  }

+

+  // Check if the security level is within the valid range (2 to 5).

+  // Return EFI_INVALID_PARAMETER if the level is out of bounds.

+  if ((Level < MIN_SECURITY_LEVEL) || (Level > MAX_SECURITY_LEVEL)) {

+    return EFI_INVALID_PARAMETER;

+  }

+

+  SSL_set_security_level (TlsConn->Ssl, Level);

+

+  return EFI_SUCCESS;

+}

+

+/**

   Gets the protocol version used by the specified TLS connection.

 

   This function returns the protocol version used by the specified TLS
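Review bot: The @retval EFI_UNSUPPORTED at L297 is never produced by this implementation, which returns only EFI_INVALID_PARAMETER or EFI_SUCCESS; either drop it here or document that it is the behavior of the Null library and protocol wrappers, not of this function. The comment at L333 hard-codes "(2 to 5)", duplicating the macro values and inviting drift when the bounds change; `// Reject levels outside [MIN_SECURITY_LEVEL, MAX_SECURITY_LEVEL].` says the same without the literals. The range check itself is sound: Level is UINT8, so the comparisons cannot be confused by sign.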

diff --git a/CryptoPkg/Library/TlsLib/TlsInit.c b/CryptoPkg/Library/TlsLib/TlsInit.c
index 6385f0c..96634cf 100644
--- a/CryptoPkg/Library/TlsLib/TlsInit.c
+++ b/CryptoPkg/Library/TlsLib/TlsInit.c
@@ -188,7 +188,7 @@
   //

   // This retains compatibility with previous version of OpenSSL.

   //

-  SSL_set_security_level (TlsConn->Ssl, 0);

+  SSL_set_security_level (TlsConn->Ssl, 3);

 

   //

   // Initialize the created SSL Object
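Review bot: The comment immediately above the changed line, "This retains compatibility with previous version of OpenSSL" (L370), described level 0 and is now stale for level 3. Raising the default from 0 to 3 is also a significant policy change that the commit message does not mention: per OpenSSL's documented level semantics, level 3 requires 128-bit security (e.g. RSA/DH keys of at least 3072 bits) and refuses TLS versions below 1.2, so a peer presenting a 2048-bit RSA certificate that was accepted before will now fail the handshake unless the platform lowers the level through the new API. The rationale and the compatibility impact belong in the comment and the commit message. Consider also replacing the bare `3` with a named default alongside MIN/MAX_SECURITY_LEVEL in InternalTlsLib.h so the three values are kept consistent in one place; the enclosing function starts and ends outside this hunk.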

diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index cbf5ee7..d85a2d8 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -401,6 +401,31 @@
 }

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+  @retval  EFI_UNSUPPORTED       The requested TLS set security level is not supported.

+

+**/

+EFI_STATUS

+EFIAPI

+TlsSetSecurityLevel (

+  IN VOID   *Tls,

+  IN UINT8  Level

+  )

+{

+  ASSERT (FALSE);

+  return EFI_UNSUPPORTED;

+}

+

+/**

   Gets the protocol version used by the specified TLS connection.

 

   This function returns the protocol version used by the specified TLS

diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index b3a5553..7d3ff54 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -21,7 +21,7 @@
 /// the EDK II Crypto Protocol is extended, this version define must be

 /// increased.

 ///

-#define EDKII_CRYPTO_VERSION  18

+#define EDKII_CRYPTO_VERSION  19

 

 ///

 /// EDK II Crypto Protocol forward declaration

@@ -3970,6 +3970,26 @@
   );

 

 /**

+  Set the Tls security level.

+

+  This function Set the Tls security level.

+  If Tls is NULL, nothing is done.

+

+  @param[in]  Tls                Pointer to the TLS object.

+  @param[in]  Level              The Tls Security level need to set.

+

+  @retval  EFI_SUCCESS           The Tls security level was set successfully.

+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *EDKII_CRYPTO_TLS_SET_SECURITY_LEVEL)(

+  IN VOID    *Tls,

+  IN UINT8   Level

+  );

+

+/**

   Gets the protocol version used by the specified TLS connection.

 

   This function returns the protocol version used by the specified TLS

@@ -5728,8 +5748,9 @@
   EDKII_CRYPTO_PKCS1V2_DECRYPT                        Pkcs1v2Decrypt;

   EDKII_CRYPTO_RSA_OAEP_ENCRYPT                       RsaOaepEncrypt;

   EDKII_CRYPTO_RSA_OAEP_DECRYPT                       RsaOaepDecrypt;

-  /// TLS Set (continued)

+  /// TLS Set (Continued)

   EDKII_CRYPTO_TLS_SET_SERVER_NAME                    TlsSetServerName;

+  EDKII_CRYPTO_TLS_SET_SECURITY_LEVEL                 TlsSetSecurityLevel;

 };

 

 extern GUID  gEdkiiCryptoProtocolGuid;