From: Jiaxin Wu <jiaxin.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Ye Ting <ting.ye@intel.com>, Fu Siyuan <siyuan.fu@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
Kinney Michael D <michael.d.kinney@intel.com>,
Wu Jiaxin <jiaxin.wu@intel.com>
Subject: [PATCH v2 1/2] NetworkPkg: Add PCD to enable the HTTP connections switch
Date: Tue, 17 Jan 2017 11:33:11 +0800 [thread overview]
Message-ID: <1484623992-52988-2-git-send-email-jiaxin.wu@intel.com> (raw)
In-Reply-To: <1484623992-52988-1-git-send-email-jiaxin.wu@intel.com>
v2:
* Rename the PCD to PcdAllowHttpConnections.
* Refine the PCD descriptions.
If the value of PcdAllowHttpConnections is TRUE, HTTP connections is
allowed. Both the "https://" and "http://" URI schemes are permitted.
Otherwise, HTTP connections is denied. Only the "https://" URI scheme
is permitted.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
NetworkPkg/HttpBootDxe/HttpBootClient.c | 20 +++++++-
NetworkPkg/HttpBootDxe/HttpBootConfig.c | 81 ++++++++++++++++++++------------
NetworkPkg/HttpBootDxe/HttpBootDxe.inf | 5 +-
NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
NetworkPkg/HttpDxe/HttpDxe.inf | 5 +-
NetworkPkg/HttpDxe/HttpImpl.c | 12 ++++-
NetworkPkg/NetworkPkg.dec | 8 +++-
8 files changed, 164 insertions(+), 37 deletions(-)
diff --git a/NetworkPkg/HttpBootDxe/HttpBootClient.c b/NetworkPkg/HttpBootDxe/HttpBootClient.c
index 916f237..99db3d5 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootClient.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootClient.c
@@ -1,9 +1,9 @@
/** @file
Implementation of the boot file download function.
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
@@ -190,10 +190,19 @@ HttpBootDhcp4ExtractUriInfo (
Private->BootFileUriParser = Private->FilePathUriParser;
Private->BootFileUri = Private->FilePathUri;
}
//
+ // Check the URI scheme.
+ //
+ Status = HttpBootCheckUriScheme (Private->BootFileUri);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "HttpBootDhcp4ExtractUriInfo: %r.\n", Status));
+ return Status;
+ }
+
+ //
// Configure the default DNS server if server assigned.
//
if ((SelectOffer->OfferType == HttpOfferTypeDhcpNameUriDns) ||
(SelectOffer->OfferType == HttpOfferTypeDhcpDns) ||
(SelectOffer->OfferType == HttpOfferTypeDhcpIpUriDns)) {
@@ -293,10 +302,19 @@ HttpBootDhcp6ExtractUriInfo (
Private->BootFileUriParser = Private->FilePathUriParser;
Private->BootFileUri = Private->FilePathUri;
}
//
+ // Check the URI scheme.
+ //
+ Status = HttpBootCheckUriScheme (Private->BootFileUri);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "HttpBootDhcp6ExtractUriInfo: %r.\n", Status));
+ return Status;
+ }
+
+ //
// Set the Local station address to IP layer.
//
Status = HttpBootSetIp6Address (Private);
if (EFI_ERROR (Status)) {
return Status;
diff --git a/NetworkPkg/HttpBootDxe/HttpBootConfig.c b/NetworkPkg/HttpBootDxe/HttpBootConfig.c
index 7c883b8..f32bf18 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootConfig.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootConfig.c
@@ -1,9 +1,9 @@
/** @file
Helper functions for configuring or getting the parameters relating to HTTP Boot.
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -444,13 +444,20 @@ HttpBootFormCallback (
IN OUT EFI_IFR_TYPE_VALUE *Value,
OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
)
{
EFI_INPUT_KEY Key;
- UINTN Index;
CHAR16 *Uri;
+ UINTN UriLen;
+ CHAR8 *AsciiUri;
HTTP_BOOT_FORM_CALLBACK_INFO *CallbackInfo;
+ EFI_STATUS Status;
+
+ Uri = NULL;
+ UriLen = 0;
+ AsciiUri = NULL;
+ Status = EFI_SUCCESS;
if (This == NULL || Value == NULL) {
return EFI_INVALID_PARAMETER;
}
@@ -464,53 +471,67 @@ HttpBootFormCallback (
case KEY_INITIATOR_URI:
//
// Get user input URI string
//
Uri = HiiGetString (CallbackInfo->RegisteredHandle, Value->string, NULL);
- if (Uri == NULL) {
- return EFI_UNSUPPORTED;
- }
//
- // Convert the scheme to all lower case.
+ // The URI should be either an empty string (for corporate environment) ,or http(s) for home environment.
+ // Pop up a message box for the unsupported URI.
//
- for (Index = 0; Index < StrLen (Uri); Index++) {
- if (Uri[Index] == L':') {
- break;
+ if (StrLen (Uri) != 0) {
+ UriLen = StrLen (Uri) + 1;
+ AsciiUri = AllocateZeroPool (UriLen);
+ if (AsciiUri == NULL) {
+ FreePool (Uri);
+ return EFI_OUT_OF_RESOURCES;
}
- if (Uri[Index] >= L'A' && Uri[Index] <= L'Z') {
- Uri[Index] -= (CHAR16)(L'A' - L'a');
+
+ UnicodeStrToAsciiStrS (Uri, AsciiUri, UriLen);
+
+ Status = HttpBootCheckUriScheme (AsciiUri);
+
+ if (Status == EFI_INVALID_PARAMETER) {
+
+ DEBUG ((EFI_D_ERROR, "HttpBootFormCallback: %r.\n", Status));
+
+ CreatePopUp (
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+ &Key,
+ L"ERROR: Unsupported URI!",
+ L"Only supports HTTP and HTTPS",
+ NULL
+ );
+ } else if (Status == EFI_ACCESS_DENIED) {
+
+ DEBUG ((EFI_D_ERROR, "HttpBootFormCallback: %r.\n", Status));
+
+ CreatePopUp (
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+ &Key,
+ L"ERROR: Unsupported URI!",
+ L"HTTP is disabled",
+ NULL
+ );
}
}
- //
- // Set the converted URI string back
- //
- HiiSetString (CallbackInfo->RegisteredHandle, Value->string, Uri, NULL);
-
- //
- // The URI should be either an empty string (for corporate environment) ,or http(s) for home environment.
- // Pop up a message box for other unsupported URI.
- //
- if ((StrLen (Uri) != 0) && (StrnCmp (Uri, L"http://", 7) != 0) && (StrnCmp (Uri, L"https://", 8) != 0)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported URI!",
- L"Only supports HTTP and HTTPS",
- NULL
- );
+ if (Uri != NULL) {
+ FreePool (Uri);
}
- FreePool (Uri);
+ if (AsciiUri != NULL) {
+ FreePool (AsciiUri);
+ }
+
break;
default:
break;
}
- return EFI_SUCCESS;
+ return Status;
}
/**
Initialize the configuration form.
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDxe.inf b/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
index e6ce864..982e6b4 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+++ b/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
@@ -1,9 +1,9 @@
## @file
# This modules produce the Load File Protocol for UEFI HTTP boot.
#
-# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
@@ -92,7 +92,10 @@
## SOMETIMES_CONSUMES ## HII
gHttpBootConfigGuid
gEfiVirtualCdGuid ## SOMETIMES_CONSUMES ## GUID
gEfiVirtualDiskGuid ## SOMETIMES_CONSUMES ## GUID
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES
+
[UserExtensions.TianoCore."ExtraFiles"]
HttpBootDxeExtra.uni
diff --git a/NetworkPkg/HttpBootDxe/HttpBootSupport.c b/NetworkPkg/HttpBootDxe/HttpBootSupport.c
index bdb29ae..69b129f 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootSupport.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootSupport.c
@@ -1,9 +1,9 @@
/** @file
Support functions implementation for UEFI HTTP boot driver.
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
@@ -987,10 +987,61 @@ HttpIoRecvResponse (
return Status;
}
/**
+ This function checks the HTTP(S) URI scheme.
+
+ @param[in] Uri The pointer to the URI string.
+
+ @retval EFI_SUCCESS The URI scheme is valid.
+ @retval EFI_INVALID_PARAMETER The URI scheme is not HTTP or HTTPS.
+ @retval EFI_ACCESS_DENIED HTTP is disabled and the URI is HTTP.
+
+**/
+EFI_STATUS
+HttpBootCheckUriScheme (
+ IN CHAR8 *Uri
+ )
+{
+ UINTN Index;
+ EFI_STATUS Status;
+
+ Status = EFI_SUCCESS;
+
+ //
+ // Convert the scheme to all lower case.
+ //
+ for (Index = 0; Index < AsciiStrLen (Uri); Index++) {
+ if (Uri[Index] == ':') {
+ break;
+ }
+ if (Uri[Index] >= 'A' && Uri[Index] <= 'Z') {
+ Uri[Index] -= (CHAR8)('A' - 'a');
+ }
+ }
+
+ //
+ // Return EFI_INVALID_PARAMETER if the URI is not HTTP or HTTPS.
+ //
+ if ((AsciiStrnCmp (Uri, "http://", 7) != 0) && (AsciiStrnCmp (Uri, "https://", 8) != 0)) {
+ DEBUG ((EFI_D_ERROR, "HttpBootCheckUriScheme: Invalid Uri.\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // HTTP is disabled, return EFI_ACCESS_DENIED if the URI is HTTP.
+ //
+ if (!PcdGetBool (PcdAllowHttpConnections) && (AsciiStrnCmp (Uri, "http://", 7) == 0)) {
+ DEBUG ((EFI_D_ERROR, "HttpBootCheckUriScheme: HTTP is disabled.\n"));
+ return EFI_ACCESS_DENIED;
+ }
+
+ return Status;
+}
+
+/**
Get the URI address string from the input device path.
Caller need to free the buffer in the UriAddress pointer.
@param[in] FilePath Pointer to the device path which contains a URI device path node.
diff --git a/NetworkPkg/HttpBootDxe/HttpBootSupport.h b/NetworkPkg/HttpBootDxe/HttpBootSupport.h
index 4d02427..65302d2 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootSupport.h
+++ b/NetworkPkg/HttpBootDxe/HttpBootSupport.h
@@ -1,9 +1,9 @@
/** @file
Support functions declaration for UEFI HTTP boot driver.
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
@@ -330,10 +330,25 @@ HttpIoRecvResponse (
IN BOOLEAN RecvMsgHeader,
OUT HTTP_IO_RESPONSE_DATA *ResponseData
);
/**
+ This function checks the HTTP(S) URI scheme.
+
+ @param[in] Uri The pointer to the URI string.
+
+ @retval EFI_SUCCESS The URI scheme is valid.
+ @retval EFI_INVALID_PARAMETER The URI scheme is not HTTP or HTTPS.
+ @retval EFI_ACCESS_DENIED HTTP is disabled and the URI is HTTP.
+
+**/
+EFI_STATUS
+HttpBootCheckUriScheme (
+ IN CHAR8 *Uri
+ );
+
+/**
Get the URI address string from the input device path.
Caller need to free the buffer in the UriAddress pointer.
@param[in] FilePath Pointer to the device path which contains a URI device path node.
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 1118181..df2efdc 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
## @file
# Implementation of EFI HTTP protocol interfaces.
#
-# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php.
@@ -73,7 +73,10 @@
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## CONSUMES ## GUID
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES
+
[UserExtensions.TianoCore."ExtraFiles"]
HttpDxeExtra.uni
\ No newline at end of file
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index d19f733..85b0083 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -1,9 +1,9 @@
/** @file
Implementation of EFI_HTTP_PROTOCOL protocol interfaces.
- Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -353,10 +353,20 @@ EfiHttpRequest (
// be able to determine whether to use http or https.
//
HttpInstance->UseHttps = IsHttpsUrl (Url);
//
+ // HTTP is disabled, return directly if the URI is not HTTPS.
+ //
+ if (!PcdGetBool (PcdAllowHttpConnections) && !(HttpInstance->UseHttps)) {
+
+ DEBUG ((EFI_D_ERROR, "EfiHttpRequest: HTTP is disabled.\n"));
+
+ return EFI_ACCESS_DENIED;
+ }
+
+ //
// Check whether we need to create Tls child and open the TLS protocol.
//
if (HttpInstance->UseHttps && HttpInstance->TlsChildHandle == NULL) {
//
// Use TlsSb to create Tls child and open the TLS protocol.
diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
index 24d45f4..d51f816 100644
--- a/NetworkPkg/NetworkPkg.dec
+++ b/NetworkPkg/NetworkPkg.dec
@@ -2,11 +2,11 @@
# Network Package.
#
# This package provides network modules that conform to UEFI 2.4 specification.
#
# (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials are licensed and made available under
# the terms and conditions of the BSD License which accompanies this distribution.
# The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
@@ -77,10 +77,16 @@
## Private Key's size.
# @Prompt Private Key's size.
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize|0x3d5|UINT32|0x00000006
+ ## Indicates whether HTTP connections (i.e., unsecured) are permitted or not.
+ # TRUE - HTTP connections is allowed. Both the "https://" and "http://" URI schemes are permitted.
+ # FALSE - HTTP connections is denied. Only the "https://" URI scheme is permitted.
+ # @Prompt Indicates whether HTTP connections are permitted or not.
+ gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|FALSE|BOOLEAN|0x00000008
+
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355).
# 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT]
# 04 = UUID-Based DHCPv6 Unique Identifier (DUID-UUID)
# 02 = DUID Assigned by Vendor Based on Enterprise Number [DUID-EN] (not supported)
--
1.9.5.msysgit.1
next prev parent reply other threads:[~2017-01-17 3:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 3:33 [PATCH v2 0/2] Enable the HTTP connections switch Jiaxin Wu
2017-01-17 3:33 ` Jiaxin Wu [this message]
2017-01-17 8:53 ` [PATCH v2 1/2] NetworkPkg: Add PCD to enable " Laszlo Ersek
2017-01-17 3:33 ` [PATCH v2 2/2] Nt32Pkg.dsc: Add flag to control HTTP connections Jiaxin Wu
2017-01-17 10:02 ` Laszlo Ersek
2017-01-17 10:29 ` Gary Lin
2017-01-18 2:16 ` Wu, Jiaxin
2017-01-18 8:30 ` Laszlo Ersek
2017-01-18 9:27 ` Gary Lin
2017-01-19 3:19 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1484623992-52988-2-git-send-email-jiaxin.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox