From: Jiaxin Wu <jiaxin.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek <lersek@redhat.com>,
Kinney Michael D <michael.d.kinney@intel.com>,
Zimmer Vincent <vincent.zimmer@intel.com>,
Yao Jiewen <jiewen.yao@intel.com>, Ye Ting <ting.ye@intel.com>,
Fu Siyuan <siyuan.fu@intel.com>, Wu Jiaxin <jiaxin.wu@intel.com>
Subject: [Patch 2/2] NetworkPkg: Read TlsCipherList variable and configure it for HTTPS session.
Date: Fri, 9 Feb 2018 11:59:38 +0800 [thread overview]
Message-ID: <1518148778-14300-3-git-send-email-jiaxin.wu@intel.com> (raw)
In-Reply-To: <1518148778-14300-1-git-send-email-jiaxin.wu@intel.com>
This patch is to read the TlsCipherList variable and configure it for the
later HTTPS session.
If the variable is not set by any platform, EFI_NOT_FOUND will be returned
from GetVariable service. In such a case, the default CipherList created in
TlsDxe driver will be used.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
NetworkPkg/HttpDxe/HttpDriver.h | 3 +-
NetworkPkg/HttpDxe/HttpDxe.inf | 3 +-
NetworkPkg/HttpDxe/HttpsSupport.c | 92 ++++++++++++++++++++++++++++++++++++++-
3 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 93a412a..eba7d32 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -1,9 +1,9 @@
/** @file
The header files of the driver binding and service binding protocol for HttpDxe driver.
- Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -59,10 +59,11 @@
// Produced Protocols
//
#include <Protocol/Http.h>
#include <Guid/TlsAuthentication.h>
+#include <Guid/TlsCipherList.h>
#include <IndustryStandard/Tls1.h>
//
// Driver Version
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 20075f5..b1d7bd2 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
## @file
# Implementation of EFI HTTP protocol interfaces.
#
-# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php.
@@ -72,10 +72,11 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
+ gTlsCipherListGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCipherList"
[Pcd]
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert ## SOMETIMES_CONSUMES
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 288082a..62cb867 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -1,9 +1,9 @@
/** @file
Miscellaneous routines specific to Https for HttpDxe driver.
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -492,10 +492,91 @@ TlsConfigCertificate (
return Status;
}
/**
+ Read the TlsCipherList variable and configure it for HTTPS session.
+
+ @param[in, out] HttpInstance The HTTP instance private data.
+
+ @retval EFI_SUCCESS The prefered TLS CipherList is configured.
+ @retval EFI_NOT_FOUND Fail to get 'TlsCipherList' variable.
+ @retval EFI_INVALID_PARAMETER The contents of variable are invalid.
+ @retval EFI_OUT_OF_RESOURCES Can't allocate memory resources.
+
+ @retval Others Other error as indicated.
+
+**/
+EFI_STATUS
+TlsConfigCipherList (
+ IN OUT HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *CipherList;
+ UINTN CipherListSize;
+
+ CipherList = NULL;
+ CipherListSize = 0;
+
+ //
+ // Try to read the TlsCipherList variable.
+ //
+ Status = gRT->GetVariable (
+ EDKII_TLS_CIPHER_LIST_VARIABLE,
+ &gTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ NULL
+ );
+
+ if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
+ return Status;
+ }
+
+ if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Allocate buffer and read the config variable.
+ //
+ CipherList = AllocatePool (CipherListSize);
+ if (CipherList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Status = gRT->GetVariable (
+ EDKII_TLS_CIPHER_LIST_VARIABLE,
+ &gTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ CipherList
+ );
+ if (EFI_ERROR (Status)) {
+ //
+ // GetVariable still error or the variable is corrupted.
+ //
+ goto ON_EXIT;
+ }
+
+ ASSERT (CipherList != NULL);
+
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsCipherList,
+ CipherList,
+ CipherListSize
+ );
+
+ON_EXIT:
+ FreePool (CipherList);
+
+ return Status;
+}
+
+/**
Configure TLS session data.
@param[in, out] HttpInstance The HTTP instance private data.
@retval EFI_SUCCESS TLS session data is configured.
@@ -551,10 +632,19 @@ TlsConfigureSession (
if (EFI_ERROR (Status)) {
return Status;
}
//
+ // Tls Cipher List
+ //
+ Status = TlsConfigCipherList (HttpInstance);
+ if (EFI_ERROR (Status) && Status != EFI_NOT_FOUND) {
+ DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
+ return Status;
+ }
+
+ //
// Tls Config Certificate
//
Status = TlsConfigCertificate (HttpInstance);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
--
1.9.5.msysgit.1
next prev parent reply other threads:[~2018-02-09 3:54 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-09 3:59 [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList Jiaxin Wu
2018-02-09 3:59 ` [Patch 1/2] NetworkPkg: Define one private variable for TLS CipherList configuration Jiaxin Wu
2018-02-09 3:59 ` Jiaxin Wu [this message]
2018-02-09 10:16 ` [Patch 2/2] NetworkPkg: Read TlsCipherList variable and configure it for HTTPS session Laszlo Ersek
2018-02-11 2:45 ` Wu, Jiaxin
2018-02-09 5:22 ` [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList Fu, Siyuan
2018-02-09 5:25 ` Wu, Jiaxin
2018-02-09 7:08 ` Li, Ruth
2018-02-09 7:10 ` Wu, Jiaxin
2018-02-09 10:11 ` Laszlo Ersek
2018-02-11 2:33 ` Wu, Jiaxin
2018-02-12 18:53 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518148778-14300-3-git-send-email-jiaxin.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox