From: Jiaxin Wu <jiaxin.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek <lersek@redhat.com>,
Kinney Michael D <michael.d.kinney@intel.com>,
Zimmer Vincent <vincent.zimmer@intel.com>,
Yao Jiewen <jiewen.yao@intel.com>, Ye Ting <ting.ye@intel.com>,
Fu Siyuan <siyuan.fu@intel.com>, Wu Jiaxin <jiaxin.wu@intel.com>
Subject: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.
Date: Sun, 11 Feb 2018 11:15:16 +0800 [thread overview]
Message-ID: <1518318916-12816-3-git-send-email-jiaxin.wu@intel.com> (raw)
In-Reply-To: <1518318916-12816-1-git-send-email-jiaxin.wu@intel.com>
v2:
* Refine the error handling returned from GetVariable.
This patch is to read the HttpTlsCipherList variable and configure it for the
later HTTPS session.
If the variable is not set by any platform, EFI_NOT_FOUND will be returned
from GetVariable service. In such a case, the default CipherList created in
TlsDxe driver will be used.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
NetworkPkg/HttpDxe/HttpDriver.h | 3 +-
NetworkPkg/HttpDxe/HttpDxe.inf | 3 +-
NetworkPkg/HttpDxe/HttpsSupport.c | 92 ++++++++++++++++++++++++++++++++++++++-
3 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 93a412a..3b7a7a2 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -1,9 +1,9 @@
/** @file
The header files of the driver binding and service binding protocol for HttpDxe driver.
- Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -59,10 +59,11 @@
// Produced Protocols
//
#include <Protocol/Http.h>
#include <Guid/TlsAuthentication.h>
+#include <Guid/HttpTlsCipherList.h>
#include <IndustryStandard/Tls1.h>
//
// Driver Version
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 20075f5..56a2472 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
## @file
# Implementation of EFI HTTP protocol interfaces.
#
-# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php.
@@ -72,10 +72,11 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
+ gHttpTlsCipherListGuid ## SOMETIMES_CONSUMES ## Variable:L"HttpTlsCipherList"
[Pcd]
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert ## SOMETIMES_CONSUMES
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 288082a..fbe4087 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -1,9 +1,9 @@
/** @file
Miscellaneous routines specific to Https for HttpDxe driver.
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -492,10 +492,91 @@ TlsConfigCertificate (
return Status;
}
/**
+ Read the HttpTlsCipherList variable and configure it for HTTPS session.
+
+ @param[in, out] HttpInstance The HTTP instance private data.
+
+ @retval EFI_SUCCESS The prefered HTTP TLS CipherList is configured.
+ @retval EFI_NOT_FOUND Fail to get 'HttpTlsCipherList' variable.
+ @retval EFI_INVALID_PARAMETER The contents of variable are invalid.
+ @retval EFI_OUT_OF_RESOURCES Can't allocate memory resources.
+
+ @retval Others Other error as indicated.
+
+**/
+EFI_STATUS
+TlsConfigCipherList (
+ IN OUT HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *CipherList;
+ UINTN CipherListSize;
+
+ CipherList = NULL;
+ CipherListSize = 0;
+
+ //
+ // Try to read the HttpTlsCipherList variable.
+ //
+ Status = gRT->GetVariable (
+ EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+ &gHttpTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ NULL
+ );
+ ASSERT (EFI_ERROR (Status));
+ if (Status != EFI_BUFFER_TOO_SMALL) {
+ return Status;
+ }
+
+ if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Allocate buffer and read the config variable.
+ //
+ CipherList = AllocatePool (CipherListSize);
+ if (CipherList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Status = gRT->GetVariable (
+ EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+ &gHttpTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ CipherList
+ );
+ if (EFI_ERROR (Status)) {
+ //
+ // GetVariable still error or the variable is corrupted.
+ //
+ goto ON_EXIT;
+ }
+
+ ASSERT (CipherList != NULL);
+
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsCipherList,
+ CipherList,
+ CipherListSize
+ );
+
+ON_EXIT:
+ FreePool (CipherList);
+
+ return Status;
+}
+
+/**
Configure TLS session data.
@param[in, out] HttpInstance The HTTP instance private data.
@retval EFI_SUCCESS TLS session data is configured.
@@ -551,10 +632,19 @@ TlsConfigureSession (
if (EFI_ERROR (Status)) {
return Status;
}
//
+ // Tls Cipher List
+ //
+ Status = TlsConfigCipherList (HttpInstance);
+ if (EFI_ERROR (Status) && Status != EFI_NOT_FOUND) {
+ DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
+ return Status;
+ }
+
+ //
// Tls Config Certificate
//
Status = TlsConfigCertificate (HttpInstance);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
--
1.9.5.msysgit.1
next prev parent reply other threads:[~2018-02-11 3:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-11 3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
2018-02-11 3:15 ` [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList Jiaxin Wu
2018-02-11 3:15 ` Jiaxin Wu [this message]
2018-02-12 3:05 ` [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session Ye, Ting
2018-02-12 3:08 ` Wu, Jiaxin
2018-02-11 3:21 ` [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Wu, Jiaxin
2018-02-12 19:56 ` Laszlo Ersek
2018-02-13 2:01 ` Wu, Jiaxin
2018-02-15 12:05 ` Laszlo Ersek
2018-02-11 3:30 ` Fu, Siyuan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518318916-12816-3-git-send-email-jiaxin.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox