public inbox for devel@edk2.groups.io
* [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
@ 2018-02-11  3:15 Jiaxin Wu
  2018-02-11  3:15 ` [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList Jiaxin Wu
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Jiaxin Wu @ 2018-02-11  3:15 UTC (permalink / raw)
  To: edk2-devel
  Cc: Laszlo Ersek, Kinney Michael D, Zimmer Vincent, Yao Jiewen,
	Ye Ting, Fu Siyuan, Wu Jiaxin

V2:
* Rename the file/variable name.
* Refine the error handling returned from GetVariable.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>

Jiaxin Wu (2):
  NetworkPkg: Define one private variable for HTTPS to set Tls
    CipherList.
  NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS
    session.

 NetworkPkg/HttpDxe/HttpDriver.h             |  3 +-
 NetworkPkg/HttpDxe/HttpDxe.inf              |  3 +-
 NetworkPkg/HttpDxe/HttpsSupport.c           | 92 ++++++++++++++++++++++++++++-
 NetworkPkg/Include/Guid/HttpTlsCipherList.h | 38 ++++++++++++
 NetworkPkg/NetworkPkg.dec                   |  3 +
 5 files changed, 136 insertions(+), 3 deletions(-)
 create mode 100644 NetworkPkg/Include/Guid/HttpTlsCipherList.h

-- 
1.9.5.msysgit.1




* [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList.
  2018-02-11  3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
@ 2018-02-11  3:15 ` Jiaxin Wu
  2018-02-11  3:15 ` [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session Jiaxin Wu
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Jiaxin Wu @ 2018-02-11  3:15 UTC (permalink / raw)
  To: edk2-devel
  Cc: Laszlo Ersek, Kinney Michael D, Zimmer Vincent, Yao Jiewen,
	Ye Ting, Fu Siyuan, Wu Jiaxin

v2:
* Rename the file/variable name.

This variable (HttpTlsCipherList) can be set by any platform that wants to
control its own preferred Tls CipherList for the later HTTPS session.

The valid contents of variable must follow the TLS CipherList format defined
in RFC 5246. The valid length of variable must be an integral multiple of 2.
For example, if below cipher suites are preferred:
    CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 = {0x00,0x3C}
    CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = {0x00,0x3D}
Then, the contents of variable should be:
    {0x00,0x3C,0x00,0x3D}

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/Include/Guid/HttpTlsCipherList.h | 38 +++++++++++++++++++++++++++++
 NetworkPkg/NetworkPkg.dec                   |  3 +++
 2 files changed, 41 insertions(+)
 create mode 100644 NetworkPkg/Include/Guid/HttpTlsCipherList.h

diff --git a/NetworkPkg/Include/Guid/HttpTlsCipherList.h b/NetworkPkg/Include/Guid/HttpTlsCipherList.h
new file mode 100644
index 0000000..c2e3e65
--- /dev/null
+++ b/NetworkPkg/Include/Guid/HttpTlsCipherList.h
@@ -0,0 +1,38 @@
+/** @file
+  This file defines the HttpTlsCipherList variable for HTTPS to configure Tls Cipher List.
+
+Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials are licensed and made available under
+the terms and conditions of the BSD License that accompanies this distribution.
+The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php.
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __HTTP_TLS_CIPHER_LIST_H__
+#define __HTTP_TLS_CIPHER_LIST_H__
+
+//
+// Private Variable for HTTPS to configure Tls Cipher List.
+// The valid contents of variable must follow the TLS CipherList format defined in RFC 5246. 
+// The valid length of variable must be an integral multiple of 2.
+// For example, if below cipher suites are preferred:
+// 	 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 = {0x00,0x3C}
+//   CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = {0x00,0x3D}
+// Then, the contents of variable should be:
+//   {0x00,0x3C,0x00,0x3D}
+//
+#define EDKII_HTTP_TLS_CIPHER_LIST_GUID \
+  { \
+    0x46ddb415, 0x5244, 0x49c7, { 0x93, 0x74, 0xf0, 0xe2, 0x98, 0xe7, 0xd3, 0x86 } \
+  }
+  
+#define EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE       L"HttpTlsCipherList"
+
+extern EFI_GUID gHttpTlsCipherListGuid;
+
+#endif
+
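Review bot: the comment block above EDKII_HTTP_TLS_CIPHER_LIST_GUID documents the byte layout of the variable but not the attributes it is expected to carry or who is expected to write it. Since the consumer uses the contents to choose TLS cipher suites, state here whether the variable must be boot-service only or otherwise protected from OS-time writes. Also, the first CipherSuite comment line is indented with a tab, and the "RFC 5246." comment line and the blank line before EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE carry trailing whitespace.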
diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
index 902df37..9742ad5 100644
--- a/NetworkPkg/NetworkPkg.dec
+++ b/NetworkPkg/NetworkPkg.dec
@@ -44,10 +44,13 @@
   gTlsAuthConfigGuid            = { 0xb0eae4f8, 0x9a04, 0x4c6d, { 0xa7, 0x48, 0x79, 0x3d, 0xaa, 0xf, 0x65, 0xdf }}
   
   # Include/Guid/TlsAuthentication.h
   gEfiTlsCaCertificateGuid      = { 0xfd2340D0, 0x3dab, 0x4349, { 0xa6, 0xc7, 0x3b, 0x4f, 0x12, 0xb4, 0x8e, 0xae }}
 
+  # Include/Guid/HttpTlsCipherList.h
+  gHttpTlsCipherListGuid        = { 0x46ddb415, 0x5244, 0x49c7, { 0x93, 0x74, 0xf0, 0xe2, 0x98, 0xe7, 0xd3, 0x86 }}
+
 [PcdsFixedAtBuild]
   ## The max attempt number will be created by iSCSI driver.
   # @Prompt Max attempt number.
   gEfiNetworkPkgTokenSpaceGuid.PcdMaxIScsiAttemptNumber|0x08|UINT8|0x0000000D
 
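Review bot: the new [Guids] entry names the GUID gHttpTlsCipherListGuid, while the header added in this patch uses the EDKII_ prefix for both EDKII_HTTP_TLS_CIPHER_LIST_GUID and EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE. Suggest gEdkiiHttpTlsCipherListGuid here and in the header's extern declaration so the three names match.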
-- 
1.9.5.msysgit.1
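
An added example, not part of the patch or of EDK II: a host-side check that a candidate HttpTlsCipherList payload follows the format described in the commit message above (two bytes per suite, even length) and contains only suites from an allow-list. The function names, status codes, sample payloads and the allow-list policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for this example only (hypothetical, not EFI_STATUS values). */
typedef enum {
    CL_OK = 0,
    CL_EMPTY,        /* no payload at all */
    CL_ODD_LENGTH,   /* length is not a multiple of 2 */
    CL_NOT_ALLOWED,  /* a suite is outside the allow-list */
    CL_DUPLICATE     /* a suite appears twice */
} cl_status;

/* Assumed platform policy: only the two suites named in the commit message. */
static const uint16_t kAllowed[] = {
    0x003C, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
    0x003D  /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
};

/* Constructed sample payloads, laid out as the variable contents would be. */
static const uint8_t kSampleGood[] = { 0x00, 0x3C, 0x00, 0x3D };
static const uint8_t kSampleOdd[]  = { 0x00, 0x3C, 0x00 };
static const uint8_t kSampleNull[] = { 0x00, 0x3C, 0x00, 0x3B }; /* 0x003B: TLS_RSA_WITH_NULL_SHA256 */
static const uint8_t kSampleDup[]  = { 0x00, 0x3D, 0x00, 0x3D };

/* Read entry `index` as a 16-bit suite id; the first byte is the high byte. */
static uint16_t suite_at(const uint8_t *buf, size_t index)
{
    return (uint16_t)(((unsigned)buf[2 * index] << 8) | buf[2 * index + 1]);
}

static int is_allowed(uint16_t id)
{
    size_t i;

    for (i = 0; i < sizeof kAllowed / sizeof kAllowed[0]; i++) {
        if (kAllowed[i] == id) {
            return 1;
        }
    }
    return 0;
}

/*
 * Validate a candidate payload. On CL_NOT_ALLOWED or CL_DUPLICATE the index
 * of the offending entry (not byte offset) is stored in *bad_index if given.
 */
cl_status validate_cipher_list(const uint8_t *buf, size_t len, size_t *bad_index)
{
    size_t count, i, j;

    if (buf == NULL || len == 0) {
        return CL_EMPTY;
    }
    if (len % 2 != 0) {
        return CL_ODD_LENGTH;   /* same rule as the patch's size check */
    }

    count = len / 2;
    for (i = 0; i < count; i++) {
        uint16_t id = suite_at(buf, i);

        if (!is_allowed(id)) {
            if (bad_index != NULL) {
                *bad_index = i;
            }
            return CL_NOT_ALLOWED;
        }
        for (j = 0; j < i; j++) {
            if (suite_at(buf, j) == id) {
                if (bad_index != NULL) {
                    *bad_index = i;
                }
                return CL_DUPLICATE;
            }
        }
    }
    return CL_OK;
}

int main(void)
{
    printf("good: %d\n", validate_cipher_list(kSampleGood, sizeof kSampleGood, NULL));
    printf("odd:  %d\n", validate_cipher_list(kSampleOdd, sizeof kSampleOdd, NULL));
    printf("null: %d\n", validate_cipher_list(kSampleNull, sizeof kSampleNull, NULL));
    printf("dup:  %d\n", validate_cipher_list(kSampleDup, sizeof kSampleDup, NULL));
    return 0;
}
```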




* [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.
  2018-02-11  3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
  2018-02-11  3:15 ` [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList Jiaxin Wu
@ 2018-02-11  3:15 ` Jiaxin Wu
  2018-02-12  3:05   ` Ye, Ting
  2018-02-11  3:21 ` [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Wu, Jiaxin
  2018-02-11  3:30 ` Fu, Siyuan
  3 siblings, 1 reply; 10+ messages in thread
From: Jiaxin Wu @ 2018-02-11  3:15 UTC (permalink / raw)
  To: edk2-devel
  Cc: Laszlo Ersek, Kinney Michael D, Zimmer Vincent, Yao Jiewen,
	Ye Ting, Fu Siyuan, Wu Jiaxin

v2:
* Refine the error handling returned from GetVariable.

This patch is to read the HttpTlsCipherList variable and configure it for the
later HTTPS session.

If the variable is not set by any platform, EFI_NOT_FOUND will be returned
from GetVariable service. In such a case, the default CipherList created in
TlsDxe driver will be used.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/HttpDxe/HttpDriver.h   |  3 +-
 NetworkPkg/HttpDxe/HttpDxe.inf    |  3 +-
 NetworkPkg/HttpDxe/HttpsSupport.c | 92 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 93a412a..3b7a7a2 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -1,9 +1,9 @@
 /** @file
   The header files of the driver binding and service binding protocol for HttpDxe driver.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -59,10 +59,11 @@
 // Produced Protocols
 //
 #include <Protocol/Http.h>
 
 #include <Guid/TlsAuthentication.h>
+#include <Guid/HttpTlsCipherList.h>
 
 #include <IndustryStandard/Tls1.h>
 
 //
 // Driver Version
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 20075f5..56a2472 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
 ## @file
 #  Implementation of EFI HTTP protocol interfaces.
 #
-#  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution. The full text of the license may be found at
 #  http://opensource.org/licenses/bsd-license.php.
@@ -72,10 +72,11 @@
   gEfiTlsProtocolGuid                              ## SOMETIMES_CONSUMES
   gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
 
 [Guids]
   gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ## Variable:L"TlsCaCertificate"
+  gHttpTlsCipherListGuid                           ## SOMETIMES_CONSUMES  ## Variable:L"HttpTlsCipherList"
 
 [Pcd]
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections       ## CONSUMES
   gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode    ## SOMETIMES_CONSUMES
   gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert        ## SOMETIMES_CONSUMES
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 288082a..fbe4087 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -1,9 +1,9 @@
 /** @file
   Miscellaneous routines specific to Https for HttpDxe driver.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php
@@ -492,10 +492,91 @@ TlsConfigCertificate (
   
   return Status;
 }
 
 /**
+  Read the HttpTlsCipherList variable and configure it for HTTPS session.
+
+  @param[in, out]  HttpInstance  The HTTP instance private data.
+
+  @retval EFI_SUCCESS            The prefered HTTP TLS CipherList is configured.
+  @retval EFI_NOT_FOUND          Fail to get 'HttpTlsCipherList' variable.
+  @retval EFI_INVALID_PARAMETER  The contents of variable are invalid.
+  @retval EFI_OUT_OF_RESOURCES   Can't allocate memory resources.
+
+  @retval Others                 Other error as indicated.
+
+**/
+EFI_STATUS
+TlsConfigCipherList (
+  IN OUT HTTP_PROTOCOL      *HttpInstance
+  )
+{
+  EFI_STATUS          Status;
+  UINT8               *CipherList;
+  UINTN               CipherListSize;
+
+  CipherList     = NULL;
+  CipherListSize = 0;
+
+  //
+  // Try to read the HttpTlsCipherList variable.
+  //
+  Status  = gRT->GetVariable (
+                   EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+                   &gHttpTlsCipherListGuid,
+                   NULL,
+                   &CipherListSize,
+                   NULL
+                   );
+  ASSERT (EFI_ERROR (Status));
+  if (Status != EFI_BUFFER_TOO_SMALL) {
+    return Status;
+  }
+
+  if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // Allocate buffer and read the config variable.
+  //
+  CipherList = AllocatePool (CipherListSize);
+  if (CipherList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  Status = gRT->GetVariable (
+                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+                  &gHttpTlsCipherListGuid,
+                  NULL,
+                  &CipherListSize,
+                  CipherList
+                  );
+  if (EFI_ERROR (Status)) {
+    //
+    // GetVariable still error or the variable is corrupted.
+    //
+    goto ON_EXIT;
+  }
+
+  ASSERT (CipherList != NULL);
+
+  Status = HttpInstance->Tls->SetSessionData (
+                                HttpInstance->Tls,
+                                EfiTlsCipherList,
+                                CipherList,
+                                CipherListSize
+                                );
+
+ON_EXIT:  
+  FreePool (CipherList);
+  
+  return Status;
+}
+
+/**
   Configure TLS session data.
 
   @param[in, out]  HttpInstance       The HTTP instance private data.
 
   @retval EFI_SUCCESS            TLS session data is configured.
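Review bot: both GetVariable calls in TlsConfigCipherList pass NULL for Attributes, so the list is handed to SetSessionData whatever attributes the variable was created with. Because the contents decide which cipher suites the HTTPS session offers, consider reading the attributes on the sizing call and rejecting a variable that has EFI_VARIABLE_RUNTIME_ACCESS set, or document that the platform must lock the variable before third-party code runs. Smaller points: the size check only enforces a multiple of sizeof (EFI_TLS_CIPHER) and the suite values themselves are passed through unchecked; ASSERT (CipherList != NULL) is redundant after the AllocatePool NULL check; "prefered" in the @retval EFI_SUCCESS line should be "preferred"; and the ON_EXIT: line has trailing whitespace.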
@@ -551,10 +632,19 @@ TlsConfigureSession (
   if (EFI_ERROR (Status)) {
     return Status;
   }
 
   //
+  // Tls Cipher List
+  //
+  Status = TlsConfigCipherList (HttpInstance);
+  if (EFI_ERROR (Status) && Status != EFI_NOT_FOUND) {
+    DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
+    return Status;
+  }
+
+  //
   // Tls Config Certificate
   //
   Status = TlsConfigCertificate (HttpInstance);
   if (EFI_ERROR (Status)) {
     DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
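Review bot: at the new Status != EFI_NOT_FOUND check, the fall-back to the TlsDxe default cipher list is silent, and the reason EFI_NOT_FOUND is tolerated is only in the commit message. Add a short comment above the check saying that a missing variable means the default list is used, and consider an informational DEBUG line for that path so the log shows which list the session is using. Every other error, including EFI_INVALID_PARAMETER from an odd-length variable, aborts TlsConfigureSession; if that fail-closed behaviour is intended, say so in the function header.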
-- 
1.9.5.msysgit.1




* Re: [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
  2018-02-11  3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
  2018-02-11  3:15 ` [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList Jiaxin Wu
  2018-02-11  3:15 ` [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session Jiaxin Wu
@ 2018-02-11  3:21 ` Wu, Jiaxin
  2018-02-12 19:56   ` Laszlo Ersek
  2018-02-11  3:30 ` Fu, Siyuan
  3 siblings, 1 reply; 10+ messages in thread
From: Wu, Jiaxin @ 2018-02-11  3:21 UTC (permalink / raw)
  To: edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Kinney, Michael D, Zimmer, Vincent, Yao, Jiewen,
	Ye, Ting, Fu, Siyuan

Hi Laszlo, 

Can you help to report one Bugzilla for the new feature request? It's better to describe the reason why we need support in Bugzilla.

Thanks,
Jiaxin  







* Re: [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
  2018-02-11  3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
                   ` (2 preceding siblings ...)
  2018-02-11  3:21 ` [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Wu, Jiaxin
@ 2018-02-11  3:30 ` Fu, Siyuan
  3 siblings, 0 replies; 10+ messages in thread
From: Fu, Siyuan @ 2018-02-11  3:30 UTC (permalink / raw)
  To: Wu, Jiaxin, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Kinney, Michael D, Zimmer, Vincent, Yao, Jiewen,
	Ye, Ting

Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>





* Re: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.
  2018-02-11  3:15 ` [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session Jiaxin Wu
@ 2018-02-12  3:05   ` Ye, Ting
  2018-02-12  3:08     ` Wu, Jiaxin
  0 siblings, 1 reply; 10+ messages in thread
From: Ye, Ting @ 2018-02-12  3:05 UTC (permalink / raw)
  To: Wu, Jiaxin, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Kinney, Michael D, Zimmer, Vincent, Yao, Jiewen,
	Fu, Siyuan

Hi Jiaxin,

In the following code, how about using "gEdkiiHttpTlsCipherListGuid" as the variable GUID, so as to make it consistent with the variable name?

+  Status  = gRT->GetVariable (
+                   EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+                   &gHttpTlsCipherListGuid,
+                   NULL,
+                   &CipherListSize,
+                   NULL
+                   );

Others are good to me. 
Reviewed-by:  Ye Ting <ting.ye@intel.com>

Best Regards,
Ting

-----Original Message-----
From: Wu, Jiaxin 
Sent: Sunday, February 11, 2018 11:15 AM
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Zimmer, Vincent <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Ye, Ting <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
Subject: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.

v2:
* Refine the error handling returned from GetVariable.

This patch is to read the HttpTlsCipherList variable and configure it for the later HTTPS session.

If the variable is not set by any platform, EFI_NOT_FOUND will be returned from GetVariable service. In such a case, the default CipherList created in TlsDxe driver will be used.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney Michael D <michael.d.kinney@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/HttpDxe/HttpDriver.h   |  3 +-
 NetworkPkg/HttpDxe/HttpDxe.inf    |  3 +-
 NetworkPkg/HttpDxe/HttpsSupport.c | 92 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h index 93a412a..3b7a7a2 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -1,9 +1,9 @@
 /** @file
   The header files of the driver binding and service binding protocol for HttpDxe driver.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2015 - 2018, Intel Corporation. All rights 
+ reserved.<BR>
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at @@ -59,10 +59,11 @@  // Produced Protocols  //  #include <Protocol/Http.h>
 
 #include <Guid/TlsAuthentication.h>
+#include <Guid/HttpTlsCipherList.h>
 
 #include <IndustryStandard/Tls1.h>
 
 //
 // Driver Version
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf index 20075f5..56a2472 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
 ## @file
 #  Implementation of EFI HTTP protocol interfaces.
 #
-#  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2018, Intel Corporation. All rights 
+reserved.<BR>
 #
 #  This program and the accompanying materials  #  are licensed and made available under the terms and conditions of the BSD License  #  which accompanies this distribution. The full text of the license may be found at  #  http://opensource.org/licenses/bsd-license.php.
@@ -72,10 +72,11 @@
   gEfiTlsProtocolGuid                              ## SOMETIMES_CONSUMES
   gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
 
 [Guids]
   gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ## Variable:L"TlsCaCertificate"
+  gHttpTlsCipherListGuid                           ## SOMETIMES_CONSUMES  ## Variable:L"HttpTlsCipherList"
 
 [Pcd]
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections       ## CONSUMES
   gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode    ## SOMETIMES_CONSUMES
   gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert        ## SOMETIMES_CONSUMES
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 288082a..fbe4087 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -1,9 +1,9 @@
 /** @file
   Miscellaneous routines specific to Https for HttpDxe driver.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>  This program and the accompanying materials  are licensed and made available under the terms and conditions of the BSD License  which accompanies this distribution.  The full text of the license may be found at  http://opensource.org/licenses/bsd-license.php
@@ -492,10 +492,91 @@ TlsConfigCertificate (
   
   return Status;
 }
 
 /**
+  Read the HttpTlsCipherList variable and configure it for HTTPS session.
+
+  @param[in, out]  HttpInstance  The HTTP instance private data.
+
+  @retval EFI_SUCCESS            The prefered HTTP TLS CipherList is configured.
+  @retval EFI_NOT_FOUND          Fail to get 'HttpTlsCipherList' variable.
+  @retval EFI_INVALID_PARAMETER  The contents of variable are invalid.
+  @retval EFI_OUT_OF_RESOURCES   Can't allocate memory resources.
+
+  @retval Others                 Other error as indicated.
+
+**/
+EFI_STATUS
+TlsConfigCipherList (
+  IN OUT HTTP_PROTOCOL      *HttpInstance
+  )
+{
+  EFI_STATUS          Status;
+  UINT8               *CipherList;
+  UINTN               CipherListSize;
+
+  CipherList     = NULL;
+  CipherListSize = 0;
+
+  //
+  // Try to read the HttpTlsCipherList variable.
+  //
+  Status  = gRT->GetVariable (
+                   EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+                   &gHttpTlsCipherListGuid,
+                   NULL,
+                   &CipherListSize,
+                   NULL
+                   );
+  ASSERT (EFI_ERROR (Status));
+  if (Status != EFI_BUFFER_TOO_SMALL) {
+    return Status;
+  }
+
+  if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // Allocate buffer and read the config variable.
+  //
+  CipherList = AllocatePool (CipherListSize);  if (CipherList == NULL) 
+ {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  Status = gRT->GetVariable (
+                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+                  &gHttpTlsCipherListGuid,
+                  NULL,
+                  &CipherListSize,
+                  CipherList
+                  );
+  if (EFI_ERROR (Status)) {
+    //
+    // GetVariable still error or the variable is corrupted.
+    //
+    goto ON_EXIT;
+  }
+
+  ASSERT (CipherList != NULL);
+
+  Status = HttpInstance->Tls->SetSessionData (
+                                HttpInstance->Tls,
+                                EfiTlsCipherList,
+                                CipherList,
+                                CipherListSize
+                                );
+
+ON_EXIT:  
+  FreePool (CipherList);
+  
+  return Status;
+}
+
+/**
   Configure TLS session data.
 
   @param[in, out]  HttpInstance       The HTTP instance private data.
 
   @retval EFI_SUCCESS            TLS session data is configured.
@@ -551,10 +632,19 @@ TlsConfigureSession (
   if (EFI_ERROR (Status)) {
     return Status;
   }
 
   //
+  // Tls Cipher List
+  //
+  Status = TlsConfigCipherList (HttpInstance);  if (EFI_ERROR (Status) 
+ && Status != EFI_NOT_FOUND) {
+    DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
+    return Status;
+  }
+
+  //
   // Tls Config Certificate
   //
   Status = TlsConfigCertificate (HttpInstance);
   if (EFI_ERROR (Status)) {
     DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
--
1.9.5.msysgit.1




* Re: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.
  2018-02-12  3:05   ` Ye, Ting
@ 2018-02-12  3:08     ` Wu, Jiaxin
  0 siblings, 0 replies; 10+ messages in thread
From: Wu, Jiaxin @ 2018-02-12  3:08 UTC (permalink / raw)
  To: Ye, Ting, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Kinney, Michael D, Zimmer, Vincent, Yao, Jiewen,
	Fu, Siyuan

Thanks for the comment, I will integrate it when I commit the patch.



> -----Original Message-----
> From: Ye, Ting
> Sent: Monday, February 12, 2018 11:06 AM
> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Fu,
> Siyuan <siyuan.fu@intel.com>
> Subject: RE: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and
> configure it for HTTPS session.
> 
> Hi Jiaxin,
> 
> In following code, how about use "gEdkiiHttpTlsCipherListGuid" as the
> variable GUID as to make it consistent with the variable name?
> 
> +  Status  = gRT->GetVariable (
> +                   EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> +                   &gHttpTlsCipherListGuid,
> +                   NULL,
> +                   &CipherListSize,
> +                   NULL
> +                   );
> 
> Others are good to me.
> Reviewed-by:  Ye Ting <ting.ye@intel.com>
> 
> Best Regards,
> Ting
> 
> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Sunday, February 11, 2018 11:15 AM
> To: edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Ye,
> Ting <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin
> <jiaxin.wu@intel.com>
> Subject: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and
> configure it for HTTPS session.
> 
> v2:
> * Refine the error handling returned from GetVariable.
> 
> This patch is to read the HttpTlsCipherList variable and configure it for the
> later HTTPS session.
> 
> If the variable is not set by any platform, EFI_NOT_FOUND will be returned
> from GetVariable service. In such a case, the default CipherList created in
> TlsDxe driver will be used.
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Kinney Michael D <michael.d.kinney@intel.com>
> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  NetworkPkg/HttpDxe/HttpDriver.h   |  3 +-
>  NetworkPkg/HttpDxe/HttpDxe.inf    |  3 +-
>  NetworkPkg/HttpDxe/HttpsSupport.c | 92
> ++++++++++++++++++++++++++++++++++++++-
>  3 files changed, 95 insertions(+), 3 deletions(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpDriver.h
> b/NetworkPkg/HttpDxe/HttpDriver.h index 93a412a..3b7a7a2 100644
> --- a/NetworkPkg/HttpDxe/HttpDriver.h
> +++ b/NetworkPkg/HttpDxe/HttpDriver.h
> @@ -1,9 +1,9 @@
>  /** @file
>    The header files of the driver binding and service binding protocol for
> HttpDxe driver.
> 
> -  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2015 - 2018, Intel Corporation. All rights
> + reserved.<BR>
>    (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> 
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the BSD
> License
>    which accompanies this distribution.  The full text of the license may be
> found at @@ -59,10 +59,11 @@  // Produced Protocols  //  #include
> <Protocol/Http.h>
> 
>  #include <Guid/TlsAuthentication.h>
> +#include <Guid/HttpTlsCipherList.h>
> 
>  #include <IndustryStandard/Tls1.h>
> 
>  //
>  // Driver Version
> diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf
> b/NetworkPkg/HttpDxe/HttpDxe.inf index 20075f5..56a2472 100644
> --- a/NetworkPkg/HttpDxe/HttpDxe.inf
> +++ b/NetworkPkg/HttpDxe/HttpDxe.inf
> @@ -1,9 +1,9 @@
>  ## @file
>  #  Implementation of EFI HTTP protocol interfaces.
>  #
> -#  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2015 - 2018, Intel Corporation. All rights
> +reserved.<BR>
>  #
>  #  This program and the accompanying materials  #  are licensed and made
> available under the terms and conditions of the BSD License  #  which
> accompanies this distribution. The full text of the license may be found at  #
> http://opensource.org/licenses/bsd-license.php.
> @@ -72,10 +72,11 @@
>    gEfiTlsProtocolGuid                              ## SOMETIMES_CONSUMES
>    gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
> 
>  [Guids]
>    gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ##
> Variable:L"TlsCaCertificate"
> +  gHttpTlsCipherListGuid                           ## SOMETIMES_CONSUMES  ##
> Variable:L"HttpTlsCipherList"
> 
>  [Pcd]
>    gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections       ##
> CONSUMES
>    gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode    ##
> SOMETIMES_CONSUMES
>    gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert        ##
> SOMETIMES_CONSUMES
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 288082a..fbe4087 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -1,9 +1,9 @@
>  /** @file
>    Miscellaneous routines specific to Https for HttpDxe driver.
> 
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
>  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>  This
> program and the accompanying materials  are licensed and made available
> under the terms and conditions of the BSD License  which accompanies this
> distribution.  The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
> @@ -492,10 +492,91 @@ TlsConfigCertificate (
> 
>    return Status;
>  }
> 
>  /**
> +  Read the HttpTlsCipherList variable and configure it for HTTPS session.
> +
> +  @param[in, out]  HttpInstance  The HTTP instance private data.
> +
> +  @retval EFI_SUCCESS            The prefered HTTP TLS CipherList is configured.
> +  @retval EFI_NOT_FOUND          Fail to get 'HttpTlsCipherList' variable.
> +  @retval EFI_INVALID_PARAMETER  The contents of variable are invalid.
> +  @retval EFI_OUT_OF_RESOURCES   Can't allocate memory resources.
> +
> +  @retval Others                 Other error as indicated.
> +
> +**/
> +EFI_STATUS
> +TlsConfigCipherList (
> +  IN OUT HTTP_PROTOCOL      *HttpInstance
> +  )
> +{
> +  EFI_STATUS          Status;
> +  UINT8               *CipherList;
> +  UINTN               CipherListSize;
> +
> +  CipherList     = NULL;
> +  CipherListSize = 0;
> +
> +  //
> +  // Try to read the HttpTlsCipherList variable.
> +  //
> +  Status  = gRT->GetVariable (
> +                   EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> +                   &gHttpTlsCipherListGuid,
> +                   NULL,
> +                   &CipherListSize,
> +                   NULL
> +                   );
> +  ASSERT (EFI_ERROR (Status));
> +  if (Status != EFI_BUFFER_TOO_SMALL) {
> +    return Status;
> +  }
> +
> +  if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  //
> +  // Allocate buffer and read the config variable.
> +  //
> +  CipherList = AllocatePool (CipherListSize);  if (CipherList == NULL)
> + {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  Status = gRT->GetVariable (
> +                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> +                  &gHttpTlsCipherListGuid,
> +                  NULL,
> +                  &CipherListSize,
> +                  CipherList
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    //
> +    // GetVariable still error or the variable is corrupted.
> +    //
> +    goto ON_EXIT;
> +  }
> +
> +  ASSERT (CipherList != NULL);
> +
> +  Status = HttpInstance->Tls->SetSessionData (
> +                                HttpInstance->Tls,
> +                                EfiTlsCipherList,
> +                                CipherList,
> +                                CipherListSize
> +                                );
> +
> +ON_EXIT:
> +  FreePool (CipherList);
> +
> +  return Status;
> +}
> +
> +/**
>    Configure TLS session data.
> 
>    @param[in, out]  HttpInstance       The HTTP instance private data.
> 
>    @retval EFI_SUCCESS            TLS session data is configured.
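
Review bot: both GetVariable calls in TlsConfigCipherList pass NULL for the Attributes argument, so the cipher list is accepted whatever attributes the variable carries and is then handed to SetSessionData as EfiTlsCipherList. Because the variable's contents decide which cipher suites the HTTPS session may negotiate, consider fetching the attributes and rejecting a variable that does not match what the platform is expected to create, or state in the function header that protecting HttpTlsCipherList from untrusted writers is the platform's responsibility. Smaller points in the same function: `ASSERT (CipherList != NULL)` after the second GetVariable is redundant, since the allocation check above it already returns EFI_OUT_OF_RESOURCES, and "prefered" in the @retval EFI_SUCCESS line should read "preferred".
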
> @@ -551,10 +632,19 @@ TlsConfigureSession (
>    if (EFI_ERROR (Status)) {
>      return Status;
>    }
> 
>    //
> +  // Tls Cipher List
> +  //
> +  Status = TlsConfigCipherList (HttpInstance);  if (EFI_ERROR (Status)
> + && Status != EFI_NOT_FOUND) {
> +    DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
> +    return Status;
> +  }
> +
> +  //
>    // Tls Config Certificate
>    //
>    Status = TlsConfigCertificate (HttpInstance);
>    if (EFI_ERROR (Status)) {
>      DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
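
Review bot: in TlsConfigureSession the test `EFI_ERROR (Status) && Status != EFI_NOT_FOUND` continues silently when the variable is absent but fails the whole session for every other status, including the EFI_INVALID_PARAMETER that TlsConfigCipherList returns when the variable size is not a multiple of sizeof (EFI_TLS_CIPHER). Failing closed on a malformed setting is reasonable, but the "Tls Cipher List" comment above the call should say so explicitly (the variable is optional, a present-but-invalid one aborts configuration). Consider also a DEBUG message on the EFI_NOT_FOUND path so the logs show that no platform cipher list was applied.
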
> --
> 1.9.5.msysgit.1




* Re: [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
  2018-02-11  3:21 ` [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Wu, Jiaxin
@ 2018-02-12 19:56   ` Laszlo Ersek
  2018-02-13  2:01     ` Wu, Jiaxin
  0 siblings, 1 reply; 10+ messages in thread
From: Laszlo Ersek @ 2018-02-12 19:56 UTC (permalink / raw)
  To: Wu, Jiaxin, edk2-devel@lists.01.org
  Cc: Zimmer, Vincent, Ye, Ting, Yao, Jiewen, Kinney, Michael D,
	Fu, Siyuan

Hi Jiaxin,

On 02/11/18 04:21, Wu, Jiaxin wrote:
> Hi Laszlo, 
> 
> Can you help to report one Bugzilla for the new feature request? It's better to describe the reason why we need support in Bugzilla.

I've filed <https://bugzilla.tianocore.org/show_bug.cgi?id=875>. Thank
you for the patches!

Laszlo





* Re: [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
  2018-02-12 19:56   ` Laszlo Ersek
@ 2018-02-13  2:01     ` Wu, Jiaxin
  2018-02-15 12:05       ` Laszlo Ersek
  0 siblings, 1 reply; 10+ messages in thread
From: Wu, Jiaxin @ 2018-02-13  2:01 UTC (permalink / raw)
  To: Laszlo Ersek, edk2-devel@lists.01.org
  Cc: Ye, Ting, Yao, Jiewen, Fu, Siyuan, Kinney, Michael D,
	Zimmer, Vincent

Thanks Laszlo.

If no other comments, I will commit this patch by the end of today.

Best Regards!
Jiaxin




* Re: [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList.
  2018-02-13  2:01     ` Wu, Jiaxin
@ 2018-02-15 12:05       ` Laszlo Ersek
  0 siblings, 0 replies; 10+ messages in thread
From: Laszlo Ersek @ 2018-02-15 12:05 UTC (permalink / raw)
  To: Wu, Jiaxin, edk2-devel@lists.01.org
  Cc: Ye, Ting, Kinney, Michael D, Fu, Siyuan, Zimmer, Vincent,
	Yao, Jiewen

Hi Jiaxin,

On 02/13/18 03:01, Wu, Jiaxin wrote:
> Thanks Laszlo.
> 
> If no other comments, I will commit this patch by the end of today.

Thank you again for the patches. I have a workflow-related request:
please do not add my "Reviewed-by" to patches for which I didn't post a
"Reviewed-by" *verbatim* to the mailing list. I'm thankful to you for
both the discussion and for the implementation. However, I didn't do a
meticulous review for these patches, and therefore a Reviewed-by in my
name does not match reality; it mis-represents my participation.

There's nothing to do about commits e34914db193f and 7ff68b5edc9f now; I'm
just asking for a more careful handling of Reviewed-by tags in the future.

Thank you!
Laszlo

