From: "Nickle Wang" <nicklew@nvidia.com>
To: <devel@edk2.groups.io>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>,
Siyuan Fu <siyuan.fu@intel.com>,
Abner Chang <abner.chang@amd.com>,
Igor Kulchytskyy <igork@ami.com>,
Nick Ramirez <nramirez@nvidia.com>
Subject: [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify
Date: Wed, 1 Feb 2023 11:46:36 +0800 [thread overview]
Message-ID: <20230201034636.619-1-nicklew@nvidia.com> (raw)
Provide an option for the caller to disable TLS host verification in the
HttpDxe driver. When the web server uses a self-signed certificate and the
caller has no way to obtain the root CA for that server, the caller can use
this option to disable the TLS host verification function. This option is
similar to the "-k" option of the "curl" tool.
Signed-off-by: Nickle Wang <nicklew@nvidia.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Igor Kulchytskyy <igork@ami.com>
Cc: Nick Ramirez <nramirez@nvidia.com>
---
MdePkg/Include/Protocol/Http.h | 5 +++
NetworkPkg/HttpDxe/HttpProto.h | 2 ++
NetworkPkg/HttpDxe/HttpImpl.c | 2 ++
NetworkPkg/HttpDxe/HttpsSupport.c | 53 +++++++++++++++++--------------
4 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/MdePkg/Include/Protocol/Http.h b/MdePkg/Include/Protocol/Http.h
index 28e6221593..21a782eaac 100644
--- a/MdePkg/Include/Protocol/Http.h
+++ b/MdePkg/Include/Protocol/Http.h
@@ -6,6 +6,7 @@
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015-2017 Hewlett Packard Enterprise Development LP<BR>
+ Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Revision Reference:
@@ -161,6 +162,10 @@ typedef struct {
/// this instance will use EFI_DNS6_PROTOCOL and EFI_TCP6_PROTOCOL.
///
BOOLEAN LocalAddressIsIPv6;
+ ///
+ /// Verify server certificate during HTTPS handshake.
+ ///
+ BOOLEAN HostCertificateVerifyDisabled;
union {
///
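Review bot: The doc comment on the new member says the opposite of what the member's name and its use in HttpImpl.c imply: `HostCertificateVerifyDisabled` is TRUE to turn verification off, but the comment reads "Verify server certificate during HTTPS handshake." Suggest `/// Set to TRUE to skip server certificate verification during the HTTPS handshake; the zero value keeps verification enabled.` This header is MdePkg's UEFI protocol definition and the struct appears to be EFI_HTTP_CONFIG_DATA; inserting a member before the union changes a spec-defined layout, so the commit message should state how the new field relates to the specification. The enclosing typedef starts and ends outside the hunk.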
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 620eb39158..72d6b2b3b7 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -3,6 +3,7 @@
Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -176,6 +177,7 @@ typedef struct _HTTP_PROTOCOL {
EFI_TLS_PROTOCOL *Tls;
EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration;
EFI_TLS_SESSION_STATE TlsSessionState;
+ BOOLEAN TlsVerifyHost;
//
// TlsTxData used for transmitting TLS related messages.
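Review bot: `TlsVerifyHost` is added without a comment, and its name understates what it controls: in the HttpsSupport.c hunks it gates the EfiTlsVerifyMethod call as well as the EfiTlsVerifyHost call, and it also gates TlsConfigCertificate, so FALSE switches off server certificate verification as a whole rather than only host-name matching. Either rename it to match that scope (for example `TlsVerifyPeer`, together with the public field) or document the real meaning: `// FALSE when the caller set HostCertificateVerifyDisabled; TlsConfigureSession then skips EfiTlsVerifyMethod, EfiTlsVerifyHost and TlsConfigCertificate.` The same naming point applies to the HttpImpl.c and HttpsSupport.c hunks. The enclosing _HTTP_PROTOCOL struct starts and ends outside the hunk.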
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index 7c5c925cf7..df382acf33 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -3,6 +3,7 @@
Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP<BR>
+ Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -162,6 +163,7 @@ EfiHttpConfigure (
HttpInstance->TimeOutMillisec = HttpConfigData->TimeOutMillisec;
HttpInstance->LocalAddressIsIPv6 = HttpConfigData->LocalAddressIsIPv6;
HttpInstance->ConnectionClose = FALSE;
+ HttpInstance->TlsVerifyHost = (HttpConfigData->HostCertificateVerifyDisabled ? FALSE : TRUE);
if (HttpConfigData->LocalAddressIsIPv6) {
CopyMem (
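Review bot: The new assignment spells a boolean negation as a ternary; `HttpInstance->TlsVerifyHost = !HttpConfigData->HostCertificateVerifyDisabled;` says the same thing directly. Because this line is where a caller opts out of server certificate verification, it is also the natural place to make that visible in the platform log, e.g. `if (!HttpInstance->TlsVerifyHost) { DEBUG ((DEBUG_WARN, "HttpDxe: TLS server certificate verification disabled by caller\n")); }`, so that a connection configured without verification can be recognised from the debug output. EfiHttpConfigure continues outside the hunk.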
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index ad611e7c38..685a24b737 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -3,6 +3,7 @@
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -666,24 +667,26 @@ TlsConfigureSession (
return Status;
}
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyMethod,
- &HttpInstance->TlsConfigData.VerifyMethod,
- sizeof (EFI_TLS_VERIFY)
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
+ if (HttpInstance->TlsVerifyHost) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyMethod,
+ &HttpInstance->TlsConfigData.VerifyMethod,
+ sizeof (EFI_TLS_VERIFY)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
Status = HttpInstance->Tls->SetSessionData (
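Review bot: When `TlsVerifyHost` is FALSE this branch never calls SetSessionData for EfiTlsVerifyMethod, so the session keeps whatever verify mode the TLS driver started it with (not visible here) instead of a value this driver chose, and if that default ever changes the effective behaviour of the opt-out changes silently. An explicit `else` branch that sets `TlsConfigData.VerifyMethod` to EFI_TLS_VERIFY_NONE and pushes it into the session makes the opt-out deterministic and gives one place to audit. The second hunk in this file, which skips TlsConfigCertificate under the same flag, is consistent with that; the naming of the flag is raised on the HttpProto.h hunk. TlsConfigureSession starts and ends outside the hunk.
```c
  if (HttpInstance->TlsVerifyHost) {
    // … unchanged: EfiTlsVerifyMethod and EfiTlsVerifyHost SetSessionData calls …
  } else {
    //
    // Caller opted out of server certificate verification. Record that choice
    // in the session explicitly instead of relying on the TLS driver's
    // initial verify mode.
    //
    HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_NONE;
    Status = HttpInstance->Tls->SetSessionData (
                                  HttpInstance->Tls,
                                  EfiTlsVerifyMethod,
                                  &HttpInstance->TlsConfigData.VerifyMethod,
                                  sizeof (EFI_TLS_VERIFY)
                                  );
    if (EFI_ERROR (Status)) {
      return Status;
    }
  }
```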
@@ -705,13 +708,15 @@ TlsConfigureSession (
return Status;
}
- //
- // Tls Config Certificate
- //
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsVerifyHost) {
+ //
+ // Tls Config Certificate
+ //
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
}
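Review bot: The comment on the now-conditional block still reads `// Tls Config Certificate` and gives no hint that the CA load is skipped on purpose; a reader has to trace `TlsVerifyHost` back through HttpProto.h and HttpImpl.c to learn why. Suggest `// Tls Config Certificate (skipped when the caller disabled server certificate verification via HostCertificateVerifyDisabled)`. TlsConfigureSession starts and ends outside the hunk.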
//
--
2.39.1.windows.1