From: "Nickle Wang"
To:
CC: Maciej Rabeda , Siyuan Fu , Abner Chang , Igor Kulchytskyy , Nick Ramirez
Subject: [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify
Date: Wed, 1 Feb 2023 11:46:36 +0800
Message-ID: <20230201034636.619-1-nicklew@nvidia.com>
Provide an option for the caller to disable TLS host verify in the HttpDxe driver. When a web server uses a self-signed certificate and the caller has no way to get the root CA from the web server, the caller can use this option to disable the TLS host verify function. This option is similar to the "-k" option in the "curl" tool. Signed-off-by: Nickle Wang Cc: Maciej Rabeda Cc: Siyuan Fu Cc: Abner Chang Cc: Igor Kulchytskyy Cc: Nick Ramirez
--- MdePkg/Include/Protocol/Http.h | 5 +++ NetworkPkg/HttpDxe/HttpProto.h | 2 ++ NetworkPkg/HttpDxe/HttpImpl.c | 2 ++ NetworkPkg/HttpDxe/HttpsSupport.c | 53 +++++++++++++++++-------------- 4 files changed, 38 insertions(+), 24 deletions(-) diff --git a/MdePkg/Include/Protocol/Http.h b/MdePkg/Include/Protocol/Http.= h index 28e6221593..21a782eaac 100644 --- a/MdePkg/Include/Protocol/Http.h +++ b/MdePkg/Include/Protocol/Http.h @@ -6,6 +6,7 @@ =20 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved= . SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Revision Reference: @@ -161,6 +162,10 @@ typedef struct { /// this instance will use EFI_DNS6_PROTOCOL and EFI_TCP6_PROTOCOL. /// BOOLEAN LocalAddressIsIPv6; + /// + /// Verify server certificate during HTTPS handshake. + /// + BOOLEAN HostCertificateVerifyDisabled; =20 union { /// diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.= h index 620eb39158..72d6b2b3b7 100644 --- a/NetworkPkg/HttpDxe/HttpProto.h +++ b/NetworkPkg/HttpDxe/HttpProto.h @@ -3,6 +3,7 @@ =20 Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -176,6 +177,7 @@ typedef struct _HTTP_PROTOCOL { EFI_TLS_PROTOCOL *Tls; EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration; EFI_TLS_SESSION_STATE TlsSessionState; + BOOLEAN TlsVerifyHost; =20 // // TlsTxData used for transmitting TLS related messages. diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c index 7c5c925cf7..df382acf33 100644 --- a/NetworkPkg/HttpDxe/HttpImpl.c +++ b/NetworkPkg/HttpDxe/HttpImpl.c @@ -3,6 +3,7 @@ =20 Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
(C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved= . =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -162,6 +163,7 @@ EfiHttpConfigure ( HttpInstance->TimeOutMillisec =3D HttpConfigData->TimeOutMillisec; HttpInstance->LocalAddressIsIPv6 =3D HttpConfigData->LocalAddressIsIPv= 6; HttpInstance->ConnectionClose =3D FALSE; + HttpInstance->TlsVerifyHost =3D (HttpConfigData->HostCertificateV= erifyDisabled ? FALSE : TRUE); =20 if (HttpConfigData->LocalAddressIsIPv6) { CopyMem ( diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index ad611e7c38..685a24b737 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -3,6 +3,7 @@ =20 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -666,24 +667,26 @@ TlsConfigureSession ( return Status; } =20 - Status =3D HttpInstance->Tls->SetSessionData ( - HttpInstance->Tls, - EfiTlsVerifyMethod, - &HttpInstance->TlsConfigData.VerifyMethod, - sizeof (EFI_TLS_VERIFY) - ); - if (EFI_ERROR (Status)) { - return Status; - } + if (HttpInstance->TlsVerifyHost) { + Status =3D HttpInstance->Tls->SetSessionData ( + HttpInstance->Tls, + EfiTlsVerifyMethod, + &HttpInstance->TlsConfigData.VerifyMetho= d, + sizeof (EFI_TLS_VERIFY) + ); + if (EFI_ERROR (Status)) { + return Status; + } =20 - Status =3D HttpInstance->Tls->SetSessionData ( - HttpInstance->Tls, - EfiTlsVerifyHost, - &HttpInstance->TlsConfigData.VerifyHost, - sizeof (EFI_TLS_VERIFY_HOST) - ); - if (EFI_ERROR (Status)) { - return Status; + Status =3D HttpInstance->Tls->SetSessionData ( + HttpInstance->Tls, + EfiTlsVerifyHost, + &HttpInstance->TlsConfigData.VerifyHost, + sizeof (EFI_TLS_VERIFY_HOST) + ); + if (EFI_ERROR (Status)) { + return Status; + } } =20 Status =3D HttpInstance->Tls->SetSessionData ( @@ -705,13 +708,15 @@ TlsConfigureSession ( return Status; } =20 - // - // Tls Config Certificate - // - Status =3D TlsConfigCertificate (HttpInstance); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); - return Status; + if (HttpInstance->TlsVerifyHost) { + // + // Tls Config Certificate + // + Status =3D TlsConfigCertificate (HttpInstance); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); + return Status; + } } =20 // --=20 2.39.1.windows.1
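Review bot: The new `BOOLEAN HostCertificateVerifyDisabled;` member in the Http.h hunk is inserted into the config structure ahead of the `union`, so every member after it moves to a new offset; this header is a public protocol header in MdePkg and the structure is the one callers pass to `EfiHttpConfigure`, so consumers built against the old layout will pass a structure the driver now reads differently. A member should not be added to a published protocol structure without the matching specification change; a PCD or a driver-private configuration path would avoid the layout break. The doc comment `/// Verify server certificate during HTTPS handshake.` also states the opposite of what TRUE does; suggest `/// Set to TRUE to skip server certificate verification during the HTTPS handshake. Defaults to FALSE.`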
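Review bot: In the HttpImpl.c hunk, `(HttpConfigData->HostCertificateVerifyDisabled ? FALSE : TRUE)` is simply `!HttpConfigData->HostCertificateVerifyDisabled`; the ternary only hides the inversion. Since this one flag now controls both the verify method and the host name check (see the HttpsSupport.c hunks), the instance field name `TlsVerifyHost` undersells what it switches off; a name that says peer verification as a whole is being disabled, plus a `DEBUG` line emitted here when the caller sets the flag, would make the configuration visible in boot logs.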
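Review bot: Guarding both `SetSessionData` calls with `if (HttpInstance->TlsVerifyHost)` in the first HttpsSupport.c hunk does more than the subject line says: skipping `EfiTlsVerifyMethod` leaves peer certificate verification at whatever the TLS driver initialized it to, and skipping `EfiTlsVerifyHost` drops the host name check, so the option turns off server authentication entirely, as the commit message's comparison with curl `-k` implies. Rather than relying on the TLS driver's initial state, set `EfiTlsVerifyMethod` explicitly (to `EFI_TLS_VERIFY_NONE`) in the disabled branch so the resulting session state does not depend on TlsDxe defaults, and state in the commit message and the Http.h comment that certificate verification, not only host verification, is being disabled.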
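Review bot: In the second HttpsSupport.c hunk the skip of `TlsConfigCertificate` is silent; the existing error path already logs `"TLS Certificate Config Error!\n"`, so an `else` with a `DEBUG ((DEBUG_WARN, ...))` saying that the session proceeds without a CA list and without peer verification would let platform integrators detect the setting from logs. Both `if (HttpInstance->TlsVerifyHost)` blocks in `TlsConfigureSession` also deserve a short comment above them explaining why the calls are skipped, since a reader of the function alone cannot tell that this is the caller's opt-out.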