From: "Chang, Abner via groups.io"
To:
CC: Saloni Kasbekar, Zachary Clark-williams, Michael Brown, Nickle Wang, Igor Kulchytskyy
Subject: [edk2-devel] [RFC][PATCH 2/2] NetworkPkg: Check platform TLS policy
Date: Tue, 26 Dec 2023 19:28:39 +0800
Message-ID: <20231226112839.1152-3-abner.chang@amd.com>
In-Reply-To: <20231226112839.1152-1-abner.chang@amd.com>
References: <20231226112839.1152-1-abner.chang@amd.com>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
From: Abner Chang

Go through each EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL protocol instance to check if platform HTTPS TLS policy is provided.

Signed-off-by: Abner Chang
Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Cc: Michael Brown
Cc: Nickle Wang
Cc: Igor Kulchytskyy
--- NetworkPkg/HttpDxe/HttpDxe.inf | 1 + NetworkPkg/HttpDxe/HttpDriver.h | 1 + NetworkPkg/HttpDxe/HttpsSupport.c | 117 +++++++++++++++++++++++++++--- 3 files changed, 107 insertions(+), 12 deletions(-) diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.in= f index c9502d0bb6d..7699bd9cc17 100644 --- a/NetworkPkg/HttpDxe/HttpDxe.inf +++ b/NetworkPkg/HttpDxe/HttpDxe.inf @@ -66,6 +66,7 @@ gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiHttpsTlsPlatformPolicyProtocolGuid ## SOMETIMES_CONSUMES =20 [Guids] gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES = ## Variable:L"TlsCaCertificate" diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDrive= r.h index 01a6bb7f4b7..5554befad4d 100644 --- a/NetworkPkg/HttpDxe/HttpDriver.h +++ b/NetworkPkg/HttpDxe/HttpDriver.h @@ -48,6 +48,7 @@ #include #include #include +#include =20 #include // diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 7330be42c00..354e5cfc79c 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c 
@@ -131,6 +131,93 @@ IsHttpsUrl ( return FALSE; } =20 +/** + Locate all EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instances and go thr= ough each + to check if platform HTTPS TLS policy is provided. + + @param[in] HttpHandle The HTTP protocol handle. + @param[in, out] TlsConfigData Pointer to TLS_CONFIG_DATA of this H= TTP instance. + +**/ +VOID +HttpsPlatformTlsPolicy ( + IN EFI_HANDLE HttpHandle, + IN OUT TLS_CONFIG_DATA *TlsConfigData + ) +{ + EFI_STATUS Status; + UINTN NumHandles; + EFI_HANDLE *HandleBuffer; + EFI_HANDLE *HandleBufferIndex; + EDKII_PLATFORM_HTTPS_TLS_CONFIG_DATA PlatformHttpsTlsPolicy; + EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL *ProtocolInterface; + + if ((HttpHandle =3D=3D NULL) || (TlsConfigData =3D=3D NULL)) { + return; + } + + Status =3D gBS->LocateHandleBuffer ( + ByProtocol, + &gEdkiiHttpsTlsPlatformPolicyProtocolGuid, + NULL, + &NumHandles, + &HandleBuffer + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "%a: There is no EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance i= s installed for HTTP this handle:0x%x.\n", + __func__, + HttpHandle + )); + return; + } + + HandleBufferIndex =3D HandleBuffer; + while (NumHandles !=3D 0) { + Status =3D gBS->HandleProtocol ( + *HandleBufferIndex, + &gEdkiiHttpsTlsPlatformPolicyProtocolGuid, + (VOID **)&ProtocolInterface + ); + if (!EFI_ERROR (Status)) { + Status =3D ProtocolInterface->PlatformGetPolicy ( + *HandleBufferIndex, + HttpHandle, + &PlatformHttpsTlsPolicy + ); + if (!EFI_ERROR (Status)) { + if ((PlatformHttpsTlsPolicy.Version.Major =3D=3D 1) && (PlatformHt= tpsTlsPolicy.Version.Minor =3D=3D 0)) { + // + // HTTPS platform TLS policy config data version 1.0. 
+ // + TlsConfigData->ConnectionEnd =3D PlatformHttpsTlsPolicy.Connecti= onEnd; + TlsConfigData->VerifyHost =3D PlatformHttpsTlsPolicy.VerifyHo= st; + TlsConfigData->VerifyMethod =3D PlatformHttpsTlsPolicy.VerifyMe= thod; + Status =3D EFI_SUCCESS; + break; + } + } + } + + HandleBufferIndex++; + NumHandles--; + Status =3D EFI_NOT_FOUND; + } + + FreePool ((VOID *)HandleBuffer); + if (!EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "%a: There is a EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance in= stalled for this HTTP handle:0x%x.\n", + __func__, + HttpHandle + )); + } + + return; +} + /** Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURAT= ION_PROTOCOL. =20 @@ -650,6 +737,8 @@ TlsConfigureSession ( HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->Remote= Host; HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStar= ted; =20 + HttpsPlatformTlsPolicy (HttpInstance->Handle, &HttpInstance->TlsConfigDa= ta); + // // EfiTlsConnectionEnd, // EfiTlsVerifyMethod, @@ -676,14 +765,16 @@ TlsConfigureSession ( return Status; } =20 - Status =3D HttpInstance->Tls->SetSessionData ( - HttpInstance->Tls, - EfiTlsVerifyHost, - &HttpInstance->TlsConfigData.VerifyHost, - sizeof (EFI_TLS_VERIFY_HOST) - ); - if (EFI_ERROR (Status)) { - return Status; + if (HttpInstance->TlsConfigData.VerifyMethod !=3D EFI_TLS_VERIFY_NONE) { + Status =3D HttpInstance->Tls->SetSessionData ( + HttpInstance->Tls, + EfiTlsVerifyHost, + &HttpInstance->TlsConfigData.VerifyHost, + sizeof (EFI_TLS_VERIFY_HOST) + ); + if (EFI_ERROR (Status)) { + return Status; + } } =20 Status =3D HttpInstance->Tls->SetSessionData ( 
@@ -708,10 +799,12 @@ TlsConfigureSession ( // // Tls Config Certificate // - Status =3D TlsConfigCertificate (HttpInstance); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); - return Status; + if (HttpInstance->TlsConfigData.VerifyMethod !=3D EFI_TLS_VERIFY_NONE) { + Status =3D TlsConfigCertificate (HttpInstance); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); + return Status; + } } =20 // --=20 2.37.1.windows.1 
View/Reply Online (#112913): https://edk2.groups.io/g/devel/message/112913
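Review bot: in the HttpsPlatformTlsPolicy hunk (@@ -131,6 +131,93 @@ in HttpsSupport.c), a policy whose Version is anything other than 1.0 is dropped silently and the loop simply moves to the next handle; add a DEBUG line for the unsupported version so a platform that ships a newer policy structure can see why its settings were ignored. In the same hunk, the first handle whose PlatformGetPolicy returns a 1.0 policy wins and LocateHandleBuffer gives no defined order, so the function comment should state that a single policy provider is expected (or define the tie-break); since that policy can set VerifyMethod to EFI_TLS_VERIFY_NONE, which the later hunks turn into "no host-name check and no CA certificate load", that case deserves a DEBUG_WARN of its own rather than the generic "instance installed" message. Smaller points: `Status = EFI_SUCCESS;` just before the `break` is redundant (Status is already success on that path), the two DEBUG strings read awkwardly ("There is no ... instance is installed for HTTP this handle", "There is a ... instance"), and an EFI_HANDLE should be printed with %p rather than %x.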
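Review bot: in the TlsConfigureSession hunk (@@ -650,6 +737,8 @@), the new call to HttpsPlatformTlsPolicy lands immediately after `HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;`, and HttpsPlatformTlsPolicy assigns the platform's whole VerifyHost structure over TlsConfigData->VerifyHost, so the HostName just taken from RemoteHost is replaced by whatever the platform put there (NULL if it only filled in Flags). Either copy only VerifyHost.Flags from the policy, or restore `HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;` after the call, so host-name verification still checks the host this instance is actually connecting to.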
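Review bot: in the @@ -676,14 +765,16 @@ hunk, skipping SetSessionData (EfiTlsVerifyHost) when VerifyMethod is EFI_TLS_VERIFY_NONE is consistent with the new policy, but nothing records that this session now runs without server authentication; add an else branch with a DEBUG_WARN stating that the platform policy disabled peer verification for this handle, and say the same in the commit message, since the unconditional host-name and certificate configuration this replaces is the secure default being relaxed.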
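Review bot: in the @@ -708,10 +799,12 @@ hunk, TlsConfigCertificate and its error return are now skipped entirely when VerifyMethod is EFI_TLS_VERIFY_NONE, so a configuration that previously aborted with "TLS Certificate Config Error!" proceeds to the handshake; that is the intent, but the same `VerifyMethod != EFI_TLS_VERIFY_NONE` test now appears twice in TlsConfigureSession, so factor it into one local boolean with a comment explaining that both the host-name check and the CA certificate load are deliberately bypassed under a platform policy of EFI_TLS_VERIFY_NONE, and name that bypass in the commit message.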