From: "Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>
To: <devel@edk2.groups.io>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>,
	Zachary Clark-williams <zachary.clark-williams@intel.com>,
	Michael Brown <mcb30@ipxe.org>, Nickle Wang <nicklew@nvidia.com>,
	Igor Kulchytskyy <igork@ami.com>
Subject: [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol
Date: Sat, 30 Dec 2023 19:29:27 +0800	[thread overview]
Message-ID: <20231230112929.1711-4-abner.chang@amd.com> (raw)
In-Reply-To: <20231230112929.1711-1-abner.chang@amd.com>

From: abnchang <abnchang@amd.com>

Consume HttpsTlsConfigDataProtocol protocol installed
on the HTTP protocol handle to override the default TLS
configuration data.

Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
 NetworkPkg/HttpDxe/HttpDxe.inf    |  1 +
 NetworkPkg/HttpDxe/HttpDriver.h   |  1 +
 NetworkPkg/HttpDxe/HttpProto.h    | 10 +---
 NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
 4 files changed, 80 insertions(+), 29 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..ec58677c3f1 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
   gEfiTlsProtocolGuid                              ## SOMETIMES_CONSUMES
   gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
   gEdkiiHttpCallbackProtocolGuid                   ## SOMETIMES_CONSUMES
+  gEdkiiHttpsTlsConfigDataProtocolGuid             ## SOMETIMES_CONSUMES
 
 [Guids]
   gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..66c924e3030 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
 #include <Protocol/Tls.h>
 #include <Protocol/TlsConfig.h>
 #include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
 
 #include <Guid/ImageAuthentication.h>
 //
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 012f1f4b467..fbccffa8e71 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct {
   EFI_HTTP_METHOD           Method;
 } HTTP_TCP_TOKEN_WRAP;
 
-typedef struct {
-  EFI_TLS_VERSION           Version;
-  EFI_TLS_CONNECTION_END    ConnectionEnd;
-  EFI_TLS_VERIFY            VerifyMethod;
-  EFI_TLS_VERIFY_HOST       VerifyHost;
-  EFI_TLS_SESSION_STATE     SessionState;
-} TLS_CONFIG_DATA;
-
 //
 // Callback data for HTTP_PARSER_CALLBACK()
 //
@@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL {
 
   EFI_SERVICE_BINDING_PROTOCOL      *TlsSb;
   EFI_HANDLE                        TlsChildHandle; /// Tls ChildHandle
-  TLS_CONFIG_DATA                   TlsConfigData;
+  HTTPS_TLS_CONFIG_DATA             TlsConfigData;
   EFI_TLS_PROTOCOL                  *Tls;
   EFI_TLS_CONFIGURATION_PROTOCOL    *TlsConfiguration;
   EFI_TLS_SESSION_STATE             TlsSessionState;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index fb7c1ea59f2..96ecdd1d848 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,58 @@ IsHttpsUrl (
   return FALSE;
 }
 
+/**
+  Get application HTTP TLS configuration data from HTTP handle.
+
+  @param[in]  HttpInstance  The HTTP protocol handle instance.
+
+  @retval  EFI_SUCCESS      Application HTTP TLS configuration data is
+                            loaded in HttpInstance->TlsConfigData.
+  @retval  EFI_UNSUPPORTED  No application HTTP TLS configuration data
+
+**/
+EFI_STATUS
+GetHttpsTlsConfigData (
+  IN HTTP_PROTOCOL  *HttpInstance
+  )
+{
+  EFI_STATUS                            Status;
+  EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL  *HttpsTlsConfigData;
+
+  Status = gBS->HandleProtocol (
+                  HttpInstance->Handle,
+                  &gEdkiiHttpsTlsConfigDataProtocolGuid,
+                  (VOID **)&HttpsTlsConfigData
+                  );
+  if (EFI_ERROR (Status)) {
+    return EFI_UNSUPPORTED;
+  }
+
+  if (HttpsTlsConfigData->Version.Major >= 1) {
+    HttpInstance->TlsConfigData.ConnectionEnd = HttpsTlsConfigData->HttpsTlsConfigData.ConnectionEnd;
+    HttpInstance->TlsConfigData.SessionState  = HttpsTlsConfigData->HttpsTlsConfigData.SessionState;
+    HttpInstance->TlsConfigData.VerifyHost    = HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost;
+    HttpInstance->TlsConfigData.VerifyMethod  = HttpsTlsConfigData->HttpsTlsConfigData.VerifyMethod;
+  } else {
+    DEBUG ((
+      DEBUG_ERROR,
+      "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - %d.%d.\n",
+      __func__,
+      HttpsTlsConfigData->Version.Major,
+      HttpsTlsConfigData->Version.Minor
+      ));
+    return EFI_UNSUPPORTED;
+  }
+
+  DEBUG ((
+    DEBUG_VERBOSE,
+    "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP handle:0x%x.\n",
+    __func__,
+    HttpInstance->Handle
+    ));
+  return EFI_SUCCESS;
+}
+
 /**
   Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
 
@@ -208,6 +260,13 @@ TlsCreateChild (
     return Status;
   }
 
+  // Initial default TLS configuration data.
+  HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
+  HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
+  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
+  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+  HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
+
   return EFI_SUCCESS;
 }
 
@@ -650,14 +709,8 @@ TlsConfigureSession (
 {
   EFI_STATUS  Status;
 
-  //
-  // TlsConfigData initialization
-  //
-  HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
-  HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
-  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
-  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
-  HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
+  // Get applciation TLS configuration data.
+  GetHttpsTlsConfigData (HttpInstance);
 
   //
   // EfiTlsConnectionEnd,
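Review bot: The status of GetHttpsTlsConfigData is dropped at the call site without saying so; since EFI_UNSUPPORTED is the expected result whenever no producer is installed, make the fallback explicit, e.g. `// Apply application TLS configuration data if a producer is installed; otherwise keep the defaults set in TlsCreateChild.` followed by `(VOID)GetHttpsTlsConfigData (HttpInstance);`. The comment above the call also misspells "application". TlsConfigureSession starts and continues outside this hunk.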
@@ -685,14 +738,16 @@ TlsConfigureSession (
     return Status;
   }
 
-  Status = HttpInstance->Tls->SetSessionData (
-                                HttpInstance->Tls,
-                                EfiTlsVerifyHost,
-                                &HttpInstance->TlsConfigData.VerifyHost,
-                                sizeof (EFI_TLS_VERIFY_HOST)
-                                );
-  if (EFI_ERROR (Status)) {
-    return Status;
+  if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+    Status = HttpInstance->Tls->SetSessionData (
+                                  HttpInstance->Tls,
+                                  EfiTlsVerifyHost,
+                                  &HttpInstance->TlsConfigData.VerifyHost,
+                                  sizeof (EFI_TLS_VERIFY_HOST)
+                                  );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
   }
 
   Status = HttpInstance->Tls->SetSessionData (
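Review bot: When VerifyMethod is EFI_TLS_VERIFY_NONE this hunk skips the EfiTlsVerifyHost setup and the following hunk skips TlsConfigCertificate, so a producer of the new protocol can turn off peer and host-name verification for the connection with nothing recorded at this layer; add a warning on the skip path so platform logs show it, e.g. `} else {` / `DEBUG ((DEBUG_WARN, "%a: TLS peer verification disabled by HTTPS TLS configuration data.\n", __func__));` / `}`. One such log line at this first guard is enough; the TlsConfigCertificate guard in the next hunk can stay as is. The enclosing TlsConfigureSession starts and ends outside the hunk.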
@@ -717,10 +772,12 @@ TlsConfigureSession (
   //
   // Tls Config Certificate
   //
-  Status = TlsConfigCertificate (HttpInstance);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
-    return Status;
+  if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+    Status = TlsConfigCertificate (HttpInstance);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+      return Status;
+    }
   }
 
   //
-- 
2.37.1.windows.1





