From: "Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>
To: <devel@edk2.groups.io>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>,
Zachary Clark-williams <zachary.clark-williams@intel.com>,
Michael Brown <mcb30@ipxe.org>, Nickle Wang <nicklew@nvidia.com>,
Igor Kulchytskyy <igork@ami.com>
Subject: [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol
Date: Sat, 30 Dec 2023 19:29:27 +0800 [thread overview]
Message-ID: <20231230112929.1711-4-abner.chang@amd.com> (raw)
In-Reply-To: <20231230112929.1711-1-abner.chang@amd.com>
From: abnchang <abnchang@amd.com>
Consume the HttpsTlsConfigDataProtocol instance installed
on the HTTP protocol handle to override the default TLS
configuration data.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
NetworkPkg/HttpDxe/HttpDriver.h | 1 +
NetworkPkg/HttpDxe/HttpProto.h | 10 +---
NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
4 files changed, 80 insertions(+), 29 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..ec58677c3f1 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiHttpsTlsConfigDataProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..66c924e3030 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
#include <Protocol/Tls.h>
#include <Protocol/TlsConfig.h>
#include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
#include <Guid/ImageAuthentication.h>
//
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 012f1f4b467..fbccffa8e71 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct {
EFI_HTTP_METHOD Method;
} HTTP_TCP_TOKEN_WRAP;
-typedef struct {
- EFI_TLS_VERSION Version;
- EFI_TLS_CONNECTION_END ConnectionEnd;
- EFI_TLS_VERIFY VerifyMethod;
- EFI_TLS_VERIFY_HOST VerifyHost;
- EFI_TLS_SESSION_STATE SessionState;
-} TLS_CONFIG_DATA;
-
//
// Callback data for HTTP_PARSER_CALLBACK()
//
@@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL {
EFI_SERVICE_BINDING_PROTOCOL *TlsSb;
EFI_HANDLE TlsChildHandle; /// Tls ChildHandle
- TLS_CONFIG_DATA TlsConfigData;
+ HTTPS_TLS_CONFIG_DATA TlsConfigData;
EFI_TLS_PROTOCOL *Tls;
EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration;
EFI_TLS_SESSION_STATE TlsSessionState;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index fb7c1ea59f2..96ecdd1d848 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,58 @@ IsHttpsUrl (
return FALSE;
}
+/**
+ Get application HTTP TLS configuration data from HTTP handle.
+
+ @param[in] HttpInstance The HTTP protocol handle instance.
+
+ @retval EFI_SUCCESS Application HTTP TLS configuration data is
+ loaded in HttpInstance->TlsConfigData.
+ @retval EFI_UNSUPPORTED No application HTTP TLS configuration data
+
+**/
+EFI_STATUS
+GetHttpsTlsConfigData (
+ IN HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL *HttpsTlsConfigData;
+
+ Status = gBS->HandleProtocol (
+ HttpInstance->Handle,
+ &gEdkiiHttpsTlsConfigDataProtocolGuid,
+ (VOID **)&HttpsTlsConfigData
+ );
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (HttpsTlsConfigData->Version.Major >= 1) {
+ HttpInstance->TlsConfigData.ConnectionEnd = HttpsTlsConfigData->HttpsTlsConfigData.ConnectionEnd;
+ HttpInstance->TlsConfigData.SessionState = HttpsTlsConfigData->HttpsTlsConfigData.SessionState;
+ HttpInstance->TlsConfigData.VerifyHost = HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost;
+ HttpInstance->TlsConfigData.VerifyMethod = HttpsTlsConfigData->HttpsTlsConfigData.VerifyMethod;
+ } else {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - %d.%d.\n",
+ __func__,
+ HttpsTlsConfigData->Version.Major,
+ HttpsTlsConfigData->Version.Minor
+ ));
+ return EFI_UNSUPPORTED;
+ }
+
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP handle:0x%x.\n",
+ __func__,
+ HttpInstance->Handle
+ ));
+ return EFI_SUCCESS;
+}
+
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
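Review bot: The version gate `if (HttpsTlsConfigData->Version.Major >= 1)` accepts every future major revision, yet a major bump conventionally signals an incompatible layout of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL, so a consumer built against version 1 would read fields that may have moved; `if (HttpsTlsConfigData->Version.Major == 1)` is the safer check and the existing DEBUG_ERROR branch already handles the rejection. The copy also takes `VerifyHost.HostName` as a bare pointer owned by the producer, so the function comment should state that the producer must keep that string valid until the TLS session is torn down — presumably for as long as the protocol stays installed. Minor: the handle is printed with `%x`; `%p` avoids truncation on 64-bit builds.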
@@ -208,6 +260,13 @@ TlsCreateChild (
return Status;
}
+ // Initial default TLS configuration data.
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+
return EFI_SUCCESS;
}
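Review bot: Moving the defaults into TlsCreateChild captures `HttpInstance->RemoteHost` into `TlsConfigData.VerifyHost.HostName` at child-creation time instead of at session-configure time as the removed code did. If RemoteHost can be reassigned between those two points (for instance a later request to a different host on the same HTTP instance) the stored pointer goes stale and the hostname check would run against freed memory; the caller is not visible from this hunk, so please confirm the ordering or refresh it with `HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;` in TlsConfigureSession before the EfiTlsVerifyHost call. TlsCreateChild's body starts outside the hunk.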
@@ -650,14 +709,8 @@ TlsConfigureSession (
{
EFI_STATUS Status;
- //
- // TlsConfigData initialization
- //
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
- HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ // Get applciation TLS configuration data.
+ GetHttpsTlsConfigData (HttpInstance);
//
// EfiTlsConnectionEnd,
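Review bot: The status returned by `GetHttpsTlsConfigData (HttpInstance);` is dropped, so both "no protocol installed" and "protocol present but unsupported version" silently continue with the defaults initialised in TlsCreateChild. That fallback is the secure choice, but it should be stated at the call site: `// Fall back to the default verify-peer configuration when no application TLS configuration is installed or its version is unsupported.` Also fix the typo in `// Get applciation TLS configuration data.` to `application`. TlsConfigureSession's body continues outside the hunk.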
@@ -685,14 +738,16 @@ TlsConfigureSession (
return Status;
}
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
Status = HttpInstance->Tls->SetSessionData (
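Review bot: When an application-installed protocol sets `VerifyMethod` to `EFI_TLS_VERIFY_NONE`, the hostname check is skipped here without any trace, so a platform debugging an unexpectedly unauthenticated HTTPS session has nothing in the log to point at. I would add an `else` branch to this `if` with `DEBUG ((DEBUG_WARN, "%a: TLS peer verification disabled by application TLS configuration.\n", __func__));`. The default path (no protocol installed) keeps VerifyMethod at EFI_TLS_VERIFY_PEER and still sets EfiTlsVerifyHost as before. TlsConfigureSession's body continues outside the hunk.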
@@ -717,10 +772,12 @@ TlsConfigureSession (
//
// Tls Config Certificate
//
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
}
//
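Review bot: This `if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE)` repeats the gate placed around the EfiTlsVerifyHost call earlier in the same function; computing `BOOLEAN VerifyPeer = (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE);` once after GetHttpsTlsConfigData and testing it in both places keeps the two skips from drifting apart. Skipping TlsConfigCertificate also means the TlsCaCertificate variable is never consulted for such sessions, which is consistent with not verifying the peer but deserves a sentence in the commit message. TlsConfigureSession's body continues outside the hunk.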
--
2.37.1.windows.1