From: "Chang, Abner via groups.io"
CC: Saloni Kasbekar, Zachary Clark-williams, Michael Brown, Nickle Wang, Igor Kulchytskyy
Subject: [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol
Date: Sat, 30 Dec 2023 19:29:27 +0800
Message-ID: <20231230112929.1711-4-abner.chang@amd.com>
In-Reply-To: <20231230112929.1711-1-abner.chang@amd.com>
References: <20231230112929.1711-1-abner.chang@amd.com>
From: abnchang

Consume HttpsTlsConfigDataProtocol protocol installed on the HTTP protocol handle to override the default TLS configuration data.

Signed-off-by: Abner Chang
Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Cc: Michael Brown
Cc: Nickle Wang
Cc: Igor Kulchytskyy
---
 NetworkPkg/HttpDxe/HttpDxe.inf    |  1 +
 NetworkPkg/HttpDxe/HttpDriver.h   |  1 +
 NetworkPkg/HttpDxe/HttpProto.h    | 10 +---
 NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
 4 files changed, 80 insertions(+), 29 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.in= f index c9502d0bb6d..ec58677c3f1 100644 --- a/NetworkPkg/HttpDxe/HttpDxe.inf +++ b/NetworkPkg/HttpDxe/HttpDxe.inf @@ -66,6 +66,7 @@ gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiHttpsTlsConfigDataProtocolGuid ## SOMETIMES_CONSUMES =20 [Guids] gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES = ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDrive= r.h index 01a6bb7f4b7..66c924e3030 100644 --- a/NetworkPkg/HttpDxe/HttpDriver.h +++ b/NetworkPkg/HttpDxe/HttpDriver.h @@ -48,6 +48,7 @@ #include #include #include +#include =20 #include //
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.= h index 012f1f4b467..fbccffa8e71 100644 --- a/NetworkPkg/HttpDxe/HttpProto.h +++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct { EFI_HTTP_METHOD Method; } HTTP_TCP_TOKEN_WRAP; =20 -typedef struct { - EFI_TLS_VERSION Version; - EFI_TLS_CONNECTION_END ConnectionEnd; - EFI_TLS_VERIFY VerifyMethod; - EFI_TLS_VERIFY_HOST VerifyHost; - EFI_TLS_SESSION_STATE SessionState; -} TLS_CONFIG_DATA; - // // Callback data for HTTP_PARSER_CALLBACK() // @@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL { =20 EFI_SERVICE_BINDING_PROTOCOL *TlsSb; EFI_HANDLE TlsChildHandle; /// Tls ChildHandle - TLS_CONFIG_DATA TlsConfigData; + HTTPS_TLS_CONFIG_DATA TlsConfigData; EFI_TLS_PROTOCOL *Tls; EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration; EFI_TLS_SESSION_STATE TlsSessionState; diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index fb7c1ea59f2..96ecdd1d848 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c 
@@ -131,6 +131,58 @@ IsHttpsUrl ( return FALSE; } =20 +/** + Get application HTTP TLS configuration data from HTTP handle. + + @param[in] HttpInstance The HTTP protocol handle instance. + + @retval EFI_SUCCESS Application HTTP TLS configuration data is + loaded in HttpInstance->TlsConfigData. + @retval EFI_UNSUPPORTED No application HTTP TLS configuration data + +**/ +EFI_STATUS +GetHttpsTlsConfigData ( + IN HTTP_PROTOCOL *HttpInstance + ) +{ + EFI_STATUS Status; + EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL *HttpsTlsConfigData; + + Status =3D gBS->HandleProtocol ( + HttpInstance->Handle, + &gEdkiiHttpsTlsConfigDataProtocolGuid, + (VOID **)&HttpsTlsConfigData + ); + if (EFI_ERROR (Status)) { + return EFI_UNSUPPORTED; + } + + if (HttpsTlsConfigData->Version.Major >=3D 1) { + HttpInstance->TlsConfigData.ConnectionEnd =3D HttpsTlsConfigData->Http= sTlsConfigData.ConnectionEnd; + HttpInstance->TlsConfigData.SessionState =3D HttpsTlsConfigData->Http= sTlsConfigData.SessionState; + HttpInstance->TlsConfigData.VerifyHost =3D HttpsTlsConfigData->Http= sTlsConfigData.VerifyHost; + HttpInstance->TlsConfigData.VerifyMethod =3D HttpsTlsConfigData->Http= sTlsConfigData.VerifyMethod; + } else { + DEBUG (( + DEBUG_ERROR, + "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - %= d.%d.\n", + __func__, + HttpsTlsConfigData->Version.Major, + HttpsTlsConfigData->Version.Minor + )); + return EFI_UNSUPPORTED; + } + + DEBUG (( + DEBUG_VERBOSE, + "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP= handle:0x%x.\n", + __func__, + HttpInstance->Handle + )); + return EFI_SUCCESS; +} + /** Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURAT= ION_PROTOCOL. =20 
@@ -208,6 +260,13 @@ TlsCreateChild ( return Status; } =20 + // Initial default TLS configuration data. + HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; + HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEER; + HttpInstance->TlsConfigData.VerifyHost.Flags =3D EFI_TLS_VERIFY_FLAG_= NONE; + HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->Remote= Host; + HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStar= ted; + return EFI_SUCCESS; } =20 @@ -650,14 +709,8 @@ TlsConfigureSession ( { EFI_STATUS Status; =20 - // - // TlsConfigData initialization - // - HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; - HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEER; - HttpInstance->TlsConfigData.VerifyHost.Flags =3D EFI_TLS_VERIFY_FLAG_= NONE; - HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->Remote= Host; - HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStar= ted; + // Get applciation TLS configuration data. + GetHttpsTlsConfigData (HttpInstance); =20 // // EfiTlsConnectionEnd, @@ -685,14 +738,16 @@ TlsConfigureSession ( return Status; } =20 - Status =3D HttpInstance->Tls->SetSessionData ( - HttpInstance->Tls, - EfiTlsVerifyHost, - &HttpInstance->TlsConfigData.VerifyHost, - sizeof (EFI_TLS_VERIFY_HOST) - ); - if (EFI_ERROR (Status)) { - return Status; + if (HttpInstance->TlsConfigData.VerifyMethod !=3D EFI_TLS_VERIFY_NONE) { + Status =3D HttpInstance->Tls->SetSessionData ( + HttpInstance->Tls, + EfiTlsVerifyHost, + &HttpInstance->TlsConfigData.VerifyHost, + sizeof (EFI_TLS_VERIFY_HOST) + ); + if (EFI_ERROR (Status)) { + return Status; + } } =20 Status =3D HttpInstance->Tls->SetSessionData ( 
@@ -717,10 +772,12 @@ TlsConfigureSession ( // // Tls Config Certificate // - Status =3D TlsConfigCertificate (HttpInstance); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); - return Status; + if (HttpInstance->TlsConfigData.VerifyMethod !=3D EFI_TLS_VERIFY_NONE) { + Status =3D TlsConfigCertificate (HttpInstance); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n")); + return Status; + } } =20 // --=20 2.37.1.windows.1

View/Reply Online (#113007): https://edk2.groups.io/g/devel/message/113007
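Review bot: In the HttpProto.h hunk, the removed TLS_CONFIG_DATA carried a Version member (EFI_TLS_VERSION) and the replacement type HTTPS_TLS_CONFIG_DATA is not defined anywhere in this patch; it comes from the header pulled in by the new include in HttpDriver.h, which belongs to an earlier patch in the series. Please state in the commit message that this patch depends on that one, and confirm that HTTPS_TLS_CONFIG_DATA declares every member HttpDxe still reads (ConnectionEnd, VerifyMethod, VerifyHost, SessionState), since GetHttpsTlsConfigData copies exactly those four and nothing else.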
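Review bot: In the GetHttpsTlsConfigData hunk, the version gate `if (HttpsTlsConfigData->Version.Major >=3D 1)` accepts every future major version, but a major bump is exactly the case where the structure layout may have changed; compare for equality with the version this code was written against (or a constant exported by the protocol header) and let the existing DEBUG_ERROR branch reject the rest. Two smaller points: the function returns EFI_UNSUPPORTED both when no protocol is installed and when the version is rejected, so a caller cannot tell "nothing to override" from "application supplied a protocol we refused"; returning EFI_NOT_FOUND for the HandleProtocol failure keeps the two apart. And in the DEBUG_VERBOSE line, HttpInstance->Handle is an EFI_HANDLE (a pointer), so use `%p` instead of `%x`, and "There is a EDKII_" should read "There is an EDKII_".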
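Review bot: In the TlsCreateChild hunk, the default initialisation now reads HttpInstance->RemoteHost at child-creation time, whereas before this patch the same assignment ran later in TlsConfigureSession. Please confirm RemoteHost is already populated when TlsCreateChild is invoked; otherwise `HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->RemoteHost` captures a NULL pointer and the later EfiTlsVerifyHost call under EFI_TLS_VERIFY_PEER is made with no host name to check.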
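Review bot: In the first TlsConfigureSession hunk, the return value of `GetHttpsTlsConfigData (HttpInstance);` is discarded, so an application that installs the protocol with an unsupported version gets the defaults silently; either propagate the failure or at least keep the two cases distinguishable (see the note on GetHttpsTlsConfigData). The override also copies VerifyHost wholesale, which replaces the HostName that TlsCreateChild set from RemoteHost; if the application leaves HostName NULL while keeping VerifyMethod at EFI_TLS_VERIFY_PEER, the guarded SetSessionData (EfiTlsVerifyHost) call below is made with a NULL host name. Falling back to RemoteHost when the supplied HostName is NULL would close that gap. Since the default is EFI_TLS_VERIFY_PEER and the new `if (HttpInstance->TlsConfigData.VerifyMethod !=3D EFI_TLS_VERIFY_NONE)` guard means an application-supplied EFI_TLS_VERIFY_NONE turns off host-name verification entirely, a DEBUG_WARN when that branch is skipped would make the downgrade visible in the platform log. Also "applciation" in the new comment should be "application".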
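Review bot: In the last TlsConfigureSession hunk, guarding TlsConfigCertificate with `VerifyMethod !=3D EFI_TLS_VERIFY_NONE` means no CA certificate is loaded from TlsCaCertificate when an application opts out of verification, so the server's certificate is never checked at all. That is consistent with EFI_TLS_VERIFY_NONE, but it should be explicit: emit a DEBUG_WARN in the skipped case so an HTTPS session set up without peer verification leaves a trace, and document in the protocol header that VERIFY_NONE disables both the host-name check and the CA-certificate configuration. The condition is the same one tested earlier in this function for EfiTlsVerifyHost; evaluating it once into a local BOOLEAN keeps the two branches from drifting apart.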