From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Ye, Ting" <ting.ye@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: Laszlo Ersek <lersek@redhat.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Zimmer, Vincent" <vincent.zimmer@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>
Subject: Re: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session.
Date: Mon, 12 Feb 2018 03:08:22 +0000 [thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B727416381EB4@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <BC0C045B0E2A584CA4575E779FA2C12A1A9BA28C@SHSMSX103.ccr.corp.intel.com>
Thanks the comment, I will integrate it when I commit the patch.
> -----Original Message-----
> From: Ye, Ting
> Sent: Monday, February 12, 2018 11:06 AM
> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Fu,
> Siyuan <siyuan.fu@intel.com>
> Subject: RE: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and
> configure it for HTTPS session.
>
> Hi Jiaxin,
>
> In following code, how about use "gEdkiiHttpTlsCipherListGuid" as the
> variable GUID as to make it consistent with the variable name?
>
> + Status = gRT->GetVariable (
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> + &gHttpTlsCipherListGuid,
> + NULL,
> + &CipherListSize,
> + NULL
> + );
>
> Others are good to me.
> Reviewed-by: Ye Ting <ting.ye@intel.com>
>
> Best Regards,
> Ting
>
> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Sunday, February 11, 2018 11:15 AM
> To: edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Ye,
> Ting <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin
> <jiaxin.wu@intel.com>
> Subject: [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and
> configure it for HTTPS session.
>
> v2:
> * Refine the error handling returned from GetVariable.
>
> This patch is to read the HttpTlsCipherList variable and configure it for the
> later HTTPS session.
>
> If the variable is not set by any platform, EFI_NOT_FOUND will be returned
> from GetVariable service. In such a case, the default CipherList created in
> TlsDxe driver will be used.
>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Kinney Michael D <michael.d.kinney@intel.com>
> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
> NetworkPkg/HttpDxe/HttpDriver.h | 3 +-
> NetworkPkg/HttpDxe/HttpDxe.inf | 3 +-
> NetworkPkg/HttpDxe/HttpsSupport.c | 92
> ++++++++++++++++++++++++++++++++++++++-
> 3 files changed, 95 insertions(+), 3 deletions(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpDriver.h
> b/NetworkPkg/HttpDxe/HttpDriver.h index 93a412a..3b7a7a2 100644
> --- a/NetworkPkg/HttpDxe/HttpDriver.h
> +++ b/NetworkPkg/HttpDxe/HttpDriver.h
> @@ -1,9 +1,9 @@
> /** @file
> The header files of the driver binding and service binding protocol for
> HttpDxe driver.
>
> - Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
> + Copyright (c) 2015 - 2018, Intel Corporation. All rights
> + reserved.<BR>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at @@ -59,10 +59,11 @@ // Produced Protocols // #include
> <Protocol/Http.h>
>
> #include <Guid/TlsAuthentication.h>
> +#include <Guid/HttpTlsCipherList.h>
>
> #include <IndustryStandard/Tls1.h>
>
> //
> // Driver Version
> diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf
> b/NetworkPkg/HttpDxe/HttpDxe.inf index 20075f5..56a2472 100644
> --- a/NetworkPkg/HttpDxe/HttpDxe.inf
> +++ b/NetworkPkg/HttpDxe/HttpDxe.inf
> @@ -1,9 +1,9 @@
> ## @file
> # Implementation of EFI HTTP protocol interfaces.
> #
> -# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2015 - 2018, Intel Corporation. All rights
> +reserved.<BR>
> #
> # This program and the accompanying materials # are licensed and made
> available under the terms and conditions of the BSD License # which
> accompanies this distribution. The full text of the license may be found at #
> http://opensource.org/licenses/bsd-license.php.
> @@ -72,10 +72,11 @@
> gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
> gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
>
> [Guids]
> gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ##
> Variable:L"TlsCaCertificate"
> + gHttpTlsCipherListGuid ## SOMETIMES_CONSUMES ##
> Variable:L"HttpTlsCipherList"
>
> [Pcd]
> gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ##
> CONSUMES
> gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode ##
> SOMETIMES_CONSUMES
> gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert ##
> SOMETIMES_CONSUMES
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 288082a..fbe4087 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -1,9 +1,9 @@
> /** @file
> Miscellaneous routines specific to Https for HttpDxe driver.
>
> -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This
> program and the accompanying materials are licensed and made available
> under the terms and conditions of the BSD License which accompanies this
> distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
> @@ -492,10 +492,91 @@ TlsConfigCertificate (
>
> return Status;
> }
>
> /**
> + Read the HttpTlsCipherList variable and configure it for HTTPS session.
> +
> + @param[in, out] HttpInstance The HTTP instance private data.
> +
> + @retval EFI_SUCCESS The prefered HTTP TLS CipherList is configured.
> + @retval EFI_NOT_FOUND Fail to get 'HttpTlsCipherList' variable.
> + @retval EFI_INVALID_PARAMETER The contents of variable are invalid.
> + @retval EFI_OUT_OF_RESOURCES Can't allocate memory resources.
> +
> + @retval Others Other error as indicated.
> +
> +**/
> +EFI_STATUS
> +TlsConfigCipherList (
> + IN OUT HTTP_PROTOCOL *HttpInstance
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 *CipherList;
> + UINTN CipherListSize;
> +
> + CipherList = NULL;
> + CipherListSize = 0;
> +
> + //
> + // Try to read the HttpTlsCipherList variable.
> + //
> + Status = gRT->GetVariable (
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> + &gHttpTlsCipherListGuid,
> + NULL,
> + &CipherListSize,
> + NULL
> + );
> + ASSERT (EFI_ERROR (Status));
> + if (Status != EFI_BUFFER_TOO_SMALL) {
> + return Status;
> + }
> +
> + if (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // Allocate buffer and read the config variable.
> + //
> + CipherList = AllocatePool (CipherListSize); if (CipherList == NULL)
> + {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + Status = gRT->GetVariable (
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
> + &gHttpTlsCipherListGuid,
> + NULL,
> + &CipherListSize,
> + CipherList
> + );
> + if (EFI_ERROR (Status)) {
> + //
> + // GetVariable still error or the variable is corrupted.
> + //
> + goto ON_EXIT;
> + }
> +
> + ASSERT (CipherList != NULL);
> +
> + Status = HttpInstance->Tls->SetSessionData (
> + HttpInstance->Tls,
> + EfiTlsCipherList,
> + CipherList,
> + CipherListSize
> + );
> +
> +ON_EXIT:
> + FreePool (CipherList);
> +
> + return Status;
> +}
> +
> +/**
> Configure TLS session data.
>
> @param[in, out] HttpInstance The HTTP instance private data.
>
> @retval EFI_SUCCESS TLS session data is configured.
> @@ -551,10 +632,19 @@ TlsConfigureSession (
> if (EFI_ERROR (Status)) {
> return Status;
> }
>
> //
> + // Tls Cipher List
> + //
> + Status = TlsConfigCipherList (HttpInstance); if (EFI_ERROR (Status)
> + && Status != EFI_NOT_FOUND) {
> + DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status));
> + return Status;
> + }
> +
> + //
> // Tls Config Certificate
> //
> Status = TlsConfigCertificate (HttpInstance);
> if (EFI_ERROR (Status)) {
> DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Status));
> --
> 1.9.5.msysgit.1
next prev parent reply other threads:[~2018-02-12 3:02 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-11 3:15 [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Jiaxin Wu
2018-02-11 3:15 ` [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList Jiaxin Wu
2018-02-11 3:15 ` [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session Jiaxin Wu
2018-02-12 3:05 ` Ye, Ting
2018-02-12 3:08 ` Wu, Jiaxin [this message]
2018-02-11 3:21 ` [PATCH v2 0/2] NetworkPkg: Support the platform to configure HTTPS CipherList Wu, Jiaxin
2018-02-12 19:56 ` Laszlo Ersek
2018-02-13 2:01 ` Wu, Jiaxin
2018-02-15 12:05 ` Laszlo Ersek
2018-02-11 3:30 ` Fu, Siyuan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=895558F6EA4E3B41AC93A00D163B727416381EB4@SHSMSX103.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox