Hi Michael,

Thanks for catching this. To prevent the change to data structure, would you suggest me to create new interface in EFI_HTTP_PROTOCOL and disable TLS host verify? 

Regards,
Nickle
From: Michael Brown <mcb30@ipxe.org>
Sent: Wednesday, February 1, 2023 6:47 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Nickle Wang <nicklew@nvidia.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>; Siyuan Fu <siyuan.fu@intel.com>; Abner Chang <abner.chang@amd.com>; Igor Kulchytskyy <igork@ami.com>; Nick Ramirez <nramirez@nvidia.com>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify
 
External email: Use caution opening links or attachments


On 01/02/2023 03:46, Nickle Wang via groups.io wrote:
> diff --git a/MdePkg/Include/Protocol/Http.h b/MdePkg/Include/Protocol/Http.h
> index 28e6221593..21a782eaac 100644
> --- a/MdePkg/Include/Protocol/Http.h
> +++ b/MdePkg/Include/Protocol/Http.h
> @@ -6,6 +6,7 @@
>
>     Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
>     (C) Copyright 2015-2017 Hewlett Packard Enterprise Development LP<BR>
> +  Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
>     SPDX-License-Identifier: BSD-2-Clause-Patent
>
>     @par Revision Reference:
> @@ -161,6 +162,10 @@ typedef struct {
>     /// this instance will use EFI_DNS6_PROTOCOL and EFI_TCP6_PROTOCOL.
>     ///
>     BOOLEAN             LocalAddressIsIPv6;
> +  ///
> +  /// Verify server certificate during HTTPS handshake.
> +  ///
> +  BOOLEAN             HostCertificateVerifyDisabled;
>
>     union {
>       ///

This change would break the ABI by changing the layout of a data
structure defined in the UEFI specification.

Even worse, it does so by inserting a field into the middle of a
structure: an ABI mismatch would result in one side attempting to
dereference the BOOLEAN value as a pointer.

Nacked-by: Michael Brown <mcb30@ipxe.org>

Thanks,

Michael