From: Nickle Wang <nicklew@nvidia.com>
To: Michael Brown <mcb30@ipxe.org>, devel@edk2.groups.io
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>, Siyuan Fu <siyuan.fu@intel.com>, Abner Chang <abner.chang@amd.com>, Igor Kulchytskyy <igork@ami.com>, Nick Ramirez <nramirez@nvidia.com>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify
Date: Wed, 1 Feb 2023 11:06:55 +0000
References: <20230201034636.619-1-nicklew@nvidia.com> <010201860c96846b-a8bde2d8-b485-4c67-8946-70263fa807d9-000000@eu-west-1.amazonses.com>
In-Reply-To: <010201860c96846b-a8bde2d8-b485-4c67-8946-70263fa807d9-000000@eu-west-1.amazonses.com>

Hi Michael,

Thanks for catching this. To prevent the change to the data structure, would you suggest that I create a new interface in EFI_HTTP_PROTOCOL and disable TLS host verify?

Regards,
Nickle

From: Michael Brown <mcb30@ipxe.org>
Sent: Wednesday, February 1, 2023 6:47 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Nickle Wang <nicklew@nvidia.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>; Siyuan Fu <siyuan.fu@intel.com>; Abner Chang <abner.chang@amd.com>; Igor Kulchytskyy <igork@ami.com>; Nick Ramirez <nramirez@nvidia.com>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify

On 01/02/2023 03:46, Nickle Wang via groups.io wrote:
> diff --git a/MdePkg/Include/Protocol/Http.h b/MdePkg/Include/Protocol/= Http.h
> index 28e6221593..21a782eaac 100644
> --- a/MdePkg/Include/Protocol/Http.h
> +++ b/MdePkg/Include/Protocol/Http.h
> @@ -6,6 +6,7 @@
>
>     Copyright (c) 2016 - 2018, Intel Corporation. = All rights reserved.<BR>
>     (C) Copyright 2015-2017 Hewlett Packard Enterp= rise Development LP<BR>
> +  Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All r= ights reserved.
>     SPDX-License-Identifier: BSD-2-Clause-Patent >
>     @par Revision Reference:
> @@ -161,6 +162,10 @@ typedef struct {
>     /// this instance will use EFI_DNS6_PROTOCOL a= nd EFI_TCP6_PROTOCOL.
>     ///
>     BOOLEAN      &nb= sp;      LocalAddressIsIPv6;
> +  ///
> +  /// Verify server certificate during HTTPS handshake.
> +  ///
> +  BOOLEAN         &= nbsp;   HostCertificateVerifyDisabled;
>
>     union {
>       ///
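Review bot: the member added at `+ BOOLEAN HostCertificateVerifyDisabled;` is inserted into the body of a typedef that the UEFI specification publishes, so the structure no longer matches the layout that consumers built against the specification expect (this is the ABI objection raised in the nack below), and the accompanying doc comment `/// Verify server certificate during HTTPS handshake.` states the opposite of what the field name means, since a TRUE value disables verification. Suggest leaving this spec-defined typedef untouched and exposing the option through a separate, explicitly opt-in interface (as the follow-up reply proposes); wherever the flag ends up, word its comment as "TRUE disables server certificate verification; default FALSE keeps it enabled" so that a firmware build cannot turn verification off by accident.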

This change would break the ABI by changing the layout of a data
structure defined in the UEFI specification.

Even worse, it does so by inserting a field into the middle of a
structure: an ABI mismatch would result in one side attempting to
dereference the BOOLEAN value as a pointer.

Nacked-by: Michael Brown <mcb30@ipxe.org>

Thanks,

Michael