From: "Saloni Kasbekar"
To: devel@edk2.groups.io
Cc: Saloni Kasbekar , Maciej Rabeda , Wu Jiaxin , Siyuan Fu
Subject: [[edk2-staging/HttpProxy PATCH v2] 6/6] NetworkPkg/HttpDxe: Support HTTPS EndPoint server with Proxy
Date: Fri, 7 Oct 2022 14:34:30 -0700
Message-Id:
X-Mailer: git-send-email 2.36.1.windows.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3951
Add support for Proxy server to connect to a HTTPS EndPoint server. TLS Connection to be created during GET/HEAD after CONNECT method.
Cc: Maciej Rabeda
Cc: Wu Jiaxin
Cc: Siyuan Fu
Signed-off-by: Saloni Kasbekar
---
 NetworkPkg/HttpDxe/HttpImpl.c | 9 +++----
 NetworkPkg/HttpDxe/HttpProto.c | 40 ++++++++++++++++++-------------
 NetworkPkg/HttpDxe/HttpProto.h | 8 +++++--
 NetworkPkg/HttpDxe/HttpsSupport.c | 16 +++++++++----
 4 files changed, 46 insertions(+), 27 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index 2a305e0864..f7d6a4c8f6 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -511,9 +511,10 @@ EfiHttpRequest (
 if ((HttpInstance->ConnectionClose == FALSE) &&
 (HttpInstance->RemotePort == RemotePort) &&
 (AsciiStrCmp (HttpInstance->RemoteHost, HostName) == 0) &&
- (!HttpInstance->UseHttps || (HttpInstance->UseHttps &&
- !TlsConfigure &&
- (HttpInstance->TlsSessionState == EfiTlsSessionDataTransferring))))
+ (!HttpInstance->UseHttps ||
+ HttpInstance->ProxyConnected || (HttpInstance->UseHttps &&
+ !TlsConfigure &&
+ (HttpInstance->TlsSessionState == EfiTlsSessionDataTransferring))))
 {
 //
 // Host Name and port number of the request URL are the same with previous call to Request().
@@ -666,7 +667,7 @@ EfiHttpRequest (
 goto Error2;
 }
 
- if (!Configure && !ReConfigure && !TlsConfigure) {
+ if ((!Configure && !ReConfigure) && ((HttpInstance->ProxyConnected && TlsConfigure) || (!TlsConfigure))) {
 //
 // For the new HTTP token, create TX TCP token events.
 //
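Review bot: The new `HttpInstance->ProxyConnected ||` alternative in the connection-reuse condition at @@ -511 short-circuits the TLS checks that follow it, so on a proxied HTTPS instance the "same host" path is taken even when TlsConfigure is TRUE or TlsSessionState is not EfiTlsSessionDataTransferring. That appears to be intended, since the commit message says the TLS session is created later over the already-established CONNECT tunnel, but nothing at this site records it and a later reader will see a ProxyConnected instance reusing a session whose TLS state was never checked. A comment such as `// A CONNECT tunnel to the proxy is already up; the TLS session to the end point is created on top of it later, so the TLS session state is not checked here.` above the condition would record that. It is also worth confirming that ProxyConnected is cleared whenever the tunnel's TCP connection is closed, otherwise this branch reuses a connection that no longer exists; that code is outside the hunk.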
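Review bot: The rewritten condition at @@ -666, `((HttpInstance->ProxyConnected && TlsConfigure) || (!TlsConfigure))`, is logically the same as `(!TlsConfigure || HttpInstance->ProxyConnected)`, and the extra parentheses around `!Configure && !ReConfigure` add nothing. `if (!Configure && !ReConfigure && (!TlsConfigure || HttpInstance->ProxyConnected)) {` says the same thing on a line that fits the file's width and reads as "create the TX token events unless a fresh TLS session is still pending on a direct connection". EfiHttpRequest's body continues outside the hunk.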
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c
index 6767d90c7d..cc69401943 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1222,6 +1222,7 @@ HttpConfigureTcp6 (
 connect one TLS session if required.
 
 @param[in] HttpInstance The HTTP instance private data.
+ @param[in] TlsConfigure The Flag indicates whether it's the new Tls session.
 
 @retval EFI_SUCCESS The TCP connection is established.
 @retval EFI_NOT_READY TCP4 protocol child is not created or configured.
@@ -1230,7 +1231,8 @@ HttpConfigureTcp6 (
 **/
 EFI_STATUS
 HttpConnectTcp4 (
- IN HTTP_PROTOCOL *HttpInstance
+ IN HTTP_PROTOCOL *HttpInstance,
+ IN BOOLEAN TlsConfigure
 )
 {
 EFI_STATUS Status;
@@ -1253,16 +1255,18 @@ HttpConnectTcp4 (
 return Status;
 }
 
- if (Tcp4State == Tcp4StateEstablished) {
+ if ((Tcp4State == Tcp4StateEstablished) && (!HttpInstance->ProxyConnected || !TlsConfigure)) {
 return EFI_SUCCESS;
- } else if (Tcp4State > Tcp4StateEstablished ) {
+ } else if (Tcp4State > Tcp4StateEstablished) {
 HttpCloseConnection (HttpInstance);
 }
 
- Status = HttpCreateConnection (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Tcp4 Connection fail - %x\n", Status));
- return Status;
+ if (!HttpInstance->ProxyConnected) {
+ Status = HttpCreateConnection (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Tcp4 Connection fail - %x\n", Status));
+ return Status;
+ }
 }
 
 //
@@ -1314,6 +1318,7 @@ HttpConnectTcp4 (
 connect one TLS session if required.
 
 @param[in] HttpInstance The HTTP instance private data.
+ @param[in] TlsConfigure The Flag indicates whether it's the new Tls session.
 
 @retval EFI_SUCCESS The TCP connection is established.
 @retval EFI_NOT_READY TCP6 protocol child is not created or configured.
@@ -1322,7 +1327,8 @@ HttpConnectTcp4 (
 **/
 EFI_STATUS
 HttpConnectTcp6 (
- IN HTTP_PROTOCOL *HttpInstance
+ IN HTTP_PROTOCOL *HttpInstance,
+ IN BOOLEAN TlsConfigure
 )
 {
 EFI_STATUS Status;
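Review bot: The new @param text at @@ -1222, `The Flag indicates whether it's the new Tls session.`, does not say what the flag changes in HttpConnectTcp4, which from the code below is that an already-established TCP connection no longer produces the early EFI_SUCCESS return when ProxyConnected is also TRUE. A wording such as `@param[in]  TlsConfigure       TRUE if a new TLS session must be set up on this connection; with ProxyConnected set, an established TCP connection is then not accepted as-is.` makes that visible from the prototype. The same sentence is repeated for HttpConnectTcp6 at @@ -1314 and for both prototypes in HttpProto.h, so all four should be updated together.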
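Review bot: In the @@ -1253 hunk, when ProxyConnected is TRUE and Tcp4State is past Tcp4StateEstablished, the code still calls HttpCloseConnection but the new `if (!HttpInstance->ProxyConnected)` guard then skips HttpCreateConnection, and no error is returned, so the function carries on with a closed TCP connection while ProxyConnected still claims a live tunnel. The tunnel cannot outlive the socket it ran over, so that branch should at least clear the flag and fail instead of falling through, for example `HttpCloseConnection (HttpInstance); if (HttpInstance->ProxyConnected) { HttpInstance->ProxyConnected = FALSE; return EFI_ABORTED; }` (whether the caller can then re-issue CONNECT is not visible here). The Tcp6 hunk at @@ -1346 has the same shape and needs the same treatment. HttpConnectTcp4's body continues below the hunk.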
@@ -1346,16 +1352,18 @@ HttpConnectTcp6 (
 return Status;
 }
 
- if (Tcp6State == Tcp6StateEstablished) {
+ if ((Tcp6State == Tcp6StateEstablished) && (!HttpInstance->ProxyConnected || !TlsConfigure)) {
 return EFI_SUCCESS;
- } else if (Tcp6State > Tcp6StateEstablished ) {
+ } else if (Tcp6State > Tcp6StateEstablished) {
 HttpCloseConnection (HttpInstance);
 }
 
- Status = HttpCreateConnection (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Tcp6 Connection fail - %x\n", Status));
- return Status;
+ if (!HttpInstance->ProxyConnected) {
+ Status = HttpCreateConnection (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Tcp6 Connection fail - %x\n", Status));
+ return Status;
+ }
 }
 
 //
@@ -1450,7 +1458,7 @@ HttpInitSession (
 //
 // Connect TCP.
 //
- Status = HttpConnectTcp4 (HttpInstance);
+ Status = HttpConnectTcp4 (HttpInstance, TlsConfigure);
 if (EFI_ERROR (Status)) {
 return Status;
 }
@@ -1468,7 +1476,7 @@ HttpInitSession (
 //
 // Connect TCP.
 //
- Status = HttpConnectTcp6 (HttpInstance);
+ Status = HttpConnectTcp6 (HttpInstance, TlsConfigure);
 if (EFI_ERROR (Status)) {
 return Status;
 }
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 3e4e86dad9..6fd2082e1b 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -407,6 +407,7 @@ HttpConfigureTcp6 (
 connect one TLS session if required.
 
 @param[in] HttpInstance The HTTP instance private data.
+ @param[in] TlsConfigure The Flag indicates whether it's the new Tls session.
 
 @retval EFI_SUCCESS The TCP connection is established.
 @retval EFI_NOT_READY TCP4 protocol child is not created or configured.
@@ -415,7 +416,8 @@ HttpConfigureTcp6 (
 **/
 EFI_STATUS
 HttpConnectTcp4 (
- IN HTTP_PROTOCOL *HttpInstance
+ IN HTTP_PROTOCOL *HttpInstance,
+ IN BOOLEAN TlsConfigure
 );
 
 /**
@@ -423,6 +425,7 @@ HttpConnectTcp4 (
 connect one TLS session if required.
 
 @param[in] HttpInstance The HTTP instance private data.
+ @param[in] TlsConfigure The Flag indicates whether it's the new Tls session.
 
 @retval EFI_SUCCESS The TCP connection is established.
 @retval EFI_NOT_READY TCP6 protocol child is not created or configured.
@@ -431,7 +434,8 @@ HttpConnectTcp4 (
 **/
 EFI_STATUS
 HttpConnectTcp6 (
- IN HTTP_PROTOCOL *HttpInstance
+ IN HTTP_PROTOCOL *HttpInstance,
+ IN BOOLEAN TlsConfigure
 );
 
 /**
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index ad611e7c38..81c65758d3 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -644,11 +644,17 @@ TlsConfigureSession (
 //
 // TlsConfigData initialization
 //
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
- HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+
+ if (HttpInstance->ProxyConnected) {
+ ASSERT (HttpInstance->EndPointHostName != NULL);
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->EndPointHostName;
+ } else {
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+ }
 
 //
 // EfiTlsConnectionEnd,
--
2.36.1.windows.1
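Review bot: In the HttpsSupport.c hunk, `ASSERT (HttpInstance->EndPointHostName != NULL)` is the only guard on the name handed to TlsConfigData.VerifyHost.HostName on the proxy path, and ASSERT is compiled out of RELEASE builds, so a NULL EndPointHostName reaches the TLS configuration with no error reported. A runtime check belongs there in addition to the assert, e.g. `if (HttpInstance->EndPointHostName == NULL) { return EFI_INVALID_PARAMETER; }` before the assignment (TlsConfigureSession's return type is outside the hunk; an EFI_STATUS return is assumed). With VerifyMethod left at EFI_TLS_VERIFY_PEER, this host name is presumably what the TLS driver checks the end point's certificate against, so on a proxied connection it is the one value that ties the certificate to the URL the caller requested and must not silently be absent. The rest of TlsConfigureSession is outside the hunk.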