Provide an option for the caller to disable TLS host verification in the HttpDxe
driver. When a web server uses a self-signed certificate and the caller has no
way to get the root CA from the web server, the caller can use this option to
disable the TLS host verification function. This option is similar to the "-k"
option of the "curl" tool.

Signed-off-by: Nickle Wang <nick...@nvidia.com>
Cc: Maciej Rabeda <maciej.rab...@linux.intel.com>
Cc: Siyuan Fu <siyuan...@intel.com>
Cc: Abner Chang <abner.ch...@amd.com>
Cc: Igor Kulchytskyy <ig...@ami.com>
Cc: Nick Ramirez <nrami...@nvidia.com>
---
 MdePkg/Include/Protocol/Http.h    |  5 +++
 NetworkPkg/HttpDxe/HttpProto.h    |  2 ++
 NetworkPkg/HttpDxe/HttpImpl.c     |  2 ++
 NetworkPkg/HttpDxe/HttpsSupport.c | 53 +++++++++++++++++--------------
 4 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/MdePkg/Include/Protocol/Http.h b/MdePkg/Include/Protocol/Http.h
index 28e6221593..21a782eaac 100644
--- a/MdePkg/Include/Protocol/Http.h
+++ b/MdePkg/Include/Protocol/Http.h
@@ -6,6 +6,7 @@
 
   Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015-2017 Hewlett Packard Enterprise Development LP<BR>
+  Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   @par Revision Reference:
@@ -161,6 +162,10 @@ typedef struct {
   /// this instance will use EFI_DNS6_PROTOCOL and EFI_TCP6_PROTOCOL.
   ///
   BOOLEAN             LocalAddressIsIPv6;
+  ///
+  /// Verify server certificate during HTTPS handshake.
+  ///
+  BOOLEAN             HostCertificateVerifyDisabled;
 
   union {
     ///
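Review bot: The comment on the new field states the opposite of what its name means — `HostCertificateVerifyDisabled` is TRUE to skip verification, yet the doc reads `Verify server certificate during HTTPS handshake.` Suggest `/// Set to TRUE to skip server certificate and host name verification during the TLS handshake; FALSE (the value in a zeroed structure) verifies the server.` Because the field is inserted into an existing UEFI-defined structure, callers built before it existed never touch that byte, and HttpImpl.c turns any non-zero value into "verification off", so the comment should also state that EFI_HTTP_CONFIG_DATA must be zero-initialized by the caller; whether that byte lands in former padding or shifts the following union is not visible here and is worth confirming on each supported architecture.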
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 620eb39158..72d6b2b3b7 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -3,6 +3,7 @@
 
 Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -176,6 +177,7 @@ typedef struct _HTTP_PROTOCOL {
   EFI_TLS_PROTOCOL                  *Tls;
   EFI_TLS_CONFIGURATION_PROTOCOL    *TlsConfiguration;
   EFI_TLS_SESSION_STATE             TlsSessionState;
+  BOOLEAN                           TlsVerifyHost;
 
   //
   // TlsTxData used for transmitting TLS related messages.
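Review bot: `TlsVerifyHost` is added to HTTP_PROTOCOL without a comment, and its sense is inverted relative to the public `HostCertificateVerifyDisabled` it is derived from, which makes the double negation easy to get wrong at each use. Suggest `// TRUE (default) to verify the server certificate and host name; cleared when the caller sets HostCertificateVerifyDisabled.` The name also understates what the flag controls, since the same member later gates the EfiTlsVerifyMethod setting and CA certificate loading as well as the host-name check, so `TlsVerifyPeer` would describe it more accurately.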
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index 7c5c925cf7..df382acf33 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -3,6 +3,7 @@
 
   Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP<BR>
+  Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -162,6 +163,7 @@ EfiHttpConfigure (
     HttpInstance->TimeOutMillisec    = HttpConfigData->TimeOutMillisec;
     HttpInstance->LocalAddressIsIPv6 = HttpConfigData->LocalAddressIsIPv6;
     HttpInstance->ConnectionClose    = FALSE;
+    HttpInstance->TlsVerifyHost      = 
(HttpConfigData->HostCertificateVerifyDisabled ? FALSE : TRUE);
 
     if (HttpConfigData->LocalAddressIsIPv6) {
       CopyMem (
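Review bot: `(HttpConfigData->HostCertificateVerifyDisabled ? FALSE : TRUE)` is a roundabout negation; `HttpInstance->TlsVerifyHost = !HttpConfigData->HostCertificateVerifyDisabled;` says the same thing on one line (the added line appears mail-wrapped in this copy of the patch). This is also the point where a caller-supplied byte becomes the verification policy for the instance, so a short comment such as `// Caller opted out of server verification (curl -k equivalent); see HostCertificateVerifyDisabled.` would help the next reader see why a BOOLEAN in the config data can switch off TLS checks. EfiHttpConfigure begins and ends outside the hunk.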
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c 
b/NetworkPkg/HttpDxe/HttpsSupport.c
index ad611e7c38..685a24b737 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -3,6 +3,7 @@
 
 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -666,24 +667,26 @@ TlsConfigureSession (
     return Status;
   }
 
-  Status = HttpInstance->Tls->SetSessionData (
-                                HttpInstance->Tls,
-                                EfiTlsVerifyMethod,
-                                &HttpInstance->TlsConfigData.VerifyMethod,
-                                sizeof (EFI_TLS_VERIFY)
-                                );
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
+  if (HttpInstance->TlsVerifyHost) {
+    Status = HttpInstance->Tls->SetSessionData (
+                                  HttpInstance->Tls,
+                                  EfiTlsVerifyMethod,
+                                  &HttpInstance->TlsConfigData.VerifyMethod,
+                                  sizeof (EFI_TLS_VERIFY)
+                                  );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
 
-  Status = HttpInstance->Tls->SetSessionData (
-                                HttpInstance->Tls,
-                                EfiTlsVerifyHost,
-                                &HttpInstance->TlsConfigData.VerifyHost,
-                                sizeof (EFI_TLS_VERIFY_HOST)
-                                );
-  if (EFI_ERROR (Status)) {
-    return Status;
+    Status = HttpInstance->Tls->SetSessionData (
+                                  HttpInstance->Tls,
+                                  EfiTlsVerifyHost,
+                                  &HttpInstance->TlsConfigData.VerifyHost,
+                                  sizeof (EFI_TLS_VERIFY_HOST)
+                                  );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
   }
 
   Status = HttpInstance->Tls->SetSessionData (
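Review bot: When `TlsVerifyHost` is FALSE the new code skips the EfiTlsVerifyMethod and EfiTlsVerifyHost SetSessionData calls entirely, so the effective policy becomes whatever TlsDxe applies to a session that was never configured, rather than an explicit choice made here; if that default is peer verification the self-signed case from the commit message still fails, and if it is none the intent is only implied. Clearer and deterministic: keep both calls unconditional and set the method explicitly first, `if (!HttpInstance->TlsVerifyHost) { HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_NONE; }`, where `VerifyMethod` is the field this hunk already passes to SetSessionData. The host-name setting then goes through the same explicit path instead of relying on unset state. TlsConfigureSession begins before and continues after this hunk.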
@@ -705,13 +708,15 @@ TlsConfigureSession (
     return Status;
   }
 
-  //
-  // Tls Config Certificate
-  //
-  Status = TlsConfigCertificate (HttpInstance);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
-    return Status;
+  if (HttpInstance->TlsVerifyHost) {
+    //
+    // Tls Config Certificate
+    //
+    Status = TlsConfigCertificate (HttpInstance);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+      return Status;
+    }
   }
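Review bot: Skipping TlsConfigCertificate when `TlsVerifyHost` is FALSE is consistent with the earlier hunk, but nothing in the driver records that a session was set up with verification turned off, which is the first thing an operator wants to see when investigating an unexpected connection. An `else` branch with `DEBUG ((DEBUG_WARN, "TLS certificate verification disabled by caller; skipping CA configuration\n"));` gives that visibility in debug builds at no cost elsewhere. The retained `Tls Config Certificate` comment could also say why the block is now conditional, e.g. `// CA certificates are only needed when the peer is being verified.`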
 
   //
-- 
2.39.1.windows.1


