From: abnchang <abnch...@amd.com>

Consume HttpsTlsConfigDataProtocol protocol installed
on the HTTP protocol handle to override the default TLS
configuration data.

Signed-off-by: Abner Chang <abner.ch...@amd.com>
Cc: Saloni Kasbekar <saloni.kasbe...@intel.com>
Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com>
Cc: Michael Brown <mc...@ipxe.org>
Cc: Nickle Wang <nick...@nvidia.com>
Cc: Igor Kulchytskyy <ig...@ami.com>
---
 NetworkPkg/HttpDxe/HttpDxe.inf    |  1 +
 NetworkPkg/HttpDxe/HttpDriver.h   |  1 +
 NetworkPkg/HttpDxe/HttpProto.h    | 10 +---
 NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
 4 files changed, 80 insertions(+), 29 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..ec58677c3f1 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
   gEfiTlsProtocolGuid                              ## SOMETIMES_CONSUMES
   gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
   gEdkiiHttpCallbackProtocolGuid                   ## SOMETIMES_CONSUMES
+  gEdkiiHttpsTlsConfigDataProtocolGuid             ## SOMETIMES_CONSUMES
 
 [Guids]
   gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ## 
Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..66c924e3030 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
 #include <Protocol/Tls.h>
 #include <Protocol/TlsConfig.h>
 #include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
 
 #include <Guid/ImageAuthentication.h>
 //
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 012f1f4b467..fbccffa8e71 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct {
   EFI_HTTP_METHOD           Method;
 } HTTP_TCP_TOKEN_WRAP;
 
-typedef struct {
-  EFI_TLS_VERSION           Version;
-  EFI_TLS_CONNECTION_END    ConnectionEnd;
-  EFI_TLS_VERIFY            VerifyMethod;
-  EFI_TLS_VERIFY_HOST       VerifyHost;
-  EFI_TLS_SESSION_STATE     SessionState;
-} TLS_CONFIG_DATA;
-
 //
 // Callback data for HTTP_PARSER_CALLBACK()
 //
@@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL {
 
   EFI_SERVICE_BINDING_PROTOCOL      *TlsSb;
   EFI_HANDLE                        TlsChildHandle; /// Tls ChildHandle
-  TLS_CONFIG_DATA                   TlsConfigData;
+  HTTPS_TLS_CONFIG_DATA             TlsConfigData;
   EFI_TLS_PROTOCOL                  *Tls;
   EFI_TLS_CONFIGURATION_PROTOCOL    *TlsConfiguration;
   EFI_TLS_SESSION_STATE             TlsSessionState;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c 
b/NetworkPkg/HttpDxe/HttpsSupport.c
index fb7c1ea59f2..96ecdd1d848 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,58 @@ IsHttpsUrl (
   return FALSE;
 }
 
+/**
+  Get application HTTP TLS configuration data from HTTP handle.
+
+  @param[in]  HttpInstance  The HTTP protocol handle instance.
+
+  @retval  EFI_SUCCESS      Application HTTP TLS configuration data is
+                            loaded in HttpInstance->TlsConfigData.
+  @retval  EFI_UNSUPPORTED  No application HTTP TLS configuration data
+
+**/
+EFI_STATUS
+GetHttpsTlsConfigData (
+  IN HTTP_PROTOCOL  *HttpInstance
+  )
+{
+  EFI_STATUS                            Status;
+  EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL  *HttpsTlsConfigData;
+
+  Status = gBS->HandleProtocol (
+                  HttpInstance->Handle,
+                  &gEdkiiHttpsTlsConfigDataProtocolGuid,
+                  (VOID **)&HttpsTlsConfigData
+                  );
+  if (EFI_ERROR (Status)) {
+    return EFI_UNSUPPORTED;
+  }
+
+  if (HttpsTlsConfigData->Version.Major >= 1) {
+    HttpInstance->TlsConfigData.ConnectionEnd = 
HttpsTlsConfigData->HttpsTlsConfigData.ConnectionEnd;
+    HttpInstance->TlsConfigData.SessionState  = 
HttpsTlsConfigData->HttpsTlsConfigData.SessionState;
+    HttpInstance->TlsConfigData.VerifyHost    = 
HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost;
+    HttpInstance->TlsConfigData.VerifyMethod  = 
HttpsTlsConfigData->HttpsTlsConfigData.VerifyMethod;
+  } else {
+    DEBUG ((
+      DEBUG_ERROR,
+      "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - 
%d.%d.\n",
+      __func__,
+      HttpsTlsConfigData->Version.Major,
+      HttpsTlsConfigData->Version.Minor
+      ));
+    return EFI_UNSUPPORTED;
+  }
+
+  DEBUG ((
+    DEBUG_VERBOSE,
+    "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP 
handle:0x%x.\n",
+    __func__,
+    HttpInstance->Handle
+    ));
+  return EFI_SUCCESS;
+}
+
 /**
   Creates a Tls child handle, open EFI_TLS_PROTOCOL and 
EFI_TLS_CONFIGURATION_PROTOCOL.
 
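Review bot: The override copies the whole EFI_TLS_VERIFY_HOST struct, so an application that installs the protocol with HttpsTlsConfigData.VerifyHost.HostName left NULL replaces the RemoteHost default set in TlsCreateChild with a NULL host name, and that value reaches the EfiTlsVerifyHost SetSessionData call in the later TlsConfigureSession hunk whenever VerifyMethod is not EFI_TLS_VERIFY_NONE; whether TlsDxe rejects a NULL HostName or quietly skips the host-name check cannot be told from this patch. Keeping the default when the application supplies none, `if (HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost.HostName != NULL) { HttpInstance->TlsConfigData.VerifyHost.HostName = HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost.HostName; }` with the Flags copied separately, would make the fallback explicit. The `Version.Major >= 1` gate also accepts any future major version, which by the usual meaning of a major bump need not share this struct layout; `== 1`, or a compatibility rule stated in the function's header comment, is the safer check. The function is neither STATIC nor declared in the HttpProto.h hunk of this patch, so either it is meant to be module-global or it should be made STATIC.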
@@ -208,6 +260,13 @@ TlsCreateChild (
     return Status;
   }
 
+  // Initial default TLS configuration data.
+  HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
+  HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
+  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
+  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+  HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
+
   return EFI_SUCCESS;
 }
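Review bot: Moving `VerifyHost.HostName = HttpInstance->RemoteHost` into TlsCreateChild captures the RemoteHost pointer at child-creation time instead of at session configuration as before; if RemoteHost can be reassigned between those two points, for instance when one TLS child is reused for a later request to a different host, the stale pointer would be handed to TLS as the name to verify. The call order is not visible in this patch, so this is only a concern if the child outlives a single request; in that case the HostName assignment should stay beside the SetSessionData call. The same applies to SessionState, which is no longer reset to EfiTlsSessionNotStarted on every TlsConfigureSession. TlsCreateChild begins outside this hunk.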
 
@@ -650,14 +709,8 @@ TlsConfigureSession (
 {
   EFI_STATUS  Status;
 
-  //
-  // TlsConfigData initialization
-  //
-  HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
-  HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
-  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
-  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
-  HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
+  // Get applciation TLS configuration data.
+  GetHttpsTlsConfigData (HttpInstance);
 
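Review bot: The return value of GetHttpsTlsConfigData is discarded, so a protocol with an unsupported major version is logged at DEBUG_ERROR and the session then silently continues with the TlsCreateChild defaults, indistinguishable from the no-protocol case; that is the fail-safe outcome (peer verification stays enabled) but the comment should say so, and "applciation" is misspelled. Suggested comment in place of the one-liner: `// Override the defaults set in TlsCreateChild with the application's TLS configuration data when a supported EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL is installed on the handle; otherwise the defaults remain in effect.` TlsConfigureSession continues outside this hunk.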
   //
   // EfiTlsConnectionEnd,
@@ -685,14 +738,16 @@ TlsConfigureSession (
     return Status;
   }
 
-  Status = HttpInstance->Tls->SetSessionData (
-                                HttpInstance->Tls,
-                                EfiTlsVerifyHost,
-                                &HttpInstance->TlsConfigData.VerifyHost,
-                                sizeof (EFI_TLS_VERIFY_HOST)
-                                );
-  if (EFI_ERROR (Status)) {
-    return Status;
+  if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+    Status = HttpInstance->Tls->SetSessionData (
+                                  HttpInstance->Tls,
+                                  EfiTlsVerifyHost,
+                                  &HttpInstance->TlsConfigData.VerifyHost,
+                                  sizeof (EFI_TLS_VERIFY_HOST)
+                                  );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
   }
 
   Status = HttpInstance->Tls->SetSessionData (
@@ -717,10 +772,12 @@ TlsConfigureSession (
   //
   // Tls Config Certificate
   //
-  Status = TlsConfigCertificate (HttpInstance);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
-    return Status;
+  if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+    Status = TlsConfigCertificate (HttpInstance);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+      return Status;
+    }
   }
 
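Review bot: When the application's override sets VerifyMethod to EFI_TLS_VERIFY_NONE, this hunk skips the CA certificate load and the previous hunk skips host-name verification, so the connection proceeds with no peer authentication and the only trace is the DEBUG_VERBOSE line in GetHttpsTlsConfigData. That is the intended meaning of the override, but a downgrade of this kind should be visible at a log level enabled in ordinary builds, e.g. before this `if`: `if (HttpInstance->TlsConfigData.VerifyMethod == EFI_TLS_VERIFY_NONE) { DEBUG ((DEBUG_WARN, "%a: TLS peer verification disabled by application configuration.\n", __func__)); }`. The header comment of TlsConfigureSession should also state that EFI_TLS_VERIFY_NONE bypasses both the host-name check and the CA certificate configuration. The function continues outside this hunk.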
   //
-- 
2.37.1.windows.1


