From: Jiaxin Wu To: edk2-devel@lists.01.org Date: Sun, 11 Feb 2018 11:15:15 +0800 Message-Id: <1518318916-12816-2-git-send-email-jiaxin.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: <1518318916-12816-1-git-send-email-jiaxin.wu@intel.com> References: <1518318916-12816-1-git-send-email-jiaxin.wu@intel.com> Subject: [edk2] [PATCH v2 1/2] NetworkPkg: Define one private variable for HTTPS to set Tls CipherList. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Zimmer Vincent , Ye Ting , Wu Jiaxin , Yao Jiewen , Kinney Michael D , Fu Siyuan , Laszlo Ersek MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" v2: * Rename the file/variable name. This variable (HttpTlsCipherList) can be set by any platform that want to control its own preferred Tls CipherList for the later HTTPS session. The valid contents of variable must follow the TLS CipherList format defined in RFC 5246. The valid length of variable must be an integral multiple of 2. For example, if below cipher suites are preferred: CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 =3D {0x00,0x3C} CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 =3D {0x00,0x3D} Then, the contents of variable should be: {0x00,0x3C,0x00,0x3D} Cc: Laszlo Ersek Cc: Kinney Michael D Cc: Zimmer Vincent Cc: Yao Jiewen Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin Reviewed-by: Fu Siyuan --- NetworkPkg/Include/Guid/HttpTlsCipherList.h | 38 +++++++++++++++++++++++++= ++++ NetworkPkg/NetworkPkg.dec | 3 +++ 2 files changed, 41 insertions(+) create mode 100644 NetworkPkg/Include/Guid/HttpTlsCipherList.h 
diff --git a/NetworkPkg/Include/Guid/HttpTlsCipherList.h b/NetworkPkg/Inclu= de/Guid/HttpTlsCipherList.h new file mode 100644 index 0000000..c2e3e65 --- /dev/null +++ b/NetworkPkg/Include/Guid/HttpTlsCipherList.h @@ -0,0 +1,38 @@ +/** @file + This file defines the HttpTlsCipherList variable for HTTPS to configure = Tls Cipher List. + +Copyright (c) 2018, Intel Corporation. All rights reserved.
+This program and the accompanying materials are licensed and made availabl= e under +the terms and conditions of the BSD License that accompanies this distribu= tion. +The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php. + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __HTTP_TLS_CIPHER_LIST_H__ +#define __HTTP_TLS_CIPHER_LIST_H__ + +// +// Private Variable for HTTPS to configure Tls Cipher List. +// The valid contents of variable must follow the TLS CipherList format de= fined in RFC 5246.=20 +// The valid length of variable must be an integral multiple of 2. +// For example, if below cipher suites are preferred: +// CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 =3D {0x00,0x3C} +// CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 =3D {0x00,0x3D} +// Then, the contents of variable should be: +// {0x00,0x3C,0x00,0x3D} +// +#define EDKII_HTTP_TLS_CIPHER_LIST_GUID \ + { \ + 0x46ddb415, 0x5244, 0x49c7, { 0x93, 0x74, 0xf0, 0xe2, 0x98, 0xe7, 0xd3= , 0x86 } \ + } + =20 +#define EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE L"HttpTlsCipherList" + +extern EFI_GUID gHttpTlsCipherListGuid; + +#endif + diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index 902df37..9742ad5 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec 
@@ -44,10 +44,13 @@ gTlsAuthConfigGuid =3D { 0xb0eae4f8, 0x9a04, 0x4c6d, { 0xa7, = 0x48, 0x79, 0x3d, 0xaa, 0xf, 0x65, 0xdf }} =20 # Include/Guid/TlsAuthentication.h gEfiTlsCaCertificateGuid =3D { 0xfd2340D0, 0x3dab, 0x4349, { 0xa6, = 0xc7, 0x3b, 0x4f, 0x12, 0xb4, 0x8e, 0xae }} =20 + # Include/Guid/HttpTlsCipherList.h + gHttpTlsCipherListGuid =3D { 0x46ddb415, 0x5244, 0x49c7, { 0x93, = 0x74, 0xf0, 0xe2, 0x98, 0xe7, 0xd3, 0x86 }} + [PcdsFixedAtBuild] ## The max attempt number will be created by iSCSI driver. # @Prompt Max attempt number. gEfiNetworkPkgTokenSpaceGuid.PcdMaxIScsiAttemptNumber|0x08|UINT8|0x00000= 00D =20 --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sun May 19 00:17:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1518318927623891.8868809172617; Sat, 10 Feb 2018 19:15:27 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id D1ADA22361E4F; Sat, 10 Feb 2018 19:09:36 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 7A755223DB787 for ; Sat, 10 Feb 2018 19:09:35 -0800 (PST) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Feb 2018 19:15:23 -0800 Received: from jiaxinwu-mobl2.ccr.corp.intel.com ([10.239.196.51]) by fmsmga005.fm.intel.com with ESMTP; 10 Feb 2018 19:15:21 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is 
neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,493,1511856000"; d="scan'208";a="203071667" From: Jiaxin Wu To: edk2-devel@lists.01.org Date: Sun, 11 Feb 2018 11:15:16 +0800 Message-Id: <1518318916-12816-3-git-send-email-jiaxin.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: <1518318916-12816-1-git-send-email-jiaxin.wu@intel.com> References: <1518318916-12816-1-git-send-email-jiaxin.wu@intel.com> Subject: [edk2] [PATCH v2 2/2] NetworkPkg: Read HttpTlsCipherList variable and configure it for HTTPS session. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Zimmer Vincent , Ye Ting , Wu Jiaxin , Yao Jiewen , Kinney Michael D , Fu Siyuan , Laszlo Ersek MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" v2: * Refine the error handling returned from GetVariable. This patch is to read the HttpTlsCipherList variable and configure it for t= he later HTTPS session. If the variable is not set by any platform, EFI_NOT_FOUND will be returned from GetVariable service. In such a case, the default CipherList created in TlsDxe driver will be used. Cc: Laszlo Ersek Cc: Kinney Michael D Cc: Zimmer Vincent Cc: Yao Jiewen Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 
Signed-off-by: Wu Jiaxin Reviewed-by: Ye Ting Reviewed-by: Fu Siyuan --- NetworkPkg/HttpDxe/HttpDriver.h | 3 +- NetworkPkg/HttpDxe/HttpDxe.inf | 3 +- NetworkPkg/HttpDxe/HttpsSupport.c | 92 +++++++++++++++++++++++++++++++++++= +++- 3 files changed, 95 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDrive= r.h index 93a412a..3b7a7a2 100644 --- a/NetworkPkg/HttpDxe/HttpDriver.h +++ b/NetworkPkg/HttpDxe/HttpDriver.h @@ -1,9 +1,9 @@ /** @file The header files of the driver binding and service binding protocol for = HttpDxe driver. =20 - Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
=20 This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -59,10 +59,11 @@ // Produced Protocols // #include =20 #include +#include =20 #include =20 // // Driver Version diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf index 20075f5..56a2472 100644 --- a/NetworkPkg/HttpDxe/HttpDxe.inf +++ b/NetworkPkg/HttpDxe/HttpDxe.inf @@ -1,9 +1,9 @@ ## @file # Implementation of EFI HTTP protocol interfaces. # -# Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
+# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the B= SD License # which accompanies this distribution. The full text of the license may b= e found at # http://opensource.org/licenses/bsd-license.php. @@ -72,10 +72,11 @@ gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES =20 [Guids] gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES = ## Variable:L"TlsCaCertificate" + gHttpTlsCipherListGuid ## SOMETIMES_CONSUMES = ## Variable:L"HttpTlsCipherList" =20 [Pcd] gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES gEfiNetworkPkgTokenSpaceGuid.PcdHttpsAuthenticationMode ## SOMETIMES_= CONSUMES gEfiNetworkPkgTokenSpaceGuid.PcdHttpsHostPublicCert ## SOMETIMES_= CONSUMES diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 288082a..fbe4087 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -1,9 +1,9 @@ /** @file Miscellaneous routines specific to Https for HttpDxe driver. =20 -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php 
@@ -492,10 +492,91 @@ TlsConfigCertificate (
 =20
 return Status;
 }
 =20
 /**
+ Read the HttpTlsCipherList variable and configure it for HTTPS session.
+
+ @param[in, out] HttpInstance The HTTP instance private data.
+
+ @retval EFI_SUCCESS The prefered HTTP TLS CipherList is confi= gured.
+ @retval EFI_NOT_FOUND Fail to get 'HttpTlsCipherList' variable.
+ @retval EFI_INVALID_PARAMETER The contents of variable are invalid.
+ @retval EFI_OUT_OF_RESOURCES Can't allocate memory resources.
+
+ @retval Others Other error as indicated.
+
+**/
+EFI_STATUS
+TlsConfigCipherList (
+ IN OUT HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *CipherList;
+ UINTN CipherListSize;
+
+ CipherList =3D NULL;
+ CipherListSize =3D 0;
+
+ //
+ // Try to read the HttpTlsCipherList variable.
+ //
+ Status =3D gRT->GetVariable (
+ EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+ &gHttpTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ NULL
+ );
+ ASSERT (EFI_ERROR (Status));
+ if (Status !=3D EFI_BUFFER_TOO_SMALL) {
+ return Status;
+ }
+
+ if (CipherListSize % sizeof (EFI_TLS_CIPHER) !=3D 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Allocate buffer and read the config variable.
+ //
+ CipherList =3D AllocatePool (CipherListSize);
+ if (CipherList =3D=3D NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Status =3D gRT->GetVariable (
+ EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
+ &gHttpTlsCipherListGuid,
+ NULL,
+ &CipherListSize,
+ CipherList
+ );
+ if (EFI_ERROR (Status)) {
+ //
+ // GetVariable still error or the variable is corrupted.
+ //
+ goto ON_EXIT;
+ }
+
+ ASSERT (CipherList !=3D NULL);
+
+ Status =3D HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsCipherList,
+ CipherList,
+ CipherListSize
+ );
+
+ON_EXIT: =20
+ FreePool (CipherList);
+ =20
+ return Status;
+}
+
+/**
 Configure TLS session data.
 =20
 @param[in, out] HttpInstance The HTTP instance private data.
 =20
 @retval EFI_SUCCESS TLS session data is configured. 
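Review bot: Both GetVariable calls in TlsConfigCipherList pass `NULL` for Attributes, so the cipher list is handed to SetSessionData regardless of how the variable was created; if a platform creates it as runtime-accessible, anything able to call SetVariable at OS runtime can change the suites offered on the next HTTPS boot. Retrieving the attributes on the second call and rejecting the variable when `EFI_VARIABLE_RUNTIME_ACCESS` is set would confine the override to boot-time platform code (whether that matches how platforms are expected to create it is not visible in this patch, so the policy is worth stating in the header comment either way). The size returned by the second call is also never re-checked: the `% sizeof (EFI_TLS_CIPHER)` test only covers the size from the probe call, and a variable rewritten between the two calls comes back with an updated CipherListSize that skips validation. The `ASSERT (CipherList != NULL)` after the second read is redundant, since the NULL case already returned EFI_OUT_OF_RESOURCES.
```c
  UINT32     Attributes;
  // … unchanged: probe GetVariable, size check, AllocatePool …
  Status = gRT->GetVariable (
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
                  &gHttpTlsCipherListGuid,
                  &Attributes,
                  &CipherListSize,
                  CipherList
                  );
  if (EFI_ERROR (Status)) {
    goto ON_EXIT;
  }

  //
  // Honor only a boot-services-only variable, and re-validate the size
  // actually returned, which may differ from the probe call.
  //
  if (((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) != 0) ||
      (CipherListSize % sizeof (EFI_TLS_CIPHER) != 0)) {
    Status = EFI_INVALID_PARAMETER;
    goto ON_EXIT;
  }
  // … unchanged: SetSessionData, ON_EXIT …
```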
@@ -551,10 +632,19 @@ TlsConfigureSession (
 if (EFI_ERROR (Status)) {
 return Status;
 }
 =20
 //
+ // Tls Cipher List
+ //
+ Status =3D TlsConfigCipherList (HttpInstance);
+ if (EFI_ERROR (Status) && Status !=3D EFI_NOT_FOUND) {
+ DEBUG ((EFI_D_ERROR, "TlsConfigCipherList: return %r error.\n", Status= ));
+ return Status;
+ }
+
+ //
 // Tls Config Certificate
 //
 Status =3D TlsConfigCertificate (HttpInstance);
 if (EFI_ERROR (Status)) {
 DEBUG ((EFI_D_ERROR, "TlsConfigCertificate: return %r error.\n", Statu= s));
--=20
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
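Review bot: The `Status != EFI_NOT_FOUND` exception in the new `if` is the only place in the source that records that an absent variable is the normal case rather than a failure; the commit message explains it, the code does not. A comment above the `if` such as `// EFI_NOT_FOUND: no platform override is set, keep the default CipherList built by TlsDxe.` would keep the next reader from "fixing" it. It is also worth noting there that every other failure, including an odd-length variable, now aborts the whole HTTPS session — that is the fail-closed choice and looks intended, but should be stated. TlsConfigureSession starts before and continues after this hunk.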