From: abnchang <abnchang@amd.com>
Consume the HttpsTlsConfigDataProtocol protocol, when it is installed
on the HTTP protocol handle, to override the default TLS
configuration data.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
NetworkPkg/HttpDxe/HttpDriver.h | 1 +
NetworkPkg/HttpDxe/HttpProto.h | 10 +---
NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
4 files changed, 80 insertions(+), 29 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..ec58677c3f1 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiHttpsTlsConfigDataProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..66c924e3030 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
#include <Protocol/Tls.h>
#include <Protocol/TlsConfig.h>
#include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
#include <Guid/ImageAuthentication.h>
//
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 012f1f4b467..fbccffa8e71 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct {
EFI_HTTP_METHOD Method;
} HTTP_TCP_TOKEN_WRAP;
-typedef struct {
- EFI_TLS_VERSION Version;
- EFI_TLS_CONNECTION_END ConnectionEnd;
- EFI_TLS_VERIFY VerifyMethod;
- EFI_TLS_VERIFY_HOST VerifyHost;
- EFI_TLS_SESSION_STATE SessionState;
-} TLS_CONFIG_DATA;
-
//
// Callback data for HTTP_PARSER_CALLBACK()
//
@@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL {
EFI_SERVICE_BINDING_PROTOCOL *TlsSb;
EFI_HANDLE TlsChildHandle; /// Tls ChildHandle
- TLS_CONFIG_DATA TlsConfigData;
+ HTTPS_TLS_CONFIG_DATA TlsConfigData;
EFI_TLS_PROTOCOL *Tls;
EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration;
EFI_TLS_SESSION_STATE TlsSessionState;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index fb7c1ea59f2..96ecdd1d848 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,58 @@ IsHttpsUrl (
return FALSE;
}
+/**
+ Get application HTTP TLS configuration data from HTTP handle.
+
+ @param[in] HttpInstance The HTTP protocol handle instance.
+
+ @retval EFI_SUCCESS Application HTTP TLS configuration data is
+ loaded in HttpInstance->TlsConfigData.
+ @retval EFI_UNSUPPORTED No application HTTP TLS configuration data
+
+**/
+EFI_STATUS
+GetHttpsTlsConfigData (
+ IN HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL *HttpsTlsConfigData;
+
+ Status = gBS->HandleProtocol (
+ HttpInstance->Handle,
+ &gEdkiiHttpsTlsConfigDataProtocolGuid,
+ (VOID **)&HttpsTlsConfigData
+ );
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (HttpsTlsConfigData->Version.Major >= 1) {
+ HttpInstance->TlsConfigData.ConnectionEnd = HttpsTlsConfigData->HttpsTlsConfigData.ConnectionEnd;
+ HttpInstance->TlsConfigData.SessionState = HttpsTlsConfigData->HttpsTlsConfigData.SessionState;
+ HttpInstance->TlsConfigData.VerifyHost = HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost;
+ HttpInstance->TlsConfigData.VerifyMethod = HttpsTlsConfigData->HttpsTlsConfigData.VerifyMethod;
+ } else {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - %d.%d.\n",
+ __func__,
+ HttpsTlsConfigData->Version.Major,
+ HttpsTlsConfigData->Version.Minor
+ ));
+ return EFI_UNSUPPORTED;
+ }
+
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP handle:0x%x.\n",
+ __func__,
+ HttpInstance->Handle
+ ));
+ return EFI_SUCCESS;
+}
+
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
@@ -208,6 +260,13 @@ TlsCreateChild (
return Status;
}
+ // Initial default TLS configuration data.
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+
return EFI_SUCCESS;
}
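Review bot: The default `VerifyHost.HostName = HttpInstance->RemoteHost` now captures the pointer in TlsCreateChild rather than in TlsConfigureSession, so it is only correct if `RemoteHost` is already assigned at this point and is not reallocated before TlsConfigureSession runs; the earlier placement did not have this ordering dependency. If the caller guarantees that ordering, say so next to the defaults: `// Defaults; RemoteHost must already be set and stay valid until TlsConfigureSession consumes TlsConfigData.` TlsCreateChild's body starts outside the hunk.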
@@ -650,14 +709,8 @@ TlsConfigureSession (
{
EFI_STATUS Status;
- //
- // TlsConfigData initialization
- //
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
- HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ // Get applciation TLS configuration data.
+ GetHttpsTlsConfigData (HttpInstance);
//
// EfiTlsConnectionEnd,
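Review bot: The added comment has a typo ("applciation") and does not explain why the status of `GetHttpsTlsConfigData` is discarded; EFI_UNSUPPORTED covers both "no protocol installed" and "protocol version not understood", and both silently keep the defaults set in TlsCreateChild. Suggest `// Override the defaults with the application's TLS configuration data when the protocol is installed; EFI_UNSUPPORTED (absent or unknown version) keeps the defaults.` in place of the current comment. TlsConfigureSession continues past the hunk on both sides.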
@@ -685,14 +738,16 @@ TlsConfigureSession (
return Status;
}
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
Status = HttpInstance->Tls->SetSessionData (
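Review bot: When the application sets `VerifyMethod` to `EFI_TLS_VERIFY_NONE`, this hunk skips the `EfiTlsVerifyHost` session data and the hunk at `@@ -717,10 +772,12 @@` skips `TlsConfigCertificate`, so the session is established without any server authentication and nothing records that decision. Since this is a deliberate downgrade requested by a third-party protocol, it should be logged once where the decision is taken, e.g. `DEBUG ((DEBUG_WARN, "%a: TLS peer verification disabled by application configuration.\n", __func__));` in an `else` branch of the new condition here. Separately, when `VerifyMethod` is not NONE but the producer supplied a `VerifyHost` whose `HostName` is NULL, that value is now passed to `SetSessionData`; whether TlsDxe rejects it is not visible here, so either fall back to `HttpInstance->RemoteHost` when `HostName == NULL` or document the requirement on the producer. The enclosing TlsConfigureSession extends beyond the hunk on both sides.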
@@ -717,10 +772,12 @@ TlsConfigureSession (
//
// Tls Config Certificate
//
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
}
//
--
2.37.1.windows.1