From: "Saloni Kasbekar"
To: devel@edk2.groups.io
Cc: Saloni Kasbekar, Maciej Rabeda, Wu Jiaxin, Siyuan Fu
Subject: [edk2-devel] [PATCH] NetworkPkg/HttpBootDxe: Add Support for HTTP Boot Basic Authentication
Date: Fri, 17 Jun 2022 12:35:59 -0700
Message-Id: <23405fd0316d53f7976b38f0576a70df34440df8.1655487158.git.saloni.kasbekar@intel.com>
Reply-To: devel@edk2.groups.io, saloni.kasbekar@intel.com

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2504

Add support for TLS Client Authentication using Basic Authentication for HTTP Boot

Cc: Maciej Rabeda
Cc: Wu Jiaxin
Cc: Siyuan Fu
Signed-off-by: Saloni Kasbekar --- MdePkg/Include/IndustryStandard/Http11.h | 8 +++ MdePkg/Include/Protocol/HttpBootCallback.h | 6 +- NetworkPkg/HttpBootDxe/HttpBootClient.c | 84 +++++++++++++++++++++- NetworkPkg/HttpBootDxe/HttpBootClient.h | 6 +- NetworkPkg/HttpBootDxe/HttpBootDxe.h | 6 ++ NetworkPkg/HttpBootDxe/HttpBootImpl.c | 23 +++++- 6 files changed, 128 insertions(+), 5 deletions(-) diff --git a/MdePkg/Include/IndustryStandard/Http11.h b/MdePkg/Include/Indu= stryStandard/Http11.h index f1f113e04b..2137ef1f1a 100644 --- a/MdePkg/Include/IndustryStandard/Http11.h +++ b/MdePkg/Include/IndustryStandard/Http11.h @@ -204,6 +204,14 @@ /// #define HTTP_HEADER_IF_NONE_MATCH "If-None-Match" =20 +/// +/// The WWW-Authenticate Response Header +/// If a server receives a request for an access-protected object, and an +/// acceptable Authorization header is not sent, the server responds with +/// a "401 Unauthorized" status code, and a WWW-Authenticate header. +/// +#define HTTP_HEADER_WWW_AUTHENTICATE "WWW-Authenticate" + /// /// Authorization Request Header /// The Authorization field value consists of credentials diff --git a/MdePkg/Include/Protocol/HttpBootCallback.h b/MdePkg/Include/Pr= otocol/HttpBootCallback.h index 926f6c1b30..b56c631b1f 100644 --- a/MdePkg/Include/Protocol/HttpBootCallback.h +++ b/MdePkg/Include/Protocol/HttpBootCallback.h @@ -32,7 +32,7 @@ typedef enum { /// HttpBootDhcp6, /// - /// Data points to an EFI_HTTP_MESSAGE structure, whichcontians a HTTP r= equest message + /// Data points to an EFI_HTTP_MESSAGE structure, which contains a HTTP = request message /// to be transmitted. /// HttpBootHttpRequest, @@ -46,6 +46,10 @@ typedef enum { /// buffer of the entity body data. /// HttpBootHttpEntityBody, + /// + /// Data points to the authentication information to provide to the HTTP= server. + /// + HttpBootHttpAuthInfo, HttpBootTypeMax } EFI_HTTP_BOOT_CALLBACK_DATA_TYPE; =20 
diff --git a/NetworkPkg/HttpBootDxe/HttpBootClient.c b/NetworkPkg/HttpBootD= xe/HttpBootClient.c index 62e87238fe..448141fb7c 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootClient.c +++ b/NetworkPkg/HttpBootDxe/HttpBootClient.c @@ -922,6 +922,7 @@ HttpBootGetBootFileCallback ( @retval EFI_BUFFER_TOO_SMALL The BufferSize is too small to read the= current directory entry. BufferSize has been updated with the si= ze needed to complete the request. + @retval EFI_ACCESS_DENIED The server needs to authenticate the cl= ient. @retval Others Unexpected error happened. =20 **/ @@ -951,6 +952,9 @@ HttpBootGetBootFile ( CHAR16 *Url; BOOLEAN IdentityMode; UINTN ReceivedSize; + CHAR8 BaseAuthValue[80]; + EFI_HTTP_HEADER *HttpHeader; + CHAR8 *Data; =20 ASSERT (Private !=3D NULL); ASSERT (Private->HttpCreated); @@ -1009,8 +1013,9 @@ HttpBootGetBootFile ( // Host // Accept // User-Agent + // [Authorization] // - HttpIoHeader =3D HttpIoCreateHeader (3); + HttpIoHeader =3D HttpIoCreateHeader ((Private->AuthData !=3D NULL) ? 4 := 3); if (HttpIoHeader =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; goto ERROR_2; @@ -1063,6 +1068,35 @@ HttpBootGetBootFile ( goto ERROR_3; } =20 + // + // Add HTTP header field 4: Authorization + // + if (Private->AuthData !=3D NULL) { + ASSERT (HttpIoHeader->MaxHeaderCount =3D=3D 4); + + if ((Private->AuthScheme !=3D NULL) && (CompareMem (Private->AuthSchem= e, "Basic", 5) !=3D 0)) { + Status =3D EFI_UNSUPPORTED; + goto ERROR_3; + } + + AsciiSPrint ( + BaseAuthValue, + sizeof (BaseAuthValue), + "%a %a", + "Basic", + Private->AuthData + ); + + Status =3D HttpIoSetHeader ( + HttpIoHeader, + HTTP_HEADER_AUTHORIZATION, + BaseAuthValue + ); + if (EFI_ERROR (Status)) { + goto ERROR_3; + } + } + // // 2.2 Build the rest of HTTP request info. // @@ -1111,6 +1145,7 @@ HttpBootGetBootFile ( goto ERROR_4; } =20 + Data =3D NULL; Status =3D HttpIoRecvResponse ( &Private->HttpIo, TRUE, 
@@ -1121,6 +1156,53 @@ HttpBootGetBootFile ( StatusCode =3D HttpIo->RspToken.Message->Data.Response->StatusCode; HttpBootPrintErrorMessage (StatusCode); Status =3D ResponseData->Status; + if ((StatusCode =3D=3D HTTP_STATUS_401_UNAUTHORIZED) || \ + (StatusCode =3D=3D HTTP_STATUS_407_PROXY_AUTHENTICATION_REQUIRED= )) + { + // + // Server indicates the user has to provide a user-id and password= as a means of identification. + // + if (Private->HttpBootCallback !=3D NULL) { + Data =3D AllocateZeroPool (sizeof (CHAR8) * HTTP_BOOT_AUTHENTICA= TION_INFO_MAX_LEN); + if (Data =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ERROR_4; + } + + Status =3D Private->HttpBootCallback->Callback ( + Private->HttpBootCallback, + HttpBootHttpAuthInfo, + TRUE, + HTTP_BOOT_AUTHENTICATION_I= NFO_MAX_LEN, + Data + ); + if (EFI_ERROR (Status)) { + if (Data !=3D NULL) { + FreePool (Data); + } + + goto ERROR_5; + } + + Private->AuthData =3D (CHAR8 *)Data; + } + + HttpHeader =3D HttpFindHeader ( + ResponseData->HeaderCount, + ResponseData->Headers, + HTTP_HEADER_WWW_AUTHENTICATE + ); + if (HttpHeader !=3D NULL) { + Private->AuthScheme =3D AllocateZeroPool (AsciiStrLen (HttpHeade= r->FieldValue) + 1); + if (Private->AuthScheme =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (Private->AuthScheme, HttpHeader->FieldValue, AsciiStrLe= n (HttpHeader->FieldValue)); + } + + Status =3D EFI_ACCESS_DENIED; + } } =20 goto ERROR_5; diff --git a/NetworkPkg/HttpBootDxe/HttpBootClient.h b/NetworkPkg/HttpBootD= xe/HttpBootClient.h index 406529dfd9..2fba713679 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootClient.h +++ b/NetworkPkg/HttpBootDxe/HttpBootClient.h 
@@ -10,8 +10,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #ifndef __EFI_HTTP_BOOT_HTTP_H__ #define __EFI_HTTP_BOOT_HTTP_H__ =20 -#define HTTP_BOOT_BLOCK_SIZE 1500 -#define HTTP_USER_AGENT_EFI_HTTP_BOOT "UefiHttpBoot/1.0" +#define HTTP_BOOT_BLOCK_SIZE 1500 +#define HTTP_USER_AGENT_EFI_HTTP_BOOT "UefiHttpBoot/1.0" +#define HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN 255 =20 // // Record the data length and start address of a data block. @@ -106,6 +107,7 @@ HttpBootCreateHttpIo ( @retval EFI_BUFFER_TOO_SMALL The BufferSize is too small to read the= current directory entry. BufferSize has been updated with the si= ze needed to complete the request. + @retval EFI_ACCESS_DENIED The server needs to authenticate the cl= ient. @retval Others Unexpected error happened. =20 **/ diff --git a/NetworkPkg/HttpBootDxe/HttpBootDxe.h b/NetworkPkg/HttpBootDxe/= HttpBootDxe.h index 5acbae9bfa..5ff8ad4698 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDxe.h +++ b/NetworkPkg/HttpBootDxe/HttpBootDxe.h @@ -183,6 +183,12 @@ struct _HTTP_BOOT_PRIVATE_DATA { UINT64 ReceivedSize; UINT32 Percentage; =20 + // + // Data for the server to authenticate the client + // + CHAR8 *AuthData; + CHAR8 *AuthScheme; + // // HII callback info block // diff --git a/NetworkPkg/HttpBootDxe/HttpBootImpl.c b/NetworkPkg/HttpBootDxe= /HttpBootImpl.c index 3da585a291..b4c61925b9 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootImpl.c +++ b/NetworkPkg/HttpBootDxe/HttpBootImpl.c 
@@ -360,7 +360,18 @@ HttpBootLoadFile ( NULL, &Private->ImageType ); - if (EFI_ERROR (Status) && (Status !=3D EFI_BUFFER_TOO_SMALL)) { + if ((Private->AuthData !=3D NULL) && (Status =3D=3D EFI_ACCESS_DENIED)= ) { + // + // Try to use HTTP HEAD method again since the Authentication inform= ation is provided. + // + Status =3D HttpBootGetBootFile ( + Private, + TRUE, + &Private->BootFileSize, + NULL, + &Private->ImageType + ); + } else if ((EFI_ERROR (Status)) && (Status !=3D EFI_BUFFER_TOO_SMALL))= { + // + // Failed to get file size by HEAD method, may be trunked encoding, = try HTTP GET method. + // @@ -489,6 +500,16 @@ HttpBootStop ( } } =20 + if (Private->AuthData !=3D NULL) { + FreePool (Private->AuthData); + Private->AuthData =3D NULL; + } + + if (Private->AuthScheme !=3D NULL) { + FreePool (Private->AuthScheme); + Private->AuthScheme =3D NULL; + } + if (Private->DnsServerIp !=3D NULL) { FreePool (Private->DnsServerIp); Private->DnsServerIp =3D NULL; --=20 2.26.2.windows.1
View/Reply Online (#90585): https://edk2.groups.io/g/devel/message/90585
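Review bot: in the MdePkg/Include/Protocol/HttpBootCallback.h hunk that adds HttpBootHttpAuthInfo, the comment "Data points to the authentication information to provide to the HTTP server" does not tell a callback implementer what to write. From the HttpBootClient.c side, Data is a zero-filled CHAR8 buffer of DataLength = HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN bytes that must receive the already base64-encoded "user-id:password" string, NUL-terminated, without a "Basic " prefix (the driver prepends the scheme itself). Spell that out here, since this is the public protocol header, and say why the callback is invoked with Received = TRUE although the data flows from the platform to the driver, not from the server. EFI_HTTP_BOOT_CALLBACK_DATA_TYPE belongs to EFI_HTTP_BOOT_CALLBACK_PROTOCOL, which is defined by the UEFI specification, so a new enumerator before HttpBootTypeMax should cite the matching specification change in the commit message.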
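Review bot: in the HttpBootClient.c hunk at @@ -951,6 +952,9 @@ the new local `CHAR8 BaseAuthValue[80];` is sized independently of HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN (255). A credential longer than 73 base64 characters makes AsciiSPrint truncate "Basic <cred>" silently, so the driver sends a corrupted Authorization value and gets a second 401 instead of reporting an error. Size the buffer from the limit, e.g. `CHAR8 BaseAuthValue[sizeof ("Basic ") + HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN];`, or compare the AsciiSPrint return value with AsciiStrLen (Private->AuthData) + 6 and fail with EFI_INVALID_PARAMETER when it is shorter.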
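Review bot: in the HttpBootClient.c hunk at @@ -1063,6 +1068,35 @@ the check `CompareMem (Private->AuthScheme, "Basic", 5) != 0` reads five bytes from a buffer that is only AsciiStrLen (FieldValue) + 1 bytes long, so a server that returns a WWW-Authenticate value shorter than five characters causes an out-of-bounds read; use AsciiStrnCmp, and compare case-insensitively, because RFC 7235 defines the auth-scheme token as case-insensitive ("basic" and "BASIC" are valid). The comparison also only accepts "Basic" at the very start of the field value, so a server that lists several challenges ("Digest ..., Basic realm=...") is rejected with EFI_UNSUPPORTED even though it accepts Basic; scanning the comma-separated challenge list for a Basic entry would be more robust. Finally, nothing here ties the Authorization header to an https:// BootFileUri: base64 is not encryption, and over plain http:// the boot credentials travel in cleartext. Either refuse to add the header for a non-TLS URL or document that the platform callback must only release credentials for HTTPS boot.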
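Review bot: in the HttpBootClient.c hunk at @@ -1121,6 +1156,53 @@ the `return EFI_OUT_OF_RESOURCES;` after the AllocateZeroPool of Private->AuthScheme bypasses the ERROR_5 cleanup path the rest of the function uses, leaking RequestData, HttpIoHeader and the other allocations; it should be `Status = EFI_OUT_OF_RESOURCES; goto ERROR_5;`. Private->AuthData and Private->AuthScheme are also assigned without freeing an existing value, so the second 401 (wrong credentials, retried from HttpBootLoadFile) leaks the previous buffers; free them before reassigning. For HTTP_STATUS_407_PROXY_AUTHENTICATION_REQUIRED the challenge header is Proxy-Authenticate and the credential header is Proxy-Authorization, not WWW-Authenticate and Authorization, so either handle those or drop 407 from the condition. Two smaller points: the `if (Data != NULL)` guard before FreePool is redundant since Data was just checked, and the callback is asked for credentials before the WWW-Authenticate header is examined, so the platform is prompted even when the scheme is later rejected as unsupported; look the header up and check the scheme first. Since the callback could fill all HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN bytes, force `Data[HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN - 1] = '\0';` before storing it, otherwise the later AsciiSPrint "%a" reads past the buffer.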
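Review bot: in the HttpBootClient.h hunk that adds HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN, the define carries no comment saying what the 255 counts. From the call site it is the size in bytes of the buffer handed to the callback, including the NUL terminator, holding the base64-encoded "user-id:password" string, which means at most 254 base64 characters, or roughly 190 bytes of raw credential. State that next to the define so platform code that sizes user input knows the limit and the encoding it applies to.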
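Review bot: in the HttpBootDxe.h hunk adding AuthData and AuthScheme to _HTTP_BOOT_PRIVATE_DATA, the comment "Data for the server to authenticate the client" should say what each field actually holds: AuthData is the base64 Basic credential (sensitive, effectively cleartext) supplied by the platform callback, and AuthScheme is the full WWW-Authenticate field value including the realm, not only the scheme token. Also note there that both are owned by the driver and released in HttpBootStop, so readers do not look for a free on the HttpBootGetBootFile error paths.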
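Review bot: in the HttpBootImpl.c hunk at @@ -360,7 +360,18 @@ the retried HEAD is an alternative branch to the existing GET fallback, so its result never reaches `else if ((EFI_ERROR (Status)) && (Status != EFI_BUFFER_TOO_SMALL))`: a server that answers the authenticated HEAD with an error (for example chunked encoding or a rejected HEAD) loses the GET fallback the original code provided. Run the retry first and let the unchanged `if (EFI_ERROR (Status) && (Status != EFI_BUFFER_TOO_SMALL))` check evaluate the retried Status. The retry also happens exactly once, so wrong credentials return EFI_ACCESS_DENIED without consulting the callback again; if that is intentional, say so in a comment. The re-added comment line still reads "may be trunked encoding"; since the line is being touched, make it "chunked encoding".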
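Review bot: in the HttpBootStop hunk at @@ -489,6 +500,16 @@, Private->AuthData holds the base64 credential, so it should be wiped before release, e.g. `ZeroMem (Private->AuthData, AsciiStrSize (Private->AuthData));` ahead of the FreePool, so the secret does not linger in freed pool memory for the rest of the boot. AuthScheme is not secret and can be freed as written.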