summaryrefslogtreecommitdiffstats
path: root/NetworkPkg
Commit message (Collapse)AuthorAgeFilesLines
* NetworkPkg/Ip4Dxe: Fix Reset To DefaultAshish Singhal2024-01-191-0/+25
| | | | | | | | | | Exercising reset to default does not reset the settings. Add handler code for the case where configuration is disabled. Signed-off-by: Ashish Singhal <ashishsingha@nvidia.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg: RFC1323 definition changed to RFC7323Suqiang Ren2024-01-162-2/+2
| | | | | | | | | | | | | According to UEFI spec 2.10, the definition of RFC1323 has changed to RFC7323 on EFI_TCP6_OPTION. So align this change on NetworkPkg. REF: UEFI spec 2.10 section 28.2.5 Signed-off-by: Suqiang Ren <suqiangx.ren@intel.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Triger regularly scan only if not connect to APHeng Luo2024-01-151-2/+2
| | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4605 When UEFI Wi-Fi is in BSS connected state, the platform is considered as a static and Wi-Fi roaming support is not needed. Wifi connection manager should not initiate Scan requests in this state affect BSS client connectivity and must be avoided. Triger regularly scan only if not connect to AP. Signed-off-by: Heng Luo <heng.luo@intel.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Add HttpEventTlsConfigured HTTP callback eventAbner Chang2024-01-103-3/+16
| | | | | | | | | | | | | | Add HttpEventTlsConfigured HTTP callback event and notify callback functions when TlsConfigureSession () returns. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Consider TLS certificate not found as a success caseAbner Chang2024-01-101-2/+15
| | | | | | | | | | | | | | | | | | We still return EFI_SUCCESS to the caller when TlsConfigCertificate returns error, for the use case the platform doesn't require certificate for the specific HTTP session. This ensures HttpInitSession function still initiated and returns EFI_SUCCESS to the caller. The failure is pushed back to TLS DXE driver if the HTTP communication actually requires certificate. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Refactor TlsCreateChildAbner Chang2024-01-105-65/+64
| | | | | | | | | | | | | | - Use HTTP instance as the parameter for TlsCreateChild function. - Install TLS protocol on the HTTP instance thats create TLS child. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Increase HTTP buffer size and enable TCP window scalingAndrei Otcheretianski2023-09-083-25/+27
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4505 This gives something like ~3 fold throughput boost. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* MdeModulePkg: Duplicate BaseRngLibTimerLib to MdeModulePkgPierre Gondois2023-09-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504 The BaseRngLibTimerLib allows to generate number based on a timer. This mechanism allows to have a basic non-secure implementation for non-production platforms. To bind and identify Random Number Generators implementations with a GUID, an unsafe GUID should be added. This GUID cannot be added to the MdePkg unless it is also added to a specification. To keep the MdePkg self-contained, copy the BaseRngLibTimerLib to the MdeModulePkg. This will allow to define an unsafe Rng GUID in a later patch in the MdeModulePkg. The MdePkg implementation will be removed later. This allows to give some time to platform owners to switch to the MdeModulePkg implementation. Signed-off-by: Pierre Gondois <pierre.gondois@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Kun Qin <kun.qin@microsoft.com>
* NetworkPkg/HttpDxe: fix driver binding start issue.devel@edk2.groups.io2023-07-201-2/+11
| | | | | | | | | | | | | | | | | When failure happens in HttpDxeStart, the error handling code release the memory buffer but it does not uninstall HTTP service binding protocol. As the result, application can still locate this protocol and invoke service binding functions in released memory pool. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Abner Chang <abner.chang@amd.com> Cc: Igor Kulchytskyy <igork@ami.com> Cc: Nick Ramirez <nramirez@nvidia.com> Signed-off-by: Nickle Wang <nicklew@nvidia.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg: Correct the length of EAP Identity when in ASCII formatdevel@edk2.groups.io2023-06-281-4/+17
| | | | | | | | | | | | | | FIX: https://bugzilla.tianocore.org/show_bug.cgi?id=4477 Tls connection fail over WiFi in AMT OCR flow due to invalid identity. This was due to missing conversion between unicode and ascii string which resulted in invalid strlen. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Zachary Clark-Williams <zachary.clark-williams@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Zachary Clark-Williams <zachary.clark-williams@intel.com>
* NetworkPkg: Update code to be more C11 compliant by using __func__Rebecca Cran2023-04-102-10/+10
| | | | | | | | | | | | __FUNCTION__ is a pre-standard extension that gcc and Visual C++ among others support, while __func__ was standardized in C99. Since it's more standard, replace __FUNCTION__ with __func__ throughout NetworkPkg. Signed-off-by: Rebecca Cran <rebecca@bsdio.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
* NetworkPkg: Fix conditionally uninitialized variablesMichael Kubacki2023-04-032-1/+4
| | | | | | | | | | | | | | | | Fixes CodeQL alerts for CWE-457: https://cwe.mitre.org/data/definitions/457.html Cc: Erich McMillan <emcmillan@microsoft.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Co-authored-by: Erich McMillan <emcmillan@microsoft.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com>
* NetworkPkg: Add WiFi profile sync protocol supportZachary Clark-Williams2023-01-108-73/+390
| | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3845 Enables KVM and One Click Recovery WLAN capability with WiFi Profile Sync feature and protocol. Adding WiFiProfileSyncProtocol, which supports the profilesync driver operations for transferring WiFi profiles from AMT to the Supplicant. WiFiConnectionManager will check for the WifiProfileSyncProtocol and if found will operate on the premise of a One Click Recovery, or KVM flow with a Wifi profile provided by AMT. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: Add LoongArch64 architecture.Chao Li2022-10-141-1/+2
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LoongArch64 architecture in to NetworkPkg. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg/HttpBootDxe: Add LOONGARCH64 architecture for EDK2 CI.Chao Li2022-10-141-0/+3
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LOONGARCH architecture for EDK2 CI testing. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: Add LOONGARCH64 architecture for EDK2 CI.Chao Li2022-10-141-1/+2
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LOONGARCH64 architecture for EDK2 CI testing. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg/TcpDxe: Fix debug macro argumentsMichael Kubacki2022-09-091-10/+2
| | | | | | | | | | Removes Status argument that is not needed from DEBUG macros. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg/HttpBootDxe: Add Support for HTTP Boot Basic AuthenticationSaloni Kasbekar2022-07-194-4/+130
| | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2504 Add support for TLS Client Authentication using Basic Authentication for HTTP Boot Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Add Wi-Fi Wpa3 support in WifiConnectManagerHeng Luo2022-07-016-33/+119
| | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=3961 Add below Wpa3 support: WPA3-Personal: Ieee80211AkmSuiteSAE = 8 WPA3-Enterprise: Ieee80211AkmSuite8021XSuiteB = 11 Ieee80211AkmSuite8021XSuiteB192 = 12 Wi-Fi CERTIFIED Enhanced Open: Ieee80211AkmSuiteOWE = 18 Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Signed-off-by: Heng Luo <heng.luo@intel.com>
* NetworkPkg: Remove RVCT supportRebecca Cran2022-05-131-2/+1
| | | | | | | | RVCT is obsolete and no longer used. Remove support for it. Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
* NetworkPkg/HttpDxe: Detect HTTP/1.0 serversOliver Steffen2022-04-111-0/+8
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Force connection close before the next request if the server identifies as version 1.0. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Detect 'Connection: close' headerOliver Steffen2022-04-111-0/+11
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Force connection close before the next request if the server sends the 'Connection: close' header. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Add ConnectionClose flag fo HTTP_PROTOCOLOliver Steffen2022-04-112-1/+7
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Add ConnectionClose flag to HTTP_PROTOCOL. This boolean is FALSE by default. If set to TRUE, a reconfigure of the Http instance is forced on the next request. The flag is then reset. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Decofigure Tcp6 before reconfiguringOliver Steffen2022-04-111-0/+12
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED, or HTTP_STATE_TCP_CLOSED and de-configure the Tcp6 instance before configuring it again. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Decofigure Tcp4 before reconfiguringOliver Steffen2022-04-111-0/+12
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED, or HTTP_STATE_TCP_CLOSED and de-configure the Tcp4 instance before configuring it again. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg: Add PCDs for HTTP DNS RetryCount and RetryIntervalHeng Luo2022-04-114-0/+26
| | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3889 Currently the HTTP DNS Retry Interval is 2 second and no retry attempt. If DNS response can't arrive in 2 second, the DNS request is failed, and then HTTP boot is failed. In order to resolve this issue, Add PCDs to support RetryCount and RetryInterval configured in Platform. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Signed-off-by: Heng Luo <heng.luo@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Fix incorrect unicode string of the AKM/Cipher Suiteedk2-stable202202Heng Luo2022-02-211-4/+12
| | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3813 The size of buffer should be 3 CHAR16 for Null-terminated Unicode string. The first char is the AKM/Cipher Suite number, the second char is ' ', the third char is '\0'. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Signed-off-by: Heng Luo <heng.luo@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Add the missing VariablePolicyHelperLib in NetworkPkg.dscLiming Gao2022-01-291-0/+1
| | | | | | | | | This change is required by f4b7b473b4afd0093768905529bfae09a2061d41. Signed-off-by: Liming Gao <gaoliming@byosoft.com.cn> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com>
* NetworkPkg: Apply uncrustify changesMichael Kubacki2021-12-07294-30386/+29834
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the NetworkPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Change complex DEBUG_CODE() to DEBUG_CODE_BEGIN/END()Michael D Kinney2021-12-073-8/+8
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767 Update use of DEBUG_CODE(Expression) if Expression is a complex code block with if/while/for/case statements that use {}. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Change OPTIONAL keyword usage styleMichael D Kinney2021-12-0726-50/+45
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760 Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Change use of EFI_D_* to DEBUG_*Michael D Kinney2021-12-0742-286/+274
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3739 Update all use of EFI_D_* defines in DEBUG() macros to DEBUG_* defines. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Fix invalid pointer for DNS response token on erroredk2-stable202111Liming Gao2021-11-261-0/+2
| | | | | | | | | | | Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3719 This issue is introduced by the commit 43d7e607. Token->RspData.H2AData is de-allocated on error but it is not set to NULL. HTTP module attempts to free again and cause assert. Signed-off-by: Baraneedharan Anbazhagan <anbazhagan@hp.com> Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
* NetworkPkg: Reproduce builds across source format changesMichael D Kinney2021-11-082-5/+5
| | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3688 Use DEBUG_LINE_NUMBER instead of __LINE__. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Tested-by: Michael Kubacki <michael.kubacki@microsoft.com>
* NetworkPkg/NetworkPkg.dsc: Add RngLib mapping for ARM and RISCV64Michael D Kinney2021-11-051-0/+6
| | | | | | | | | | | | | | | | Fix NetworkPkg build breaks for ARM and RISCV64 by adding RngLib mapping. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Abner Chang <abner.chang@hpe.com> Cc: Daniel Schaefer <daniel.schaefer@hpe.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Daniel Schaefer <daniel.schaefer@hpe.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Acked-by: Abner Chang <abner.chang@hpe.com>
* NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.Vineel Kovvuri2021-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec this flag does is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." this behavior/definition is coming from openssl's X509_check_host() api https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with HTTPS endpoint. BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691 Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg/HttpBootDxe: make file extension check case-insensitiveLin, Gary (HPS OE-Linux)2021-10-221-3/+3
| | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=3694 HttpBootCheckImageType() was using the case-sensitive AsciiStrCmp() to check the file extensions and this could reject the images with upper-case file names. Using the case-insensitive AsciiStriCmp() to avoid the issue. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Gary Lin <gary.lin@hpe.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Add HTTP Additional Event NotificationsHeng Luo2021-07-287-2/+163
| | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3496 Add new EDKII_HTTP_CALLBACK_PROTOCOL in NetworkPkg, Send HTTP Events via EDKII_HTTP_CALLBACK_PROTOCOL when Dns/ConnectTcp/TlsConnectSession/InitSession occurs. Signed-off-by: Heng Luo <heng.luo@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: Making the HTTP IO timeout value programmable with PCDZachary Clark-Williams2021-07-289-21/+43
| | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3507 HTTP boot has a default set forced timeout value of 5 seconds for getting the recovery image from a remote source. This change allows the HTTP boot flow to get the IO timeout value from the PcdHttpIoTimeout. PcdHttpIoTimeout value is set in platform code. Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macroLaszlo Ersek2021-06-303-1/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | Introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro for NetworkPkg. When explicitly set to FALSE, remove MD5 from IScsiDxe's CHAP algorithm list. Set NETWORK_ISCSI_MD5_ENABLE to TRUE by default, for compatibility reasons. Not just to minimize the disruption for platforms that currently include IScsiDxe, but also because RFC 7143 mandates MD5 for CHAP, and some vendors' iSCSI targets support MD5 only. With MD5 enabled, IScsiDxe will suggest SHA256, and then fall back to MD5 if the target requests it. With MD5 disabled, IScsiDxe will suggest SHA256, and break off the connection (and session) if the target doesn't support SHA256. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210629163337.14120-7-lersek@redhat.com>
* NetworkPkg/IScsiDxe: support SHA256 in CHAPLaszlo Ersek2021-06-302-1/+14
| | | | | | | | | | | | | | | | | | | Insert a SHA256 CHAP_HASH structure at the start of "mChapHash". Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32). This enables the initiator and the target to negotiate SHA256 for CHAP, in preference to MD5. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210629163337.14120-6-lersek@redhat.com>
* NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAPLaszlo Ersek2021-06-304-23/+207
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce the "mChapHash" table, containing the hash algorithms supported for CHAP. Hash algos listed at the beginning of the table are preferred by the initiator. In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the comma-separated, ordered list of algorithm identifiers from "mChapHash". Pre-format this value string at driver startup, in the new function IScsiCHAPInitHashList(). (In IScsiCHAPInitHashList(), also enforce that every hash algo's digest size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the digest, outgoing challenge, and hex *allocations*.) In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash algorithms, and remember the selection for the later steps. For ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the selected hash algo. In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target. If the initiator wants mutual authentication, then generate a challenge with as many bytes as the target's digest will have, in ISCSI_CHAP_STEP_FOUR. In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by the initiator), verify the target's response (digest) with the selected algorithm. Clear the selected hash algorithm before every login (remember that in IScsiDxe, every login is a leading login). There is no peer-observable change from this patch, as it only reworks the current MD5 support into the new internal representation. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20210629163337.14120-5-lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizesLaszlo Ersek2021-06-302-17/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the digest (16) that it solely supports at this point (MD5). ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related buffers (binary buffers and hex encodings alike), and (b) *processing* binary digest buffers (comparing them, filling them, reading them). In preparation for adding other hash algorithms, split purpose (a) from purpose (b). For purpose (a) -- buffer allocation --, introduce ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on MD5_DIGEST_SIZE from <BaseCryptLib.h>. Distinguishing these purposes is justified because purpose (b) -- processing -- must depend on the hashing algorithm negotiated between initiator and target, while for purpose (a) -- allocation --, using the maximum supported digest size is suitable. For now, because only MD5 is supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE. Note that the argument for using the digest size as the size of the outgoing challenge (in case mutual authentication is desired by the initiator) remains in place. Because of this, the above two purposes are distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well. This patch is functionally a no-op, just yet. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210629163337.14120-4-lersek@redhat.com>
* NetworkPkg/IScsiDxe: add horizontal whitespace to IScsiCHAP filesLaszlo Ersek2021-06-302-18/+18
| | | | | | | | | | | | | | | | | In the next patches, we'll need more room for various macro and parameter names. For maintaining the current visual alignments, insert some horizontal whitespace in preparation. "git show -b" produces no output for this patch; the patch introduces no functional changes. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210629163337.14120-3-lersek@redhat.com>
* NetworkPkg/IScsiDxe: re-set session-level authentication state before loginLaszlo Ersek2021-06-301-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC 7143 explains that a single iSCSI session may use multiple TCP connections. The first connection established is called the leading connection. The login performed on the leading connection is called the leading login. Before the session is considered full-featured, the leading login must succeed. Further (non-leading) connections can be associated with the session later. (It's unclear to me from RFC 7143 whether the non-leading connections require individual (non-leading) logins as well, but that particular question is irrelevant from the perspective of this patch; see below.) The data model in IScsiDxe exhibits some confusion, regarding connection / session association: - On one hand, the "ISCSI_SESSION.Conns" field is a *set* (it has type LIST_ENTRY), and accordingly, connections can be added to, and removed from, a session, with the IScsiAttatchConnection() and IScsiDetatchConnection() functions. - On the other hand, ISCSI_MAX_CONNS_PER_SESSION has value 1, therefore no session will ever use more than 1 connection at a time (refer to instances of "Session->MaxConnections" in "NetworkPkg/IScsiDxe/IScsiProto.c"). This one-to-many confusion between ISCSI_SESSION and ISCSI_CONNECTION is very visible in the CHAP logic, where the progress of the authentication is maintained *per connection*, in the "ISCSI_CONNECTION.AuthStep" field (with values such as ISCSI_AUTH_INITIAL, ISCSI_CHAP_STEP_ONE, etc), but the *data* for the authentication are maintained *per session*, in the "AuthType" and "AuthData" fields of ISCSI_SESSION. Clearly, this makes no sense if multiple connections are eligible for logging in. Knowing that IScsiDxe uses only one connection per session (put differently: knowing that any connection is a leading connection, and any login is a leading login), there is no functionality bug. But the data model is still broken: "AuthType", "AuthData", and "AuthStep" should be maintained at the *same* level -- be it "session-level" or "(leading) connection-level". Fixing this data model bug is more than what I'm signing up for. However, I do need to add one function, in preparation for multi-hash support: whenever a new login is attempted (put differently: whenever the leading login is re-attempted), which always happens with a fresh connection, the session-level authentication data needs to be rewound to a sane initial state. Introduce the IScsiSessionResetAuthData() function. Call it from the central -- session-level -- IScsiSessionLogin() function, just before the latter calls the -- connection-level -- IScsiConnLogin() function. Right now, do nothing in IScsiSessionResetAuthData(); so functionally speaking, the patch is a no-op. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210629163337.14120-2-lersek@redhat.com>
* NetworkPkg/IScsiDxe: check IScsiHexToBin() return valuesLaszlo Ersek2021-06-091-6/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target: - CHAP_C, where the target challenges the initiator, - CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication). Accordingly, we have two IScsiHexToBin() call sites: - At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges from the target are acceptable. - At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210608121259.32451-11-lersek@redhat.com>
* NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer overflowLaszlo Ersek2021-06-092-3/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return condition, but never actually checks whether the decoded buffer fits into the caller-provided room (i.e., the input value of "BinLength"), and EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can overflow "BinBuffer". This is remotely exploitable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. This issue allows the target to compromise the initiator. Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, plus actually catch the buffer overflow. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210608121259.32451-10-lersek@redhat.com>
* NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsingLaszlo Ersek2021-06-092-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The IScsiHexToBin() function has the following parser issues: (1) If the *subject sequence* in "HexStr" is empty, the function returns EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should be rejected. (2) The function mis-handles a "HexStr" that ends with a stray nibble. For example, if "HexStr" is "0xABC", the function decodes it to the bytes {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns EFI_SUCCESS. Such inputs should be rejected. (3) If an invalid hex char is found in "HexStr", the function treats it as end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be rejected. All of the above cases are remotely triggerable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. While the initiator is not immediately compromised, incorrectly parsing CHAP_R from the target, in case of mutual authentication, is not great. Extend the interface contract of IScsiHexToBin() with EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement the new checks. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210608121259.32451-9-lersek@redhat.com>
* NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading comment blockLaszlo Ersek2021-06-092-16/+16
| | | | | | | | | | | | | | | | | | We'll need further return values for IScsiHexToBin() in a subsequent patch; make room for them in the leading comment block of the function. While at it, rewrap the comment block to 80 characters width. No functional changes. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210608121259.32451-8-lersek@redhat.com>
* NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always succeedsLaszlo Ersek2021-06-091-12/+15
| | | | | | | | | | | | | | | | | | | | | | | IScsiBinToHex() is called for encoding: - the answer to the target's challenge; that is, CHAP_R; - the challenge for the target, in case mutual authentication is enabled; that is, CHAP_C. The initiator controls the size of both blobs, the sizes of their hex encodings are correctly calculated in "RspLen" and "ChallengeLen". Therefore the IScsiBinToHex() calls never fail; assert that. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210608121259.32451-7-lersek@redhat.com>