path: root/NetworkPkg
Age | Commit message | Author | Files | Lines
2023-09-08 | NetworkPkg: Increase HTTP buffer size and enable TCP window scaling | Andrei Otcheretianski | 3 files | -25/+27
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4505

This gives something like a ~3-fold throughput boost.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Acked-by: Michael D Kinney <michael.d.kinney@intel.com>

2023-09-08 | MdeModulePkg: Duplicate BaseRngLibTimerLib to MdeModulePkg | Pierre Gondois | 1 file | -2/+2
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504

The BaseRngLibTimerLib allows generating numbers based on a timer. This mechanism allows a basic non-secure implementation for non-production platforms.

To bind and identify Random Number Generator implementations with a GUID, an unsafe GUID should be added. This GUID cannot be added to the MdePkg unless it is also added to a specification. To keep the MdePkg self-contained, copy the BaseRngLibTimerLib to the MdeModulePkg. This will allow defining an unsafe Rng GUID in a later patch in the MdeModulePkg.

The MdePkg implementation will be removed later. This gives platform owners some time to switch to the MdeModulePkg implementation.

Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Kun Qin <kun.qin@microsoft.com>

2023-07-20 | NetworkPkg/HttpDxe: fix driver binding start issue. | devel@edk2.groups.io | 1 file | -2/+11
When a failure happens in HttpDxeStart, the error handling code releases the memory buffer but does not uninstall the HTTP service binding protocol. As a result, an application can still locate this protocol and invoke service binding functions in the released memory pool.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Igor Kulchytskyy <igork@ami.com>
Cc: Nick Ramirez <nramirez@nvidia.com>
Signed-off-by: Nickle Wang <nicklew@nvidia.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Acked-by: Michael D Kinney <michael.d.kinney@intel.com>

2023-06-28 | NetworkPkg: Correct the length of EAP Identity when in ASCII format | devel@edk2.groups.io | 1 file | -4/+17
FIX: https://bugzilla.tianocore.org/show_bug.cgi?id=4477

The TLS connection fails over WiFi in the AMT OCR flow due to an invalid identity. This was due to a missing conversion between the Unicode and ASCII string, which resulted in an invalid strlen.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Zachary Clark-Williams <zachary.clark-williams@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Zachary Clark-Williams <zachary.clark-williams@intel.com>

2023-04-10 | NetworkPkg: Update code to be more C11 compliant by using __func__ | Rebecca Cran | 2 files | -10/+10
__FUNCTION__ is a pre-standard extension that gcc and Visual C++, among others, support, while __func__ was standardized in C99. Since it's more standard, replace __FUNCTION__ with __func__ throughout NetworkPkg.

Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

2023-04-03 | NetworkPkg: Fix conditionally uninitialized variables | Michael Kubacki | 2 files | -1/+4
Fixes CodeQL alerts for CWE-457: https://cwe.mitre.org/data/definitions/457.html

Cc: Erich McMillan <emcmillan@microsoft.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Michael Kubacki <mikuback@linux.microsoft.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Co-authored-by: Erich McMillan <emcmillan@microsoft.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com>

2023-01-10 | NetworkPkg: Add WiFi profile sync protocol support | Zachary Clark-Williams | 8 files | -73/+390
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3845

Enables KVM and One Click Recovery WLAN capability with the WiFi Profile Sync feature and protocol. Adds WiFiProfileSyncProtocol, which supports the profile sync driver operations for transferring WiFi profiles from AMT to the Supplicant. WiFiConnectionManager will check for the WifiProfileSyncProtocol and, if found, will operate on the premise of a One Click Recovery or KVM flow with a WiFi profile provided by AMT.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com>
Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

2022-10-14 | NetworkPkg: Add LoongArch64 architecture. | Chao Li | 1 file | -1/+2
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053

Add the LoongArch64 architecture into NetworkPkg.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>

2022-10-14 | NetworkPkg/HttpBootDxe: Add LOONGARCH64 architecture for EDK2 CI. | Chao Li | 1 file | -0/+3
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053

Add the LOONGARCH architecture for EDK2 CI testing.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

2022-10-14 | NetworkPkg: Add LOONGARCH64 architecture for EDK2 CI. | Chao Li | 1 file | -1/+2
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053

Add the LOONGARCH64 architecture for EDK2 CI testing.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

2022-09-09 | NetworkPkg/TcpDxe: Fix debug macro arguments | Michael Kubacki | 1 file | -10/+2
Removes the Status argument that is not needed from DEBUG macros.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2022-07-19 | NetworkPkg/HttpBootDxe: Add Support for HTTP Boot Basic Authentication | Saloni Kasbekar | 4 files | -4/+130
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2504

Add support for TLS Client Authentication using Basic Authentication for HTTP Boot.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2022-07-01 | NetworkPkg: Add Wi-Fi Wpa3 support in WifiConnectManager | Heng Luo | 6 files | -33/+119
https://bugzilla.tianocore.org/show_bug.cgi?id=3961

Add the following Wpa3 support:
- WPA3-Personal: Ieee80211AkmSuiteSAE = 8
- WPA3-Enterprise: Ieee80211AkmSuite8021XSuiteB = 11, Ieee80211AkmSuite8021XSuiteB192 = 12
- Wi-Fi CERTIFIED Enhanced Open: Ieee80211AkmSuiteOWE = 18

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Heng Luo <heng.luo@intel.com>

2022-05-13 | NetworkPkg: Remove RVCT support | Rebecca Cran | 1 file | -2/+1
RVCT is obsolete and no longer used. Remove support for it.

Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

2022-04-11 | NetworkPkg/HttpDxe: Detect HTTP/1.0 servers | Oliver Steffen | 1 file | -0/+8
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720

Force connection close before the next request if the server identifies as version 1.0.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

2022-04-11 | NetworkPkg/HttpDxe: Detect 'Connection: close' header | Oliver Steffen | 1 file | -0/+11
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720

Force connection close before the next request if the server sends the 'Connection: close' header.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

2022-04-11 | NetworkPkg/HttpDxe: Add ConnectionClose flag for HTTP_PROTOCOL | Oliver Steffen | 2 files | -1/+7
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720

Add a ConnectionClose flag to HTTP_PROTOCOL. This boolean is FALSE by default. If set to TRUE, a reconfigure of the Http instance is forced on the next request. The flag is then reset.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

2022-04-11 | NetworkPkg/HttpDxe: Deconfigure Tcp6 before reconfiguring | Oliver Steffen | 1 file | -0/+12
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720

Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED or HTTP_STATE_TCP_CLOSED, and de-configure the Tcp6 instance before configuring it again.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

2022-04-11 | NetworkPkg/HttpDxe: Deconfigure Tcp4 before reconfiguring | Oliver Steffen | 1 file | -0/+12
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720

Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED or HTTP_STATE_TCP_CLOSED, and de-configure the Tcp4 instance before configuring it again.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

2022-04-11 | NetworkPkg: Add PCDs for HTTP DNS RetryCount and RetryInterval | Heng Luo | 4 files | -0/+26
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3889

Currently the HTTP DNS retry interval is 2 seconds with no retry attempt. If the DNS response can't arrive in 2 seconds, the DNS request fails, and then HTTP boot fails. In order to resolve this issue, add PCDs to support RetryCount and RetryInterval configured in the platform.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Heng Luo <heng.luo@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2022-02-21 | NetworkPkg: Fix incorrect unicode string of the AKM/Cipher Suite (tag: edk2-stable202202) | Heng Luo | 1 file | -4/+12
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3813

The size of the buffer should be 3 CHAR16 for a Null-terminated Unicode string. The first char is the AKM/Cipher Suite number, the second char is ' ', the third char is '\0'.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Heng Luo <heng.luo@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2022-01-29 | NetworkPkg: Add the missing VariablePolicyHelperLib in NetworkPkg.dsc | Liming Gao | 1 file | -0/+1
This change is required by f4b7b473b4afd0093768905529bfae09a2061d41.

Signed-off-by: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>

2021-12-07 | NetworkPkg: Apply uncrustify changes | Michael Kubacki | 294 files | -30386/+29834
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737

Apply uncrustify changes to .c/.h files in the NetworkPkg package.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-12-07 | NetworkPkg: Change complex DEBUG_CODE() to DEBUG_CODE_BEGIN/END() | Michael D Kinney | 3 files | -8/+8
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767

Update use of DEBUG_CODE(Expression) if Expression is a complex code block with if/while/for/case statements that use {}.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-12-07 | NetworkPkg: Change OPTIONAL keyword usage style | Michael D Kinney | 26 files | -50/+45
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760

Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-12-07 | NetworkPkg: Change use of EFI_D_* to DEBUG_* | Michael D Kinney | 42 files | -286/+274
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3739

Update all use of EFI_D_* defines in DEBUG() macros to DEBUG_* defines.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-11-26 | NetworkPkg: Fix invalid pointer for DNS response token on error (tag: edk2-stable202111) | Liming Gao | 1 file | -0/+2
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3719

This issue was introduced by commit 43d7e607. Token->RspData.H2AData is de-allocated on error but is not set to NULL. The HTTP module attempts to free it again and causes an assert.

Signed-off-by: Baraneedharan Anbazhagan <anbazhagan@hp.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>

2021-11-08 | NetworkPkg: Reproduce builds across source format changes | Michael D Kinney | 2 files | -5/+5
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3688

Use DEBUG_LINE_NUMBER instead of __LINE__.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Tested-by: Michael Kubacki <michael.kubacki@microsoft.com>

2021-11-05 | NetworkPkg/NetworkPkg.dsc: Add RngLib mapping for ARM and RISCV64 | Michael D Kinney | 1 file | -0/+6
Fix NetworkPkg build breaks for ARM and RISCV64 by adding the RngLib mapping.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@hpe.com>
Cc: Daniel Schaefer <daniel.schaefer@hpe.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Daniel Schaefer <daniel.schaefer@hpe.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Acked-by: Abner Chang <abner.chang@hpe.com>

2021-11-03 | NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS. | Vineel Kovvuri | 1 file | -1/+1
The current UEFI implementation of HTTPS, during its TLS configuration, uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, what this flag does is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching.

On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." This behavior/definition comes from openssl's X509_check_host() API: https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-10-22 | NetworkPkg/HttpBootDxe: make file extension check case-insensitive | Lin, Gary (HPS OE-Linux) | 1 file | -3/+3
https://bugzilla.tianocore.org/show_bug.cgi?id=3694

HttpBootCheckImageType() was using the case-sensitive AsciiStrCmp() to check the file extensions, and this could reject images with upper-case file names. Use the case-insensitive AsciiStriCmp() to avoid the issue.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Gary Lin <gary.lin@hpe.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-07-28 | NetworkPkg: Add HTTP Additional Event Notifications | Heng Luo | 7 files | -2/+163
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3496

Add a new EDKII_HTTP_CALLBACK_PROTOCOL in NetworkPkg, and send HTTP events via EDKII_HTTP_CALLBACK_PROTOCOL when Dns/ConnectTcp/TlsConnectSession/InitSession occurs.

Signed-off-by: Heng Luo <heng.luo@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

2021-07-28 | NetworkPkg: Making the HTTP IO timeout value programmable with PCD | Zachary Clark-Williams | 9 files | -21/+43
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3507

HTTP boot has a default forced timeout value of 5 seconds for getting the recovery image from a remote source. This change allows the HTTP boot flow to get the IO timeout value from PcdHttpIoTimeout. The PcdHttpIoTimeout value is set in platform code.

Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

2021-06-30 | NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro | Laszlo Ersek | 3 files | -1/+23
Introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro for NetworkPkg. When explicitly set to FALSE, remove MD5 from IScsiDxe's CHAP algorithm list.

Set NETWORK_ISCSI_MD5_ENABLE to TRUE by default, for compatibility reasons. Not just to minimize the disruption for platforms that currently include IScsiDxe, but also because RFC 7143 mandates MD5 for CHAP, and some vendors' iSCSI targets support MD5 only.

With MD5 enabled, IScsiDxe will suggest SHA256, and then fall back to MD5 if the target requests it. With MD5 disabled, IScsiDxe will suggest SHA256, and break off the connection (and session) if the target doesn't support SHA256.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210629163337.14120-7-lersek@redhat.com>

2021-06-30 | NetworkPkg/IScsiDxe: support SHA256 in CHAP | Laszlo Ersek | 2 files | -1/+14
Insert a SHA256 CHAP_HASH structure at the start of "mChapHash". Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32).

This enables the initiator and the target to negotiate SHA256 for CHAP, in preference to MD5.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-6-lersek@redhat.com>

2021-06-30 | NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP | Laszlo Ersek | 4 files | -23/+207
Introduce the "mChapHash" table, containing the hash algorithms supported for CHAP. Hash algos listed at the beginning of the table are preferred by the initiator.

In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the comma-separated, ordered list of algorithm identifiers from "mChapHash". Pre-format this value string at driver startup, in the new function IScsiCHAPInitHashList().

(In IScsiCHAPInitHashList(), also enforce that every hash algo's digest size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the digest, outgoing challenge, and hex *allocations*.)

In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash algorithms, and remember the selection for the later steps.

For ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the selected hash algo. In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target.

If the initiator wants mutual authentication, then generate a challenge with as many bytes as the target's digest will have, in ISCSI_CHAP_STEP_FOUR.

In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by the initiator), verify the target's response (digest) with the selected algorithm.

Clear the selected hash algorithm before every login (remember that in IScsiDxe, every login is a leading login).

There is no peer-observable change from this patch, as it only reworks the current MD5 support into the new internal representation.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210629163337.14120-5-lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2021-06-30 | NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes | Laszlo Ersek | 2 files | -17/+22
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the digest (16) that it solely supports at this point (MD5). ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related buffers (binary buffers and hex encodings alike), and (b) *processing* binary digest buffers (comparing them, filling them, reading them).

In preparation for adding other hash algorithms, split purpose (a) from purpose (b). For purpose (a) -- buffer allocation --, introduce ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on MD5_DIGEST_SIZE from <BaseCryptLib.h>.

Distinguishing these purposes is justified because purpose (b) -- processing -- must depend on the hashing algorithm negotiated between initiator and target, while for purpose (a) -- allocation --, using the maximum supported digest size is suitable.

For now, because only MD5 is supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.

Note that the argument for using the digest size as the size of the outgoing challenge (in case mutual authentication is desired by the initiator) remains in place. Because of this, the above two purposes are distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.

This patch is functionally a no-op, just yet.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>

2021-06-30 | NetworkPkg/IScsiDxe: add horizontal whitespace to IScsiCHAP files | Laszlo Ersek | 2 files | -18/+18
In the next patches, we'll need more room for various macro and parameter names. For maintaining the current visual alignments, insert some horizontal whitespace in preparation.

"git show -b" produces no output for this patch; the patch introduces no functional changes.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-3-lersek@redhat.com>

2021-06-30 | NetworkPkg/IScsiDxe: re-set session-level authentication state before login | Laszlo Ersek | 1 file | -0/+18
RFC 7143 explains that a single iSCSI session may use multiple TCP connections. The first connection established is called the leading connection. The login performed on the leading connection is called the leading login. Before the session is considered full-featured, the leading login must succeed. Further (non-leading) connections can be associated with the session later. (It's unclear to me from RFC 7143 whether the non-leading connections require individual (non-leading) logins as well, but that particular question is irrelevant from the perspective of this patch; see below.)

The data model in IScsiDxe exhibits some confusion, regarding connection / session association:

- On one hand, the "ISCSI_SESSION.Conns" field is a *set* (it has type LIST_ENTRY), and accordingly, connections can be added to, and removed from, a session, with the IScsiAttatchConnection() and IScsiDetatchConnection() functions.

- On the other hand, ISCSI_MAX_CONNS_PER_SESSION has value 1, therefore no session will ever use more than 1 connection at a time (refer to instances of "Session->MaxConnections" in "NetworkPkg/IScsiDxe/IScsiProto.c").

This one-to-many confusion between ISCSI_SESSION and ISCSI_CONNECTION is very visible in the CHAP logic, where the progress of the authentication is maintained *per connection*, in the "ISCSI_CONNECTION.AuthStep" field (with values such as ISCSI_AUTH_INITIAL, ISCSI_CHAP_STEP_ONE, etc), but the *data* for the authentication are maintained *per session*, in the "AuthType" and "AuthData" fields of ISCSI_SESSION.

Clearly, this makes no sense if multiple connections are eligible for logging in. Knowing that IScsiDxe uses only one connection per session (put differently: knowing that any connection is a leading connection, and any login is a leading login), there is no functionality bug. But the data model is still broken: "AuthType", "AuthData", and "AuthStep" should be maintained at the *same* level -- be it "session-level" or "(leading) connection-level".

Fixing this data model bug is more than what I'm signing up for. However, I do need to add one function, in preparation for multi-hash support: whenever a new login is attempted (put differently: whenever the leading login is re-attempted), which always happens with a fresh connection, the session-level authentication data needs to be rewound to a sane initial state.

Introduce the IScsiSessionResetAuthData() function. Call it from the central -- session-level -- IScsiSessionLogin() function, just before the latter calls the -- connection-level -- IScsiConnLogin() function.

Right now, do nothing in IScsiSessionResetAuthData(); so functionally speaking, the patch is a no-op.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210629163337.14120-2-lersek@redhat.com>

2021-06-09 | NetworkPkg/IScsiDxe: check IScsiHexToBin() return values | Laszlo Ersek | 1 file | -6/+14
IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target:

- CHAP_C, where the target challenges the initiator,

- CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication).

Accordingly, we have two IScsiHexToBin() call sites:

- At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges from the target are acceptable.

- At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-11-lersek@redhat.com>

2021-06-09 | NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer overflow | Laszlo Ersek | 2 files | -3/+20
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return condition, but never actually checks whether the decoded buffer fits into the caller-provided room (i.e., the input value of "BinLength"), and EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can overflow "BinBuffer".

This is remotely exploitable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. This issue allows the target to compromise the initiator.

Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, plus actually catch the buffer overflow.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-10-lersek@redhat.com>

2021-06-09 | NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing | Laszlo Ersek | 2 files | -2/+11
The IScsiHexToBin() function has the following parser issues:

(1) If the *subject sequence* in "HexStr" is empty, the function returns EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should be rejected.

(2) The function mis-handles a "HexStr" that ends with a stray nibble. For example, if "HexStr" is "0xABC", the function decodes it to the bytes {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns EFI_SUCCESS. Such inputs should be rejected.

(3) If an invalid hex char is found in "HexStr", the function treats it as end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be rejected.

All of the above cases are remotely triggerable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. While the initiator is not immediately compromised, incorrectly parsing CHAP_R from the target, in case of mutual authentication, is not great.

Extend the interface contract of IScsiHexToBin() with EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement the new checks.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-9-lersek@redhat.com>

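An added example, not IScsiDxe's own code, of a hex decoder with the contract that the three IScsiHexToBin() patches above describe (the buffer-overflow fix, the parser fix, and the call-site checks): it rejects an empty subject sequence, a stray trailing nibble and non-hex characters, checks the caller's room before writing a single byte, and shows the CHAP_R-style call site that demands an exact digest length. Function names and the status enum standing in for EFI_STATUS are assumptions; the driver's split between EFI_BUFFER_TOO_SMALL and EFI_BAD_BUFFER_SIZE is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes for this example (assumed; not the EFI_STATUS values IScsiDxe uses). */
typedef enum {
  DEMO_SUCCESS = 0,
  DEMO_INVALID_PARAMETER,  /* empty subject, stray nibble, or non-hex character */
  DEMO_BUFFER_TOO_SMALL    /* decoded bytes would not fit the caller's buffer  */
} DEMO_STATUS;

/* Value of one hex digit, or -1 if Ch is not a hex digit. */
static int HexDigitValue(char Ch) {
  if (Ch >= '0' && Ch <= '9') return Ch - '0';
  if (Ch >= 'a' && Ch <= 'f') return Ch - 'a' + 10;
  if (Ch >= 'A' && Ch <= 'F') return Ch - 'A' + 10;
  return -1;
}

/*
 * Decode a hex string (optional "0x"/"0X" prefix) into BinBuffer.
 * On input *BinLength is the room available; on output it is the number of
 * bytes written (or, on DEMO_BUFFER_TOO_SMALL, the room that would be needed).
 * Every rejection happens before any byte is written, so a malformed value
 * from the peer never leaves a partially filled buffer behind.
 */
DEMO_STATUS DemoHexToBin(const char *HexStr, uint8_t *BinBuffer, uint32_t *BinLength) {
  size_t Len, Index;

  if (HexStr == NULL || BinBuffer == NULL || BinLength == NULL) {
    return DEMO_INVALID_PARAMETER;
  }
  if (HexStr[0] == '0' && (HexStr[1] == 'x' || HexStr[1] == 'X')) {
    HexStr += 2;
  }
  Len = strlen(HexStr);

  /* (1) empty subject sequence, (2) stray trailing nibble such as "0xABC",
   * which the unfixed parser decoded to {0xAB, 0x0C} */
  if (Len == 0 || (Len % 2) != 0) {
    return DEMO_INVALID_PARAMETER;
  }
  /* (3) a non-hex character anywhere is an error, not end-of-string */
  for (Index = 0; Index < Len; Index++) {
    if (HexDigitValue(HexStr[Index]) < 0) {
      return DEMO_INVALID_PARAMETER;
    }
  }
  /* The decoded length is compared with the caller's room BEFORE writing;
   * this is the check the unfixed IScsiHexToBin() documented but never did. */
  if (Len / 2 > *BinLength) {
    *BinLength = (uint32_t)(Len / 2);
    return DEMO_BUFFER_TOO_SMALL;
  }
  for (Index = 0; Index < Len; Index += 2) {
    BinBuffer[Index / 2] = (uint8_t)((HexDigitValue(HexStr[Index]) << 4) |
                                     HexDigitValue(HexStr[Index + 1]));
  }
  *BinLength = (uint32_t)(Len / 2);
  return DEMO_SUCCESS;
}

/*
 * Call-site pattern for a CHAP_R-style value: the peer's digest must decode
 * to exactly DigestSize bytes, otherwise it is not handed to verification.
 * Returns 1 when TargetRsp is fully populated, 0 otherwise.
 */
int DemoDecodeFixedSizeDigest(const char *HexStr, uint8_t *TargetRsp, uint32_t DigestSize) {
  uint32_t Got = DigestSize;
  if (DemoHexToBin(HexStr, TargetRsp, &Got) != DEMO_SUCCESS) {
    return 0;
  }
  return Got == DigestSize;
}
```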
2021-06-09  NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading comment block  Laszlo Ersek  Files: 2  Lines: -16/+16

We'll need further return values for IScsiHexToBin() in a subsequent patch; make room for them in the leading comment block of the function. While at it, rewrap the comment block to 80 characters width.

No functional changes.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-8-lersek@redhat.com>
2021-06-09  NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always succeeds  Laszlo Ersek  Files: 1  Lines: -12/+15

IScsiBinToHex() is called for encoding:

- the answer to the target's challenge; that is, CHAP_R;

- the challenge for the target, in case mutual authentication is enabled; that is, CHAP_C.

The initiator controls the size of both blobs; the sizes of their hex encodings are correctly calculated in "RspLen" and "ChallengeLen". Therefore the IScsiBinToHex() calls never fail; assert that.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-7-lersek@redhat.com>
2021-06-09  NetworkPkg/IScsiDxe: fix potential integer overflow in IScsiBinToHex()  Laszlo Ersek  Files: 4  Lines: -4/+18

Considering IScsiBinToHex():

> if (((*HexLength) - 3) < BinLength * 2) {
>   *HexLength = BinLength * 2 + 3;
> }

the following subexpressions are problematic:

  (*HexLength) - 3
  BinLength * 2
  BinLength * 2 + 3

The first one may wrap under zero, the latter two may wrap over MAX_UINT32.

Rewrite the calculation using SafeIntLib.

While at it, change the type of the "Index" variable from UINTN to UINT32. The largest "Index"-based value that we calculate is

  Index * 2 + 2 (with (Index == BinLength))

Because the patch makes

  BinLength * 2 + 3

safe to calculate in UINT32, using UINT32 for

  Index * 2 + 2 (with (Index == BinLength))

is safe too. Consistently using UINT32 improves readability.

This patch is best reviewed with "git show -W".

The integer overflows that this patch fixes are theoretical; a subsequent patch in the series will audit the IScsiBinToHex() call sites, and show that none of them can fail.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-6-lersek@redhat.com>
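As an added illustration of the wrap-around described in this commit message (example code, not IScsiDxe's own), the unsafe room check is placed beside a form that fails closed; the explicit bound check stands in for SafeIntLib, and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Room a hex encoding of BinLength bytes needs ("0x", two chars per byte,
 * NUL), i.e. the BinLength * 2 + 3 the quoted code stores in *HexLength.
 * Returns false instead of wrapping when that value exceeds UINT32_MAX;
 * the bound check here plays the role of SafeIntLib's checked arithmetic. */
bool HexEncodedSize(uint32_t BinLength, uint32_t *Required) {
  if (BinLength > (UINT32_MAX - 3) / 2)   /* BinLength * 2 + 3 would wrap */
    return false;
  *Required = BinLength * 2 + 3;
  return true;
}

/* The check as quoted in the commit message, with unsigned wrap-around:
 * (HexLength - 3) wraps under zero when HexLength < 3, and BinLength * 2
 * wraps over UINT32_MAX for BinLength >= 0x80000000, so either can make an
 * undersized buffer look big enough. */
bool FitsUnsafe(uint32_t HexLength, uint32_t BinLength) {
  return !((HexLength - 3) < BinLength * 2);
}

/* Same question, answered with the overflow-checked size: an undersized
 * room and an un-representable size both yield false. */
bool FitsSafe(uint32_t HexLength, uint32_t BinLength) {
  uint32_t Required;
  if (!HexEncodedSize(BinLength, &Required))
    return false;
  return HexLength >= Required;
}
```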
2021-06-09  NetworkPkg/IScsiDxe: clean up library class dependencies  Laszlo Ersek  Files: 2  Lines: -12/+11

Sort the library class dependencies in the #include directives and in the INF file.

Remove the DpcLib class from the #include directives -- it is not listed in the INF file, and IScsiDxe doesn't call either DpcLib API (QueueDpc(), DispatchDpc()).

No functional changes.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-5-lersek@redhat.com>
2021-06-09  NetworkPkg/IScsiDxe: clean up "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"  Laszlo Ersek  Files: 2  Lines: -5/+7

The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used in the array.

Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused) ISCSI_CHAP_AUTH_MAX_LEN macro. Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is superfluous too.

Most importantly, explain in a new comment *why* tying the challenge size to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge length to the hash digest size", 2019-11-06.) For sure, the motivation that the new comment now explains has always been there, and has always been the same, for IScsiDxe; it's just that now we spell it out too.

No change in peer-visible behavior.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-4-lersek@redhat.com>
2021-06-09  NetworkPkg/IScsiDxe: simplify "ISCSI_CHAP_AUTH_DATA.InChallenge" size  Laszlo Ersek  Files: 2  Lines: -2/+2

The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024. The usage of this macro currently involves a semantic (not functional) bug, which we're going to fix in a subsequent patch, eliminating ISCSI_CHAP_AUTH_MAX_LEN altogether.

For now, remove the macro's usage from all "ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without duplicating open-coded constants.

No changes in functionality.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-3-lersek@redhat.com>
2021-06-09  NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80 characters  Laszlo Ersek  Files: 2  Lines: -22/+71

Working with overlong lines is difficult for me; rewrap the CHAP-related source files in IScsiDxe to 80 characters width.

No functional changes.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-2-lersek@redhat.com>
2021-03-31  NetworkPkg: Consume MdeLibs.dsc.inc for RegisterFilterLib  Dandan Bi  Files: 1  Lines: -1/+3

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3246

MdeLibs.dsc.inc was added for some basic/default library instances provided by MdePkg and RegisterFilterLibNull Library was also added into it as the first version of MdeLibs.dsc.inc.

So update platform dsc to consume MdeLibs.dsc.inc for RegisterFilterLibNull which will be consumed by IoLib and BaseLib.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>