public inbox for devel@edk2.groups.io
* [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
@ 2021-10-15  0:54 Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Vineel Kovvuri @ 2021-10-15  0:54 UTC (permalink / raw)
  To: maciej.rabeda, jiewen.yao, jpere, Michael.Turner, sean.brogan,
	bret.barkelew, devel
  Cc: Vineel Kovvuri

The current UEFI implementation of HTTPS, during its TLS configuration, uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
what this flag does is "to disable the match of any wildcards in the host name".
So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them
will fail the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname
validation. Wildcards are supported and they match only in the left-most label."
This behavior/definition comes from OpenSSL's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued
with wildcards in them would fail to match while trying to communicate with an
HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
   //
   HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
   HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
-  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
   HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
   HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
 
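Review bot: the new VerifyHost.Flags default lacks an explanatory comment at the assignment; EFI_TLS_VERIFY_FLAG_NONE reads as if host verification were switched off (the commit message itself calls the name a misnomer), while VerifyMethod stays EFI_TLS_VERIFY_PEER and VerifyHost.HostName stays HttpInstance->RemoteHost, so host name verification remains enforced and the only relaxation is that a wildcard is accepted in the left-most label. Add a one-line comment above the assignment saying exactly that, and state in the commit message that every HttpDxe consumer inherits the new default, since nothing in this hunk lets a platform keep EFI_TLS_VERIFY_FLAG_NO_WILDCARDS.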
-- 
2.17.1
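
Added example, not code from the patch, from edk2 or from OpenSSL: a stand-alone C matcher implementing the two host name policies the commit message contrasts, the NO_WILDCARDS policy (any certificate name containing '*' is rejected) and the default X509_check_host() rule it quotes (one '*' accepted only as the whole left-most label, matching exactly one host label). The VERIFY_FLAG_* names and bit values are assumed stand-ins for the EFI_TLS_VERIFY_FLAG_* constants, and OpenSSL's partial-wildcard handling is deliberately left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two EFI_TLS_VERIFY_FLAG_* values the patch toggles
 * between. The names and bit values here are assumptions for this example,
 * not the constants from the UEFI specification. */
#define VERIFY_FLAG_NONE          0x00u
#define VERIFY_FLAG_NO_WILDCARDS  0x02u

/* Case-insensitive comparison of n bytes of DNS name text. */
static bool name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
            return false;
        }
    }
    return true;
}

/* Decide whether the host name the client connected to (`host`) is covered
 * by a DNS name taken from the server certificate (`pattern`).
 *
 * VERIFY_FLAG_NO_WILDCARDS: a pattern containing '*' never matches, so a
 * certificate for *.dm.corp.net is useless (the pre-patch behaviour).
 * VERIFY_FLAG_NONE: one '*' is accepted only as the entire left-most label,
 * it must be followed by at least two more labels, and it matches exactly
 * one host label, the rule the commit message quotes from X509_check_host(). */
bool host_matches(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern);
    size_t hlen = strlen(host);
    const char *star;
    const char *suffix;
    const char *dot;
    size_t slen;

    if (plen == 0 || hlen == 0) {
        return false;
    }
    star = strchr(pattern, '*');
    if (star == NULL) {
        /* No wildcard: plain case-insensitive equality under either policy. */
        return plen == hlen && name_eq(pattern, host, plen);
    }
    if (flags & VERIFY_FLAG_NO_WILDCARDS) {
        return false;
    }
    /* The wildcard must be the whole first label ("*." prefix), be the only
     * '*' in the pattern, and leave at least two labels after it. */
    if (star != pattern || plen < 2 || pattern[1] != '.') {
        return false;
    }
    if (strchr(pattern + 1, '*') != NULL) {
        return false;
    }
    suffix = pattern + 1;                  /* e.g. ".dm.corp.net" */
    if (strchr(suffix + 1, '.') == NULL) {
        return false;                      /* "*.net" is not acceptable */
    }
    /* The host must consist of exactly one non-empty label plus the suffix. */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host) {
        return false;
    }
    slen = strlen(suffix);
    return (hlen - (size_t)(dot - host)) == slen && name_eq(dot, suffix, slen);
}

int main(void)
{
    /* Constructed inputs: the wildcard name from the commit message and three
     * candidate hosts, checked under both policies. */
    const char *pattern = "*.dm.corp.net";
    const char *hosts[] = { "build.dm.corp.net", "a.b.dm.corp.net", "dm.corp.net" };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-20s NO_WILDCARDS=%d  NONE=%d\n", hosts[i],
               host_matches(pattern, hosts[i], VERIFY_FLAG_NO_WILDCARDS),
               host_matches(pattern, hosts[i], VERIFY_FLAG_NONE));
    }
    return 0;
}
```

Under VERIFY_FLAG_NONE only build.dm.corp.net matches; the sub-subdomain and the bare parent domain are rejected under both policies.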



* Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
@ 2021-10-15  1:11 ` Yao, Jiewen
  2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
  2021-11-02  1:15 ` Wu, Jiaxin
  2 siblings, 0 replies; 9+ messages in thread
From: Yao, Jiewen @ 2021-10-15  1:11 UTC (permalink / raw)
  To: Vineel Kovvuri, Rabeda, Maciej, jpere@microsoft.com,
	Michael.Turner@microsoft.com, sean.brogan@microsoft.com,
	bret.barkelew@microsoft.com, devel@edk2.groups.io
  Cc: Vineel Kovvuri

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

Since this https://bugzilla.tianocore.org/show_bug.cgi?id=3691 (networkpkg) is separated from https://bugzilla.tianocore.org/show_bug.cgi?id=3679 (cryptopkg), I will handle those two separately.
I will only help merge 3679, and I would expect the networkpkg maintainer to handle 3691.

Since this impacts the security policy, after the NetworkPkg maintainer review, I recommend we wait for a longer time (1~2 WW) to see if any other people have comments on this one.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS
> implementation
> 
> The current UEFI implementation of HTTPS, during its TLS configuration, uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the
> spec, what this flag does is "to disable the match of any wildcards in the
> host name". So, certificates which are issued with wildcards (*.dm.corp.net
> etc.) in them will fail the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
> hostname validation. Wildcards are supported and they match only in the
> left-most label."
> This behavior/definition comes from OpenSSL's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> 
> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates
> issued with wildcards in them would fail to match while trying to communicate
> with an HTTPS endpoint.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
@ 2021-10-22 10:32 ` Maciej Rabeda
  2021-11-02  1:15 ` Wu, Jiaxin
  2 siblings, 0 replies; 9+ messages in thread
From: Maciej Rabeda @ 2021-10-22 10:32 UTC (permalink / raw)
  To: devel, vineel.kovvuri, maciej.rabeda, jiewen.yao, jpere,
	Michael.Turner, sean.brogan, bret.barkelew
  Cc: Vineel Kovvuri

Hi Vineel,

I do not have any problems with this patch. Before I merge, I would like 
Jiaxin to look at it, since he has submitted that code.

Thanks,
Maciej

On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS, during its TLS configuration, uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
> what this flag does is "to disable the match of any wildcards in the host name".
> So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them
> will fail the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> This behavior/definition comes from OpenSSL's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with an
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>     //
>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>     HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
>     HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
>   



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
  2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
@ 2021-11-02  1:15 ` Wu, Jiaxin
  2021-11-02 18:57   ` Vineel Kovvuri
  2 siblings, 1 reply; 9+ messages in thread
From: Wu, Jiaxin @ 2021-11-02  1:15 UTC (permalink / raw)
  To: devel@edk2.groups.io, vineel.kovvuri@gmail.com, Rabeda, Maciej,
	Yao, Jiewen, jpere@microsoft.com, Michael.Turner@microsoft.com,
	sean.brogan@microsoft.com, bret.barkelew@microsoft.com
  Cc: Vineel Kovvuri

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2
> HTTPS/TLS implementation
> 
> The current UEFI implementation of HTTPS, during its TLS configuration, uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per
> the spec, what this flag does is "to disable the match of any wildcards in
> the host name". So, certificates which are issued with wildcards
> (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the
> other hand, EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional
> flags set for hostname validation. Wildcards are supported and they match
> only in the left-most label."
> This behavior/definition comes from OpenSSL's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> 
> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates
> issued with wildcards in them would fail to match while trying to
> communicate with an HTTPS endpoint.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-02  1:15 ` Wu, Jiaxin
@ 2021-11-02 18:57   ` Vineel Kovvuri
  2021-11-02 19:54     ` Maciej Rabeda
       [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
  0 siblings, 2 replies; 9+ messages in thread
From: Vineel Kovvuri @ 2021-11-02 18:57 UTC (permalink / raw)
  To: Wu, Jiaxin, devel@edk2.groups.io, vineel.kovvuri@gmail.com,
	Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
	Sean Brogan, Bret Barkelew

Hi Folks,

Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning

Thanks,
Vineel

-----Original Message-----
From: Wu, Jiaxin <jiaxin.wu@intel.com> 
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel 
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen 
> <jiewen.yao@intel.com>; jpere@microsoft.com; 
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com; 
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in 
> EDK2 HTTPS/TLS implementation
> 
> The current UEFI implementation of HTTPS, during its TLS configuration,
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> per the spec, what this flag does is "to disable the match of any wildcards
> in the host name". So, certificates which are issued with
> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
> matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
> hostname validation. Wildcards are supported and they match only in
> the left-most label."
> This behavior/definition comes from OpenSSL's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> 
> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using
> certificates issued with wildcards in them would fail to match while
> trying to communicate with an HTTPS endpoint.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-02 18:57   ` Vineel Kovvuri
@ 2021-11-02 19:54     ` Maciej Rabeda
       [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
  1 sibling, 0 replies; 9+ messages in thread
From: Maciej Rabeda @ 2021-11-02 19:54 UTC (permalink / raw)
  To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
	Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
	Sean Brogan, Bret Barkelew

Hi Vineel,

I will integrate the change to edk2 tomorrow.

For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Thanks,
Maciej

On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me to change the default verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS, during its TLS configuration,
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec, what this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> This behavior/definition comes from OpenSSL's X509_check_host() API:
>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with an HTTPS endpoint.
>>
>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>     //
>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>>     HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NONE;
>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>>     HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
@ 2021-11-02 20:19 Vineel Kovvuri
  0 siblings, 0 replies; 9+ messages in thread
From: Vineel Kovvuri @ 2021-11-02 20:19 UTC (permalink / raw)
  To: Rabeda, Maciej, devel@edk2.groups.io, Wu, Jiaxin, Rabeda, Maciej,
	Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan,
	Bret Barkelew, Vineel Kovvuri


Thanks a lot Maciej. Much appreciated.

________________________________
From: Rabeda, Maciej <maciej.rabeda@linux.intel.com>
Sent: Tuesday, November 2, 2021 12:54 PM
To: devel@edk2.groups.io; vineelko@microsoft.com; Wu, Jiaxin; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

Hi Vineel,

I will integrate the change to edk2 tomorrow.

For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Thanks,
Maciej

On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me to change the default verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS, during its TLS configuration,
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec, what this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> This behavior/definition comes from OpenSSL's X509_check_host() API:
>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with an HTTPS endpoint.
>>
>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>     //
>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>>     HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NONE;
>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>>     HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1




* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
       [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
@ 2021-11-03 21:29       ` Maciej Rabeda
  2021-11-03 21:38         ` Vineel Kovvuri
  0 siblings, 1 reply; 9+ messages in thread
From: Maciej Rabeda @ 2021-11-03 21:29 UTC (permalink / raw)
  To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
	Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
	Sean Brogan, Bret Barkelew

Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name 
matching for HTTP+TLS."

Patch merged.
PR: https://github.com/tianocore/edk2/pull/2168
Commit: 
https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef

On 02-Nov-21 20:54, Maciej Rabeda wrote:
> Hi Vineel,
>
> I will integrate the change to edk2 tomorrow.
>
> For now:
> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>
> Thanks,
> Maciej
>
> On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
>> Hi Folks,
>>
>> Thanks for reviewing the patch. May I know what the next steps are to 
>> get it into edk2?
>> I have already updated the same in 
>> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>>
>> Thanks,
>> Vineel
>>
>> -----Original Message-----
>> From: Wu, Jiaxin <jiaxin.wu@intel.com>
>> Sent: Monday, November 1, 2021 6:15 PM
>> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej 
>> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; 
>> Jancarlo Perez <jpere@microsoft.com>; Mike Turner 
>> <Michael.Turner@microsoft.com>; Sean Brogan 
>> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host 
>> name matching in EDK2 HTTPS/TLS implementation
>>
>> It's good to me to change the default verify flag.
>>
>> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>>
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>>> Kovvuri
>>> Sent: Friday, October 15, 2021 8:55 AM
>>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>>> EDK2 HTTPS/TLS implementation
>>>
>>> The current UEFI implementation of HTTPS, during its TLS configuration,
>>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>>> per the spec, what this flag does is "to disable the match of any wildcards
>>> in the host name". So, certificates which are issued with
>>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>>> matching. On the other hand,
>>> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
>>> hostname validation. Wildcards are supported and they match only in
>>> the left-most label."
>>> This behavior/definition comes from OpenSSL's X509_check_host() API:
>>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>>
>>> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using
>>> certificates issued with wildcards in them would fail to match while
>>> trying to communicate with an HTTPS endpoint.
>>>
>>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>>
>>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>>> ---
>>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> index 7e0bf85c3c..0f28ae9447 100644
>>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>>     //
>>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>>>     HttpInstance->TlsConfigData.VerifyMethod        = 
>>> EFI_TLS_VERIFY_PEER;
>>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>>> EFI_TLS_VERIFY_FLAG_NONE;
>>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>>> RemoteHost;
>>>     HttpInstance->TlsConfigData.SessionState        = 
>>> EfiTlsSessionNotStarted;
>>>
>>> -- 
>>> 2.17.1



* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-03 21:29       ` Maciej Rabeda
@ 2021-11-03 21:38         ` Vineel Kovvuri
  0 siblings, 0 replies; 9+ messages in thread
From: Vineel Kovvuri @ 2021-11-03 21:38 UTC (permalink / raw)
  To: devel, maciej.rabeda
  Cc: Vineel Kovvuri, Wu, Jiaxin, Rabeda, Maciej, Yao, Jiewen,
	Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew


Thanks a lot Maciej for merging the PR.

Thanks,
Vineel


On Wed, Nov 3, 2021 at 2:29 PM Rabeda, Maciej <maciej.rabeda@linux.intel.com>
wrote:

> Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
> matching for HTTP+TLS."
>
> Patch merged.
> PR: https://github.com/tianocore/edk2/pull/2168
> Commit:
>
> https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
>
> On 02-Nov-21 20:54, Maciej Rabeda wrote:
> > Hi Vineel,
> >
> > I will integrate the change to edk2 tomorrow.
> >
> > For now:
> > Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> >
> > Thanks,
> > Maciej
> >
> > On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> >> Hi Folks,
> >>
> >> Thanks for reviewing the patch. May I know what the next steps are to
> >> get it into edk2?
> >> I have already updated the same in
> >> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
> >>
> >> Thanks,
> >> Vineel
> >>
> >> -----Original Message-----
> >> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> >> Sent: Monday, November 1, 2021 6:15 PM
> >> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej
> >> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> >> Jancarlo Perez <jpere@microsoft.com>; Mike Turner
> >> <Michael.Turner@microsoft.com>; Sean Brogan
> >> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> >> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
> >> name matching in EDK2 HTTPS/TLS implementation
> >>
> >> It's good to me to change the default verify flag.
> >>
> >> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
> >>
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> >>> Kovvuri
> >>> Sent: Friday, October 15, 2021 8:55 AM
> >>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> >>> <jiewen.yao@intel.com>; jpere@microsoft.com;
> >>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> >>> bret.barkelew@microsoft.com; devel@edk2.groups.io
> >>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> >>> EDK2 HTTPS/TLS implementation
> >>>
> >>> The current UEFI implementation of HTTPS during its TLS configuration
> >>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> >>> per the spec, what this flag does is "to disable the match of any wildcards
> >>> in the host name". So, certificates which are issued with
> >>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
> >>> matching. On the other hand,
> >>> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
> >>> hostname validation. Wildcards are supported and they match only in
> >>> the left-most label."
> >>> This behavior/definition comes from OpenSSL's X509_check_host()
> >>> API:
> >>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> >>>
> >>> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using
> >>> certificates issued with wildcards in them would fail to match while
> >>> trying to communicate with an HTTPS endpoint.
> >>>
> >>> BugZilla:
> >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> >>>
> >>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> >>> ---
> >>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> >>>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> index 7e0bf85c3c..0f28ae9447 100644
> >>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> @@ -625,7 +625,7 @@ TlsConfigureSession (
> >>>     //
> >>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
> >>>     HttpInstance->TlsConfigData.VerifyMethod        =
> >>> EFI_TLS_VERIFY_PEER;
> >>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> >>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> >>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> >>> EFI_TLS_VERIFY_FLAG_NONE;
> >>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >>>> RemoteHost;
> >>>     HttpInstance->TlsConfigData.SessionState        =
> >>> EfiTlsSessionNotStarted;
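Review bot: the `VerifyHost.Flags` assignment in this hunk is hard-coded inside `TlsConfigureSession`, so switching it from `EFI_TLS_VERIFY_FLAG_NO_WILDCARDS` to `EFI_TLS_VERIFY_FLAG_NONE` broadens the set of accepted certificate names for every HTTP-over-TLS consumer of HttpDxe with no per-platform way to keep the stricter behaviour; if that is the intent, say so in the commit message. Please also add a one-line comment above the assignment stating that `EFI_TLS_VERIFY_FLAG_NONE` still limits a wildcard to the left-most label, because the flag name alone (which the cover letter itself calls a misnomer) does not convey that. `VerifyMethod` stays `EFI_TLS_VERIFY_PEER` in the unchanged context line, so certificate chain validation is unaffected by this change.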
> >>>
> >>> --
> >>> 2.17.1

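The cover letter quoted above relies on one rule for what EFI_TLS_VERIFY_FLAG_NONE accepts: a wildcard matches only in the left-most label. The following is an added illustration, not code from EDK2 or from OpenSSL, of how a matcher with that rule behaves against the kinds of names discussed in the thread (`*.dm.corp.net` against a one-label host, a two-label host, and the bare domain), and how a "no wildcards" mode differs. The `DEMO_*` flag values, the `demo_*` function names and the sample host names are constructed for this example; the refusal of a wildcard that would cover a whole top-level domain (`*.net`) is a conservative choice of the example, not something the thread states.

```c
/*
 * Added example, not code from EDK2 or OpenSSL: a small host-name matcher
 * that illustrates the rule the cover letter cites from X509_check_host():
 * a wildcard is honoured only when it is the whole left-most label, and a
 * "no wildcards" mode makes '*' a literal character.  The DEMO_* flag
 * values, function names and sample names are constructed for this example.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for EFI_TLS_VERIFY_FLAG_NONE and
 * EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; these are not the UEFI definitions. */
#define DEMO_VERIFY_FLAG_NONE         0x00u
#define DEMO_VERIFY_FLAG_NO_WILDCARDS 0x01u

/* Case-insensitive comparison of two byte ranges of equal length n. */
static bool demo_eq_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
            return false;
        }
    }
    return true;
}

/* Returns true when the presented host name matches the certificate name
 * pattern.  Matching is case-insensitive.  With DEMO_VERIFY_FLAG_NO_WILDCARDS
 * only an exact match succeeds; otherwise a pattern of the form "*.rest"
 * matches a host made of exactly one non-empty label followed by ".rest".
 * A '*' anywhere other than the whole left-most label is never special. */
bool demo_host_match(const char *pattern, const char *host, unsigned flags) {
    size_t plen = strlen(pattern);
    size_t hlen = strlen(host);

    /* An exact (case-insensitive) match is accepted under either flag. */
    if (plen == hlen && demo_eq_ci(pattern, host, plen)) {
        return true;
    }
    if (flags & DEMO_VERIFY_FLAG_NO_WILDCARDS) {
        return false;
    }

    /* The wildcard must be the entire first label: "*." followed by a suffix. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.') {
        return false;
    }
    const char *psuffix = pattern + 1;   /* e.g. ".dm.corp.net" */
    size_t slen = plen - 1;

    /* Conservative choice of this example: refuse a wildcard that would cover
     * a whole top-level domain such as "*.net" by requiring at least two
     * labels after the wildcard (two or more dots in the suffix). */
    int dots = 0;
    for (size_t i = 0; i < slen; i++) {
        if (psuffix[i] == '.') {
            dots++;
        }
    }
    if (dots < 2) {
        return false;
    }

    /* The host's first label must be non-empty, and everything after it
     * must equal the pattern suffix exactly, so "a.b.dm.corp.net" and
     * "dm.corp.net" both fail against "*.dm.corp.net". */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host) {
        return false;
    }
    size_t hsuffix_len = hlen - (size_t)(hdot - host);
    return hsuffix_len == slen && demo_eq_ci(hdot, psuffix, slen);
}

/* Constructed sample cases; returns the number of cases whose result differs
 * from the expected value (0 means the matcher behaved as described above). */
int demo_run_cases(void) {
    struct { const char *pattern, *host; unsigned flags; bool expect; } cases[] = {
        { "*.dm.corp.net",    "host.dm.corp.net", DEMO_VERIFY_FLAG_NONE,         true  },
        { "*.dm.corp.net",    "host.dm.corp.net", DEMO_VERIFY_FLAG_NO_WILDCARDS, false },
        { "*.dm.corp.net",    "a.b.dm.corp.net",  DEMO_VERIFY_FLAG_NONE,         false },
        { "*.dm.corp.net",    "dm.corp.net",      DEMO_VERIFY_FLAG_NONE,         false },
        { "host.*.corp.net",  "host.dm.corp.net", DEMO_VERIFY_FLAG_NONE,         false },
        { "host.dm.corp.net", "HOST.dm.corp.net", DEMO_VERIFY_FLAG_NO_WILDCARDS, true  },
        { "*.net",            "corp.net",         DEMO_VERIFY_FLAG_NONE,         false },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool got = demo_host_match(cases[i].pattern, cases[i].host, cases[i].flags);
        printf("%-17s vs %-17s flags=%u -> %s\n", cases[i].pattern, cases[i].host,
               cases[i].flags, got ? "match" : "no match");
        if (got != cases[i].expect) {
            failures++;
        }
    }
    return failures;
}

int main(void) {
    return demo_run_cases() == 0 ? 0 : 1;
}
```

The second and sixth cases are the ones the patch is about: under the old `NO_WILDCARDS` setting a `*.dm.corp.net` certificate never matches `host.dm.corp.net`, while an exact name still does; under the new setting the wildcard certificate matches, but only for hosts that differ from the pattern in exactly that one left-most label. In EDK2 the real flag is selected in `TlsConfigureSession`, as the hunk in the thread shows.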


end of thread, other threads:[~2021-11-03 21:38 UTC | newest]

Thread overview: 9+ messages
2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15  1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02  1:15 ` Wu, Jiaxin
2021-11-02 18:57   ` Vineel Kovvuri
2021-11-02 19:54     ` Maciej Rabeda
     [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29       ` Maciej Rabeda
2021-11-03 21:38         ` Vineel Kovvuri
  -- strict thread matches above, loose matches on Subject: below --
2021-11-02 20:19 Vineel Kovvuri
