From: Vineel Kovvuri
To: maciej.rabeda@intel.com, jiewen.yao@intel.com, jpere@microsoft.com, Michael.Turner@microsoft.com, sean.brogan@microsoft.com, bret.barkelew@microsoft.com, devel@edk2.groups.io
Cc: Vineel Kovvuri
Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Thu, 14 Oct 2021 17:54:50 -0700
Message-Id: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com>
X-Mailer: git-send-email 2.17.1

The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, what this flag does is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." This behavior/definition comes from OpenSSL's X509_check_host() API: https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri
---
 NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession ( // HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost; HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; -- 2.17.1
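Review bot: the new `HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;` line needs an inline comment, because the flag name reads as "no host verification" while, per the commit message, it means the default X509_check_host() behaviour (wildcards accepted, left-most label only) with VerifyMethod still EFI_TLS_VERIFY_PEER and VerifyHost.HostName still set to RemoteHost. Something like `// EFI_TLS_VERIFY_FLAG_NONE: default host name matching; a wildcard is honoured only in the left-most label` above the assignment would stop the next reader from "fixing" it back. It is also worth stating in the commit message that this widens the set of certificates HttpDxe accepts for a given RemoteHost for every consumer of the driver (a *.dm.corp.net certificate now matches any single-label host under dm.corp.net), since that is the intended, security-relevant effect of the one-line change.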
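To make the two flag values concrete, here is an added model of the host name rules the commit message cites (the X509_check_host() defaults versus the no-wildcards mode); it is constructed for this note and is not EDK2 or OpenSSL code. It is deliberately simplified: only a whole-label `*` in the left-most label is honoured, and IDNA and partial-wildcard corner cases are not modelled.

```python
import re

# Constructed model of the matching rules the patch switches between:
#   EFI_TLS_VERIFY_FLAG_NO_WILDCARDS -> '*' is just a literal character
#   EFI_TLS_VERIFY_FLAG_NONE         -> wildcard honoured, left-most label only
# Not OpenSSL's or EDK2's implementation.

_LABEL_PART = re.compile(r"[A-Za-z0-9-]+")


def _wildcard_is_valid(pattern: str) -> bool:
    """Accept a single '*' only as the entire left-most label, followed by
    at least two more labels ('*.dm.corp.net' is fine, '*.net' is not)."""
    labels = pattern.split(".")
    if pattern.count("*") != 1 or labels[0] != "*":
        return False
    return len(labels) >= 3 and all(labels[1:])


def check_host(pattern: str, hostname: str, no_wildcards: bool = False) -> bool:
    """Return True if certificate name `pattern` matches `hostname`."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if no_wildcards or "*" not in pattern:
        # Literal comparison: '*.dm.corp.net' can only match a host that is
        # literally called '*.dm.corp.net', which is why the old flag failed.
        return pattern == hostname
    if not _wildcard_is_valid(pattern):
        return False
    suffix = pattern[1:]                      # e.g. ".dm.corp.net"
    if not hostname.endswith(suffix):
        return False
    matched = hostname[: len(hostname) - len(suffix)]
    # The star must absorb one or more characters of exactly one label, so
    # 'a.b.dm.corp.net' is rejected: the matched part would contain a dot.
    return _LABEL_PART.fullmatch(matched) is not None


def compare_flags(pattern: str, hostname: str) -> dict:
    """Result of the same pair under the old and the new HttpDxe setting."""
    return {
        "EFI_TLS_VERIFY_FLAG_NO_WILDCARDS": check_host(pattern, hostname, True),
        "EFI_TLS_VERIFY_FLAG_NONE": check_host(pattern, hostname, False),
    }


if __name__ == "__main__":
    for host in ("host.dm.corp.net", "a.b.dm.corp.net", "dm.corp.net"):
        print(host, compare_flags("*.dm.corp.net", host))
```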