* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-10-15 0:54 Vineel Kovvuri
@ 2021-10-22 10:32 ` Maciej Rabeda
2021-11-02 1:15 ` Wu, Jiaxin
1 sibling, 0 replies; 7+ messages in thread
From: Maciej Rabeda @ 2021-10-22 10:32 UTC (permalink / raw)
To: devel, vineel.kovvuri, maciej.rabeda, jiewen.yao, jpere,
Michael.Turner, sean.brogan, bret.barkelew
Cc: Vineel Kovvuri
Hi Vineel,
I do not have any problems with this patch. Before I merge, I would like
Jiaxin to look at it, since he has submitted that code.
Thanks,
Maciej
On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-10-15 0:54 Vineel Kovvuri
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
@ 2021-11-02 1:15 ` Wu, Jiaxin
2021-11-02 18:57 ` Vineel Kovvuri
1 sibling, 1 reply; 7+ messages in thread
From: Wu, Jiaxin @ 2021-11-02 1:15 UTC (permalink / raw)
To: devel@edk2.groups.io, vineel.kovvuri@gmail.com, Rabeda, Maciej,
Yao, Jiewen, jpere@microsoft.com, Michael.Turner@microsoft.com,
sean.brogan@microsoft.com, bret.barkelew@microsoft.com
Cc: Vineel Kovvuri
It's good to me change the default the verify flag.
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2
> HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per
> the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname
> validation. Wildcards are supported and they match only in the left-most
> label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
> issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-02 1:15 ` Wu, Jiaxin
@ 2021-11-02 18:57 ` Vineel Kovvuri
2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
0 siblings, 2 replies; 7+ messages in thread
From: Vineel Kovvuri @ 2021-11-02 18:57 UTC (permalink / raw)
To: Wu, Jiaxin, devel@edk2.groups.io, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Hi Folks,
Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Thanks,
Vineel
-----Original Message-----
From: Wu, Jiaxin <jiaxin.wu@intel.com>
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
It's good to me change the default the verify flag.
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> per the spec this flag does is "to disable the match of any wildcards
> in the host name". So, certificates which are issued with
> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
> matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname validation. Wildcards are supported and they match only in
> the left-most label."
> this behavior/definition is coming from openssl's X509_check_host()
> api
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
> 2Bc6jwBU%3D&reserved=0
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> certificates issued with wildcards in them would fail to match while
> trying to communicate with HTTPS endpoint.
>
> BugZilla:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
> p;reserved=0
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-02 18:57 ` Vineel Kovvuri
@ 2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
1 sibling, 0 replies; 7+ messages in thread
From: Maciej Rabeda @ 2021-11-02 19:54 UTC (permalink / raw)
To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Hi Vineel,
I will integrate the change to edk2 tomorrow.
For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Thanks,
Maciej
On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me change the default the verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS during its TLS configuration
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> this behavior/definition is coming from openssl's X509_check_host()
>> api
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
>> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
>> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
>> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
>> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
>> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
>> 2Bc6jwBU%3D&reserved=0
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with HTTPS endpoint.
>>
>> BugZilla:
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
>> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
>> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
>> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
>> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
>> p;reserved=0
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>> //
>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NONE;
>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1
>>
>>
>>
>>
>>
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
@ 2021-11-02 20:19 Vineel Kovvuri
0 siblings, 0 replies; 7+ messages in thread
From: Vineel Kovvuri @ 2021-11-02 20:19 UTC (permalink / raw)
To: Rabeda, Maciej, devel@edk2.groups.io, Wu, Jiaxin, Rabeda, Maciej,
Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan,
Bret Barkelew, Vineel Kovvuri
[-- Attachment #1: Type: text/plain, Size: 4974 bytes --]
Thanks a lot Maciej. Much appreciated.
________________________________
From: Rabeda, Maciej <maciej.rabeda@linux.intel.com>
Sent: Tuesday, November 2, 2021 12:54 PM
To: devel@edk2.groups.io; vineelko@microsoft.com; Wu, Jiaxin; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Hi Vineel,
I will integrate the change to edk2 tomorrow.
For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Thanks,
Maciej
On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me change the default the verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS during its TLS configuration
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> this behavior/definition is coming from openssl's X509_check_host()
>> api
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
>> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
>> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
>> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
>> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
>> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
>> 2Bc6jwBU%3D&reserved=0
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with HTTPS endpoint.
>>
>> BugZilla:
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
>> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
>> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
>> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
>> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
>> p;reserved=0
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>> //
>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NONE;
>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1
>>
>>
>>
>>
>>
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 7507 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
@ 2021-11-03 21:29 ` Maciej Rabeda
2021-11-03 21:38 ` Vineel Kovvuri
0 siblings, 1 reply; 7+ messages in thread
From: Maciej Rabeda @ 2021-11-03 21:29 UTC (permalink / raw)
To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
matching for HTTP+TLS."
Patch merged.
PR: https://github.com/tianocore/edk2/pull/2168
Commit:
https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
On 02-Nov-21 20:54, Maciej Rabeda wrote:
> Hi Vineel,
>
> I will integrate the change to edk2 tomorrow.
>
> For now:
> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>
> Thanks,
> Maciej
>
> On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
>> Hi Folks,
>>
>> Thanks for reviewing the patch. May I know what are the next steps to
>> get it in to edk2?
>> I have already updated the same in
>> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>>
>> Thanks,
>> Vineel
>>
>> -----Original Message-----
>> From: Wu, Jiaxin <jiaxin.wu@intel.com>
>> Sent: Monday, November 1, 2021 6:15 PM
>> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej
>> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
>> Jancarlo Perez <jpere@microsoft.com>; Mike Turner
>> <Michael.Turner@microsoft.com>; Sean Brogan
>> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
>> name matching in EDK2 HTTPS/TLS implementation
>>
>> It's good to me change the default the verify flag.
>>
>> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>>
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>>> Kovvuri
>>> Sent: Friday, October 15, 2021 8:55 AM
>>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>>> EDK2 HTTPS/TLS implementation
>>>
>>> The current UEFI implementation of HTTPS during its TLS configuration
>>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>>> per the spec this flag does is "to disable the match of any wildcards
>>> in the host name". So, certificates which are issued with
>>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
>>> matching. On the other hand,
>>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
>>> hostname validation. Wildcards are supported and they match only in
>>> the left-most label."
>>> this behavior/definition is coming from openssl's X509_check_host()
>>> api
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
>>> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
>>> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
>>> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
>>> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
>>> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
>>> 2Bc6jwBU%3D&reserved=0
>>>
>>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>>> certificates issued with wildcards in them would fail to match while
>>> trying to communicate with HTTPS endpoint.
>>>
>>> BugZilla:
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
>>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
>>> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
>>> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
>>> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
>>> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
>>> p;reserved=0
>>>
>>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>>> ---
>>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> index 7e0bf85c3c..0f28ae9447 100644
>>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>> //
>>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>>> HttpInstance->TlsConfigData.VerifyMethod =
>>> EFI_TLS_VERIFY_PEER;
>>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>>> EFI_TLS_VERIFY_FLAG_NONE;
>>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>>> RemoteHost;
>>> HttpInstance->TlsConfigData.SessionState =
>>> EfiTlsSessionNotStarted;
>>>
>>> --
>>> 2.17.1
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-03 21:29 ` Maciej Rabeda
@ 2021-11-03 21:38 ` Vineel Kovvuri
0 siblings, 0 replies; 7+ messages in thread
From: Vineel Kovvuri @ 2021-11-03 21:38 UTC (permalink / raw)
To: devel, maciej.rabeda
Cc: Vineel Kovvuri, Wu, Jiaxin, Rabeda, Maciej, Yao, Jiewen,
Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew
[-- Attachment #1: Type: text/plain, Size: 5283 bytes --]
Thanks a lot Maciej for merging the PR.
Thanks,
Vineel
On Wed, Nov 3, 2021 at 2:29 PM Rabeda, Maciej <maciej.rabeda@linux.intel.com>
wrote:
> Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
> matching for HTTP+TLS."
>
> Patch merged.
> PR: https://github.com/tianocore/edk2/pull/2168
> Commit:
>
> https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
>
> On 02-Nov-21 20:54, Maciej Rabeda wrote:
> > Hi Vineel,
> >
> > I will integrate the change to edk2 tomorrow.
> >
> > For now:
> > Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> >
> > Thanks,
> > Maciej
> >
> > On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> >> Hi Folks,
> >>
> >> Thanks for reviewing the patch. May I know what are the next steps to
> >> get it in to edk2?
> >> I have already updated the same in
> >>
> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
> >>
> >> Thanks,
> >> Vineel
> >>
> >> -----Original Message-----
> >> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> >> Sent: Monday, November 1, 2021 6:15 PM
> >> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej
> >> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> >> Jancarlo Perez <jpere@microsoft.com>; Mike Turner
> >> <Michael.Turner@microsoft.com>; Sean Brogan
> >> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com
> >
> >> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
> >> name matching in EDK2 HTTPS/TLS implementation
> >>
> >> It's good to me change the default the verify flag.
> >>
> >> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
> >>
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> >>> Kovvuri
> >>> Sent: Friday, October 15, 2021 8:55 AM
> >>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> >>> <jiewen.yao@intel.com>; jpere@microsoft.com;
> >>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> >>> bret.barkelew@microsoft.com; devel@edk2.groups.io
> >>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> >>> EDK2 HTTPS/TLS implementation
> >>>
> >>> The current UEFI implementation of HTTPS during its TLS configuration
> >>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> >>> per the spec this flag does is "to disable the match of any wildcards
> >>> in the host name". So, certificates which are issued with
> >>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
> >>> matching. On the other hand,
> >>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> >>> hostname validation. Wildcards are supported and they match only in
> >>> the left-most label."
> >>> this behavior/definition is coming from openssl's X509_check_host()
> >>> api
> >>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> >>> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
> >>> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
> >>> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
> >>> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
> >>> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
> >>> 2Bc6jwBU%3D&reserved=0
> >>>
> >>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> >>> certificates issued with wildcards in them would fail to match while
> >>> trying to communicate with HTTPS endpoint.
> >>>
> >>> BugZilla:
> >>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> >>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
> >>> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
> >>> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
> >>> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
> >>> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
> >>> p;reserved=0
> >>>
> >>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> >>> ---
> >>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> index 7e0bf85c3c..0f28ae9447 100644
> >>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> @@ -625,7 +625,7 @@ TlsConfigureSession (
> >>> //
> >>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> >>> HttpInstance->TlsConfigData.VerifyMethod =
> >>> EFI_TLS_VERIFY_PEER;
> >>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> >>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NONE;
> >>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >>>> RemoteHost;
> >>> HttpInstance->TlsConfigData.SessionState =
> >>> EfiTlsSessionNotStarted;
> >>>
> >>> --
> >>> 2.17.1
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
>
>
[-- Attachment #2: Type: text/html, Size: 9666 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-11-03 21:38 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-02 20:19 [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
-- strict thread matches above, loose matches on Subject: below --
2021-10-15 0:54 Vineel Kovvuri
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02 1:15 ` Wu, Jiaxin
2021-11-02 18:57 ` Vineel Kovvuri
2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29 ` Maciej Rabeda
2021-11-03 21:38 ` Vineel Kovvuri
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox