* [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
@ 2021-10-15 0:54 Vineel Kovvuri
2021-10-15 1:11 ` Yao, Jiewen
From: Vineel Kovvuri @ 2021-10-15 0:54 UTC (permalink / raw)
To: maciej.rabeda, jiewen.yao, jpere, Michael.Turner, sean.brogan,
bret.barkelew, devel
Cc: Vineel Kovvuri
The current UEFI implementation of HTTPS during its TLS configuration uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
what this flag does is "to disable the match of any wildcards in the host name". So,
certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail
the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname
validation. Wildcards are supported and they match only in the left-most label."
This behavior/definition comes from OpenSSL's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued
with wildcards in them would fail to match while trying to communicate with an
HTTPS endpoint.
BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
//
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
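Review bot: the `VerifyHost.Flags` assignment swaps one hard-coded policy for another, with nothing at the call site recording why wildcard matching is now acceptable or what EFI_TLS_VERIFY_FLAG_NONE actually permits. Suggest a comment above the `+` line citing BZ 3691 and stating that, per the X509_check_host semantics the commit message relies on, a wildcard still matches only in the left-most label, so a `*.dm.corp.net` certificate covers `host.dm.corp.net` but not `a.b.dm.corp.net`. Since this relaxes the default verification policy for every consumer of HttpDxe, also consider exposing the flag through a platform-settable value instead of a literal, so integrators that need the stricter `EFI_TLS_VERIFY_FLAG_NO_WILDCARDS` behavior can keep it.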
--
2.17.1
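The two policies the patch switches between, modelled as an added example in C (this is not EDK2 or OpenSSL code). The names HOST_VERIFY_FLAG_NONE, HOST_VERIFY_FLAG_NO_WILDCARDS and match_hostname are stand-ins assumed for the example, in place of the EFI_TLS_VERIFY_FLAG_* values and the TLS driver's verifier, and the host names are constructed around the *.dm.corp.net case from the commit message. The model honours a '*' only when it is the entire left-most label with at least two labels after it, matching exactly one host label; it omits OpenSSL's default acceptance of partial-label wildcards such as www*.example.com.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the EFI_TLS_VERIFY_FLAG_* values (names assumed for this example). */
#define HOST_VERIFY_FLAG_NONE          0u
#define HOST_VERIFY_FLAG_NO_WILDCARDS  1u

/* Case-insensitive equality of two NUL-terminated DNS names. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels; 0 if the name is empty or has an empty label. */
static size_t count_labels(const char *name)
{
    size_t n = 0;
    if (*name == '\0')
        return 0;
    for (;;) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0)
            return 0;
        n++;
        if (dot == NULL)
            return n;
        name = dot + 1;
    }
}

/*
 * Does the certificate name `pattern` cover `host` under `flags`?
 * Left-most-label rule: a '*' is honoured only when it is the entire first
 * label and at least two labels follow it, and it then matches exactly one
 * label of the host.  Under HOST_VERIFY_FLAG_NO_WILDCARDS the '*' is compared
 * literally, which no real host name can satisfy: that is the pre-patch bug.
 */
bool match_hostname(const char *pattern, const char *host, unsigned flags)
{
    size_t plabels = count_labels(pattern);
    size_t hlabels = count_labels(host);
    if (plabels == 0 || hlabels == 0 || strchr(host, '*') != NULL)
        return false;

    const char *star = strchr(pattern, '*');
    if (star != NULL && !(flags & HOST_VERIFY_FLAG_NO_WILDCARDS)) {
        /* Reject "host.*.corp.net", "www*.corp.net", "*.net" and "*.a.*.net". */
        if (star != pattern || pattern[1] != '.' || plabels < 3 ||
            strchr(pattern + 1, '*') != NULL)
            return false;
        if (hlabels != plabels)          /* '*' spans exactly one label */
            return false;
        const char *hdot = strchr(host, '.');   /* non-NULL: hlabels >= 3 */
        return name_eq(pattern + 2, hdot + 1);
    }

    /* No wildcard (or wildcards disabled): the names must match literally. */
    return name_eq(pattern, host);
}

int main(void)
{
    /* Constructed cases mirroring the commit message's *.dm.corp.net example. */
    struct { const char *cert; const char *host; unsigned flags; } cases[] = {
        { "*.dm.corp.net",    "host.dm.corp.net", HOST_VERIFY_FLAG_NO_WILDCARDS },
        { "*.dm.corp.net",    "host.dm.corp.net", HOST_VERIFY_FLAG_NONE },
        { "*.dm.corp.net",    "a.b.dm.corp.net",  HOST_VERIFY_FLAG_NONE },
        { "*.dm.corp.net",    "dm.corp.net",      HOST_VERIFY_FLAG_NONE },
        { "host.*.corp.net",  "host.dm.corp.net", HOST_VERIFY_FLAG_NONE },
        { "*.net",            "corp.net",         HOST_VERIFY_FLAG_NONE },
        { "host.dm.corp.net", "HOST.dm.corp.net", HOST_VERIFY_FLAG_NO_WILDCARDS },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-18s flags=%u -> %s\n", cases[i].cert, cases[i].host,
               cases[i].flags,
               match_hostname(cases[i].cert, cases[i].host, cases[i].flags)
                   ? "match" : "no match");
    return 0;
}
```

The first two rows are the patch in miniature: the same wildcard certificate against the same host fails under the no-wildcards policy and matches once wildcards are honoured, while the remaining rows show what the left-most-label rule still refuses (multi-label expansion, a bare apex, a wildcard in the middle, a wildcard over a public suffix).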
* Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-10-15 0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
@ 2021-10-15 1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02 1:15 ` Wu, Jiaxin
From: Yao, Jiewen @ 2021-10-15 1:11 UTC (permalink / raw)
To: Vineel Kovvuri, Rabeda, Maciej, jpere@microsoft.com,
Michael.Turner@microsoft.com, sean.brogan@microsoft.com,
bret.barkelew@microsoft.com, devel@edk2.groups.io
Cc: Vineel Kovvuri
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Since this https://bugzilla.tianocore.org/show_bug.cgi?id=3691 (NetworkPkg) is separated from https://bugzilla.tianocore.org/show_bug.cgi?id=3679 (CryptoPkg), I will handle those two separately.
I will only help merge 3679, and I would expect the NetworkPkg maintainer to handle 3691.
Since this impacts the security policy, after NetworkPkg maintainer review, I recommend we wait a longer time (1~2 WW) to see if anyone else has comments on this one.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS
> implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the
> spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname
> validation. Wildcards are supported and they match only in the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
> issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-10-15 0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15 1:11 ` Yao, Jiewen
@ 2021-10-22 10:32 ` Maciej Rabeda
2021-11-02 1:15 ` Wu, Jiaxin
From: Maciej Rabeda @ 2021-10-22 10:32 UTC (permalink / raw)
To: devel, vineel.kovvuri, maciej.rabeda, jiewen.yao, jpere,
Michael.Turner, sean.brogan, bret.barkelew
Cc: Vineel Kovvuri
Hi Vineel,
I do not have any problems with this patch. Before I merge, I would like
Jiaxin to look at it, since he has submitted that code.
Thanks,
Maciej
On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-10-15 0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15 1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
@ 2021-11-02 1:15 ` Wu, Jiaxin
2021-11-02 18:57 ` Vineel Kovvuri
From: Wu, Jiaxin @ 2021-11-02 1:15 UTC (permalink / raw)
To: devel@edk2.groups.io, vineel.kovvuri@gmail.com, Rabeda, Maciej,
Yao, Jiewen, jpere@microsoft.com, Michael.Turner@microsoft.com,
sean.brogan@microsoft.com, bret.barkelew@microsoft.com
Cc: Vineel Kovvuri
It's good to me to change the default verify flag.
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2
> HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per
> the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname
> validation. Wildcards are supported and they match only in the left-most
> label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
> issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-02 1:15 ` Wu, Jiaxin
@ 2021-11-02 18:57 ` Vineel Kovvuri
2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
From: Vineel Kovvuri @ 2021-11-02 18:57 UTC (permalink / raw)
To: Wu, Jiaxin, devel@edk2.groups.io, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Hi Folks,
Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Thanks,
Vineel
-----Original Message-----
From: Wu, Jiaxin <jiaxin.wu@intel.com>
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
It's good to me to change the default verify flag.
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> per the spec this flag does is "to disable the match of any wildcards
> in the host name". So, certificates which are issued with
> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
> matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname validation. Wildcards are supported and they match only in
> the left-most label."
> this behavior/definition is coming from openssl's X509_check_host()
> api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> certificates issued with wildcards in them would fail to match while
> trying to communicate with HTTPS endpoint.
>
> BugZilla:
> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-02 18:57 ` Vineel Kovvuri
@ 2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
From: Maciej Rabeda @ 2021-11-02 19:54 UTC (permalink / raw)
To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Hi Vineel,
I will integrate the change to edk2 tomorrow.
For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Thanks,
Maciej
On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me change the default the verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS during its TLS configuration
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> this behavior/definition is coming from openssl's X509_check_host()
>> api
>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with HTTPS endpoint.
>>
>> BugZilla:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>> //
>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NONE;
>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
@ 2021-11-03 21:29 ` Maciej Rabeda
2021-11-03 21:38 ` Vineel Kovvuri
From: Maciej Rabeda @ 2021-11-03 21:29 UTC (permalink / raw)
To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com,
Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner,
Sean Brogan, Bret Barkelew
Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
matching for HTTP+TLS."
Patch merged.
PR: https://github.com/tianocore/edk2/pull/2168
Commit:
https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
On 02-Nov-21 20:54, Maciej Rabeda wrote:
> Hi Vineel,
>
> I will integrate the change to edk2 tomorrow.
>
> For now:
> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>
> Thanks,
> Maciej
>
> On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
>> Hi Folks,
>>
>> Thanks for reviewing the patch. May I know what are the next steps to
>> get it in to edk2?
>> I have already updated the same in
>> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>>
>> Thanks,
>> Vineel
>>
>> -----Original Message-----
>> From: Wu, Jiaxin <jiaxin.wu@intel.com>
>> Sent: Monday, November 1, 2021 6:15 PM
>> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej
>> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
>> Jancarlo Perez <jpere@microsoft.com>; Mike Turner
>> <Michael.Turner@microsoft.com>; Sean Brogan
>> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
>> name matching in EDK2 HTTPS/TLS implementation
>>
>> It's good to me change the default the verify flag.
>>
>> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>>
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>>> Kovvuri
>>> Sent: Friday, October 15, 2021 8:55 AM
>>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>>> EDK2 HTTPS/TLS implementation
>>>
>>> The current UEFI implementation of HTTPS during its TLS configuration
>>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>>> per the spec this flag does is "to disable the match of any wildcards
>>> in the host name". So, certificates which are issued with
>>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
>>> matching. On the other hand,
>>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
>>> hostname validation. Wildcards are supported and they match only in
>>> the left-most label."
>>> this behavior/definition is coming from openssl's X509_check_host()
>>> api
>>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>>
>>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>>> certificates issued with wildcards in them would fail to match while
>>> trying to communicate with HTTPS endpoint.
>>>
>>> BugZilla:
>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>>
>>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>>> ---
>>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> index 7e0bf85c3c..0f28ae9447 100644
>>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>> //
>>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>>> HttpInstance->TlsConfigData.VerifyMethod =
>>> EFI_TLS_VERIFY_PEER;
>>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>>> EFI_TLS_VERIFY_FLAG_NONE;
>>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>>> RemoteHost;
>>> HttpInstance->TlsConfigData.SessionState =
>>> EfiTlsSessionNotStarted;
>>>
>>> --
>>> 2.17.1
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
2021-11-03 21:29 ` Maciej Rabeda
@ 2021-11-03 21:38 ` Vineel Kovvuri
From: Vineel Kovvuri @ 2021-11-03 21:38 UTC (permalink / raw)
To: devel, maciej.rabeda
Cc: Vineel Kovvuri, Wu, Jiaxin, Rabeda, Maciej, Yao, Jiewen,
Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew
Thanks a lot Maciej for merging the PR.
Thanks,
Vineel
On Wed, Nov 3, 2021 at 2:29 PM Rabeda, Maciej <maciej.rabeda@linux.intel.com>
wrote:
> Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
> matching for HTTP+TLS."
>
> Patch merged.
> PR: https://github.com/tianocore/edk2/pull/2168
> Commit:
>
> https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
>
> On 02-Nov-21 20:54, Maciej Rabeda wrote:
> > Hi Vineel,
> >
> > I will integrate the change to edk2 tomorrow.
> >
> > For now:
> > Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> >
> > Thanks,
> > Maciej
> >
> > On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> >> Hi Folks,
> >>
> >> Thanks for reviewing the patch. May I know what are the next steps to
> >> get it in to edk2?
> >> I have already updated the same in
> >>
> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
> >>
> >> Thanks,
> >> Vineel
> >>
> >> -----Original Message-----
> >> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> >> Sent: Monday, November 1, 2021 6:15 PM
> >> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej
> >> <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> >> Jancarlo Perez <jpere@microsoft.com>; Mike Turner
> >> <Michael.Turner@microsoft.com>; Sean Brogan
> >> <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> >> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
> >> name matching in EDK2 HTTPS/TLS implementation
> >>
> >> It's good to me change the default the verify flag.
> >>
> >> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
> >>
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> >>> Kovvuri
> >>> Sent: Friday, October 15, 2021 8:55 AM
> >>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> >>> <jiewen.yao@intel.com>; jpere@microsoft.com;
> >>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> >>> bret.barkelew@microsoft.com; devel@edk2.groups.io
> >>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> >>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> >>> EDK2 HTTPS/TLS implementation
> >>>
> >>> The current UEFI implementation of HTTPS during its TLS configuration
> >>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> >>> per the spec this flag does is "to disable the match of any wildcards
> >>> in the host name". So, certificates which are issued with
> >>> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
> >>> matching. On the other hand,
> >>> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> >>> hostname validation. Wildcards are supported and they match only in
> >>> the left-most label."
> >>> this behavior/definition is coming from openssl's X509_check_host()
> >>> api
> >>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> >>>
> >>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> >>> certificates issued with wildcards in them would fail to match while
> >>> trying to communicate with HTTPS endpoint.
> >>>
> >>> BugZilla:
> >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> >>>
> >>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> >>> ---
> >>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> index 7e0bf85c3c..0f28ae9447 100644
> >>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> @@ -625,7 +625,7 @@ TlsConfigureSession (
> >>> //
> >>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> >>> HttpInstance->TlsConfigData.VerifyMethod =
> >>> EFI_TLS_VERIFY_PEER;
> >>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> >>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NONE;
> >>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >>>> RemoteHost;
> >>> HttpInstance->TlsConfigData.SessionState =
> >>> EfiTlsSessionNotStarted;
> >>>
> >>> --
> >>> 2.17.1