* [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
@ 2021-10-15  0:54 Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
  ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Vineel Kovvuri @ 2021-10-15  0:54 UTC (permalink / raw)
  To: maciej.rabeda, jiewen.yao, jpere, Michael.Turner, sean.brogan, bret.barkelew, devel
  Cc: Vineel Kovvuri

The current UEFI implementation of HTTPS during its TLS configuration uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
what this flag does is "to disable the match of any wildcards in the host name".
So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them
will fail the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname
validation. Wildcards are supported and they match only in the left-most label."
This behavior/definition comes from OpenSSL's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued
with wildcards in them would fail to match while trying to communicate with an
HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession ( // HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost; HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; -- 2.17.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
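Review bot: the new `HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;` in the TlsConfigureSession hunk hard-codes the relaxed host-name policy for every HttpDxe consumer and leaves a platform no way to keep the previous strict (no-wildcard) behaviour; since this is a security-policy change, consider making the flag value configurable (for example a PCD read here) or stating explicitly in the commit message that no opt-out is intended. The commit message also calls EFI_TLS_VERIFY_FLAG_NONE a misnomer, so a one-line comment above that assignment saying that host-name verification is still performed (VerifyMethod stays EFI_TLS_VERIFY_PEER on the line above) and that wildcards are now accepted in the left-most label only would spare the next reader the same confusion.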
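The commit message above describes the policy difference the patch switches between: with EFI_TLS_VERIFY_FLAG_NO_WILDCARDS a certificate DNS name must equal the requested host, while EFI_TLS_VERIFY_FLAG_NONE accepts a wildcard that stands for the left-most label only. The following is an added example, not EDK2 or OpenSSL code (EDK2's TlsLib hands the real check to OpenSSL's X509_check_host()); it models just those two rules so the accepted and rejected hosts can be seen side by side. The function name match_host_name and the two-value VerifyFlags enum are this example's own, it deliberately leaves out OpenSSL's partial-wildcard handling and the non-DNS name types, and the certificate name and host list in main() are constructed test data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not EDK2 or OpenSSL code: a minimal model of the two
 * host-name policies the patch switches between.
 *   VERIFY_FLAG_NO_WILDCARDS: the certificate name must equal the host.
 *   VERIFY_FLAG_NONE:         '*' is accepted only as the whole left-most
 *                             label and stands for exactly one label.
 * These names are this example's own, not the EFI_TLS_VERIFY_FLAG_* values.
 */
typedef enum {
  VERIFY_FLAG_NONE         = 0,
  VERIFY_FLAG_NO_WILDCARDS = 1
} VerifyFlags;

/* Case-insensitive comparison of two byte ranges (DNS names are case-insensitive). */
static int name_eq_ci(const char *a, size_t alen, const char *b, size_t blen) {
  if (alen != blen) {
    return 0;
  }
  for (size_t i = 0; i < alen; i++) {
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
      return 0;
    }
  }
  return 1;
}

/* Returns 1 if certificate DNS name `pattern` is acceptable for `host`, else 0. */
int match_host_name(const char *pattern, const char *host, VerifyFlags flags) {
  size_t plen = strlen(pattern);
  size_t hlen = strlen(host);
  if (plen == 0 || hlen == 0) {
    return 0;
  }

  /* An exact (case-insensitive) match is accepted under either policy. */
  if (name_eq_ci(pattern, plen, host, hlen)) {
    return 1;
  }

  /* NO_WILDCARDS: nothing but an exact match is allowed. */
  if (flags & VERIFY_FLAG_NO_WILDCARDS) {
    return 0;
  }

  /* NONE: the wildcard must be the complete left-most label, i.e. "*.suffix". */
  if (strncmp(pattern, "*.", 2) != 0) {
    return 0;                       /* rejects "h*st.example.com" and "a.*.example.com" */
  }
  const char *suffix = pattern + 1; /* ".dm.corp.net", including the leading dot */
  if (strchr(suffix + 1, '*') != NULL) {
    return 0;                       /* a second '*' anywhere is rejected */
  }
  if (strchr(suffix + 1, '.') == NULL) {
    return 0;                       /* "*.net" would cover a whole TLD; refuse it */
  }

  /* The host must be exactly one non-empty label followed by that suffix. */
  const char *host_dot = strchr(host, '.');
  if (host_dot == NULL || host_dot == host) {
    return 0;
  }
  return name_eq_ci(host_dot, hlen - (size_t)(host_dot - host), suffix, strlen(suffix));
}

int main(void) {
  /* Constructed inputs: a wildcard certificate name and a few candidate hosts. */
  const char *cert_name = "*.dm.corp.net";
  const char *hosts[] = {
    "host.dm.corp.net",      /* one label under the wildcard: accepted with NONE */
    "HOST.DM.CORP.NET",      /* same host, different case */
    "a.b.dm.corp.net",       /* two labels: the wildcard covers only one */
    "dm.corp.net",           /* the bare suffix: no label for the '*' to match */
    "host.dm.corp.net.evil", /* different suffix */
  };
  for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
    printf("%-24s NO_WILDCARDS=%d  NONE=%d\n", hosts[i],
           match_host_name(cert_name, hosts[i], VERIFY_FLAG_NO_WILDCARDS),
           match_host_name(cert_name, hosts[i], VERIFY_FLAG_NONE));
  }
  return 0;
}
```

Under the NO_WILDCARDS policy the wildcard certificate matches none of the listed hosts, which is the failure the patch is fixing; under NONE only the first two hosts match, because the wildcard consumes exactly one label and never the bare suffix or a different suffix.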
* Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
@ 2021-10-15  1:11 ` Yao, Jiewen
  2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
  2021-11-02  1:15 ` Wu, Jiaxin
  2 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2021-10-15  1:11 UTC
  To: Vineel Kovvuri, Rabeda, Maciej, jpere@microsoft.com, Michael.Turner@microsoft.com, sean.brogan@microsoft.com, bret.barkelew@microsoft.com, devel@edk2.groups.io
  Cc: Vineel Kovvuri

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

Since this https://bugzilla.tianocore.org/show_bug.cgi?id=3691 (NetworkPkg) is
separated from https://bugzilla.tianocore.org/show_bug.cgi?id=3679 (CryptoPkg),
I will handle those two separately. I will only help merge 3679, and I would
expect the NetworkPkg maintainer to handle 3691.

Since this impacts the security policy, after NetworkPkg maintainer review, I
recommend we wait for a longer time (1~2 WW) to see if any other people have
comments on this one.

Thank you
Yao Jiewen
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
@ 2021-10-22 10:32 ` Maciej Rabeda
  2021-11-02  1:15 ` Wu, Jiaxin
  2 siblings, 0 replies; 8+ messages in thread
From: Maciej Rabeda @ 2021-10-22 10:32 UTC
  To: devel, vineel.kovvuri, maciej.rabeda, jiewen.yao, jpere, Michael.Turner, sean.brogan, bret.barkelew
  Cc: Vineel Kovvuri

Hi Vineel,

I do not have any problems with this patch.
Before I merge, I would like Jiaxin to look at it, since he has submitted that code.

Thanks,
Maciej
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
  2021-10-15  1:11 ` Yao, Jiewen
  2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
@ 2021-11-02  1:15 ` Wu, Jiaxin
  2021-11-02 18:57 ` Vineel Kovvuri
  2 siblings, 1 reply; 8+ messages in thread
From: Wu, Jiaxin @ 2021-11-02  1:15 UTC
  To: devel@edk2.groups.io, vineel.kovvuri@gmail.com, Rabeda, Maciej, Yao, Jiewen, jpere@microsoft.com, Michael.Turner@microsoft.com, sean.brogan@microsoft.com, bret.barkelew@microsoft.com
  Cc: Vineel Kovvuri

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

Thanks,
Jiaxin
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-02  1:15 ` Wu, Jiaxin
@ 2021-11-02 18:57 ` Vineel Kovvuri
  2021-11-02 19:54 ` Maciej Rabeda
  [not found] ` <16B3D2D0C1325DDF.24252@groups.io>
  0 siblings, 2 replies; 8+ messages in thread
From: Vineel Kovvuri @ 2021-11-02 18:57 UTC
  To: Wu, Jiaxin, devel@edk2.groups.io, vineel.kovvuri@gmail.com, Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew

Hi Folks,

Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning

Thanks,
Vineel
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-02 18:57 ` Vineel Kovvuri
@ 2021-11-02 19:54 ` Maciej Rabeda
  [not found] ` <16B3D2D0C1325DDF.24252@groups.io>
  1 sibling, 0 replies; 8+ messages in thread
From: Maciej Rabeda @ 2021-11-02 19:54 UTC
  To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com, Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew

Hi Vineel,

I will integrate the change to edk2 tomorrow.

For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Thanks,
Maciej
[parent not found: <16B3D2D0C1325DDF.24252@groups.io>]
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  [not found] ` <16B3D2D0C1325DDF.24252@groups.io>
@ 2021-11-03 21:29 ` Maciej Rabeda
  2021-11-03 21:38 ` Vineel Kovvuri
  0 siblings, 1 reply; 8+ messages in thread
From: Maciej Rabeda @ 2021-11-03 21:29 UTC
  To: devel, vineelko, Wu, Jiaxin, vineel.kovvuri@gmail.com, Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew

Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS."

Patch merged.
PR: https://github.com/tianocore/edk2/pull/2168
Commit: https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
* Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
  2021-11-03 21:29 ` Maciej Rabeda
@ 2021-11-03 21:38 ` Vineel Kovvuri
  0 siblings, 0 replies; 8+ messages in thread
From: Vineel Kovvuri @ 2021-11-03 21:38 UTC
  To: devel, maciej.rabeda
  Cc: Vineel Kovvuri, Wu, Jiaxin, Rabeda, Maciej, Yao, Jiewen, Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew

Thanks a lot Maciej for merging the PR.

Thanks,
Vineel
end of thread, other threads:[~2021-11-03 21:38 UTC | newest]

Thread overview: 8+ messages
2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15  1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02  1:15 ` Wu, Jiaxin
2021-11-02 18:57   ` Vineel Kovvuri
2021-11-02 19:54     ` Maciej Rabeda
     [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29       ` Maciej Rabeda
2021-11-03 21:38         ` Vineel Kovvuri