From nobody Mon Apr 29 15:35:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+82075+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+82075+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1634261870; cv=none; d=zohomail.com; s=zohoarc; b=Ph6FSOL5pvKhl1NXHHsEi2nbCZFtP/FhZ8NucX05tWkuz+A5UqjVFEsrMNOP5GGMvCMzTk+/iNhqb4Bna+CSSOXmRhLrEIcLgkvnE38HmhOpOLYeFUWLVlKBkY7VO7ZPZSia/5yYO/gCLVePHXciBz29G1voN1V7EAA1ytk7gQM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1634261870; h=Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:Message-ID:Reply-To:Sender:Subject:To; bh=+TDzlK1ElfZ1W5/mgI9fRll1TH9fUaspX81hxCJsQlg=; b=AWJ6mPBf1RtYyjcHRaAf0sCn9xB+4ukp5YnmJfzTTUjmtZ94YwNSq3ZNmkNFpPECyvPYG70KUT2+RpWXVEV5yFfhOWNRgd2h55IIO56jTauPq2rS63uPQpIwp7QRS4rQUwykbV0cLAOhxTAppR+qhEnQbIX6m3X6g8yjSjYsvQU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+82075+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1634261870432153.4859803489926; Thu, 14 Oct 2021 18:37:50 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id DRxfYY1788612xJTi8PjEWlH; Thu, 14 Oct 2021 18:37:50 -0700 X-Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web09.3474.1634259297388159136 for ; Thu, 14 Oct 2021 17:54:57 -0700 X-Received: by mail-pl1-f179.google.com with SMTP id y1so5317339plk.10 for ; Thu, 14 Oct 2021 17:54:57 -0700 (PDT) X-Gm-Message-State: xTvnKWdHvLmilQKcaT5CelTbx1787277AA= X-Google-Smtp-Source: ABdhPJy2fRo3nOL3JRZK1Xf3sxBXNCu+wC/UAWyAQFJpTaiseQM7ZUIzaoKy88PDDu8UIrJy6oEjLA== X-Received: by 2002:a17:90b:20d2:: with SMTP id ju18mr23137859pjb.66.1634259296807; Thu, 14 Oct 2021 17:54:56 -0700 (PDT) X-Received: from VIN-Z2-DEV.redmond.corp.microsoft.com ([50.35.92.111]) by smtp.gmail.com with ESMTPSA id k6sm3831796pfg.18.2021.10.14.17.54.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Oct 2021 17:54:56 -0700 (PDT) From: Vineel Kovvuri X-Google-Original-From: Vineel Kovvuri To: maciej.rabeda@intel.com, jiewen.yao@intel.com, jpere@microsoft.com, Michael.Turner@microsoft.com, sean.brogan@microsoft.com, bret.barkelew@microsoft.com, devel@edk2.groups.io Cc: Vineel Kovvuri Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Date: Thu, 14 Oct 2021 17:54:50 -0700 Message-Id: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,vineel.kovvuri@gmail.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1634261870; bh=02HItnklhzavayFdvMZm0u/RwX3UvLZ7d3TddMCEEyw=; h=Cc:Date:From:Reply-To:Subject:To; b=Do8gdl45LwzTlX+Tar5EFqyASko58UMlPCw/9CNbsG2YUrxcz/eJQi7rT+M9vsmuG6f uYfzDIgsa2U/tW4cYJvUI/30gwyuknvHtJqIsw/0gOG1DsJenW0N5d+4hrZI/ZzMc+mTr gXDejgVz5OoxkkTGJ0DT7piyvn6ojRAZvUQ= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1634261872346100005 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec this flag does is "to disable the match of any wildcards in the host name".= So, certificates which are issued with wildcards(*.dm.corp.net etc) in it will = fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostn= ame validation. Wildcards are supported and they match only in the left-most la= bel." this behavior/definition is coming from openssl's X509_check_host() api https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates is= sued with wildcards in them would fail to match while trying to communicate with HTTPS endpoint. BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3691 Signed-off-by: Vineel Kovvuri Reviewed-by: Jiaxin Wu Reviewed-by: Jiewen Yao Reviewed-by: Maciej Rabeda --- NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 7e0bf85c3c..0f28ae9447 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -625,7 +625,7 @@ TlsConfigureSession ( // HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEER; - HttpInstance->TlsConfigData.VerifyHost.Flags =3D EFI_TLS_VERIFY_FLAG_= NO_WILDCARDS; + HttpInstance->TlsConfigData.VerifyHost.Flags =3D EFI_TLS_VERIFY_FLAG_= NONE; HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->Remote= Host; HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStar= ted; =20 --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#82075): https://edk2.groups.io/g/devel/message/82075 Mute This Topic: https://groups.io/mt/86329439/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-