Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

Maciej Rabeda

Hi Vineel,

I will integrate the change to edk2 tomorrow.

For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@...>

Thanks,
Maciej

On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
Hi Folks,

Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning

Thanks,
Vineel

-----Original Message-----
From: Wu, Jiaxin <jiaxin.wu@...>
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@...; Rabeda, Maciej <maciej.rabeda@...>; Yao, Jiewen <jiewen.yao@...>; Jancarlo Perez <jpere@...>; Mike Turner <Michael.Turner@...>; Sean Brogan <sean.brogan@...>; Bret Barkelew <Bret.Barkelew@...>
Cc: Vineel Kovvuri <vineelko@...>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu <jiaxin.wu@...>

Thanks,
Jiaxin

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel Kovvuri
Sent: Friday, October 15, 2021 8:55 AM
To: Rabeda, Maciej <maciej.rabeda@...>; Yao, Jiewen <jiewen.yao@...>; jpere@...; Michael.Turner@...; sean.brogan@...; bret.barkelew@...; devel@edk2.groups.io
Cc: Vineel Kovvuri <vineelko@...>
Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, what this flag does is "disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." This behavior/definition comes from OpenSSL's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@...>
---
NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
//
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags =
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+ HttpInstance->TlsConfigData.VerifyHost.Flags =
EFI_TLS_VERIFY_FLAG_NONE;
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
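Review bot: the flag change from EFI_TLS_VERIFY_FLAG_NO_WILDCARDS to EFI_TLS_VERIFY_FLAG_NONE widens the set of certificates every HttpDxe consumer will accept, not only the wildcard-certificate deployments the commit message describes, so the comment block that the leading `//` context line closes should say that wildcard DNS names are now accepted and why the restriction was dropped. It is worth stating explicitly, in the comment and the commit message, that `VerifyMethod = EFI_TLS_VERIFY_PEER` on the preceding context line is unchanged, so peer and host name verification is still performed and EFI_TLS_VERIFY_FLAG_NONE only means "no extra restrictions", with wildcards matching in the left-most label only; a reader of this hunk alone could otherwise take the new value for "no verification". If some platforms need the stricter behaviour, consider making the flag value configurable rather than hard-coding it here.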

--
2.17.1
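To make the difference between the two flag values concrete, here is an added example that is not part of the patch, of edk2, or of OpenSSL: a small host name matcher implementing the rule the commit message quotes (a wildcard is honoured only as the whole left-most label and matches exactly one label), with the NO_WILDCARDS flag rejecting any wildcard name outright. The flag values, `host_matches`, and the helper names are assumptions made for this example. It is stricter than OpenSSL's default in one respect: OpenSSL also accepts partial wildcards such as `www*.example.com` unless X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is set, which this matcher never does.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this example only; the real
   EFI_TLS_VERIFY_FLAG_* values come from the UEFI TLS protocol header. */
#define VERIFY_FLAG_NONE          0x00u
#define VERIFY_FLAG_NO_WILDCARDS  0x01u

/* Case-insensitive ASCII comparison (DNS names are case-insensitive). */
static bool ascii_ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Count dot-separated labels in a name such as "dm.corp.net" (-> 3). */
static int label_count(const char *name)
{
    int n = (*name != '\0') ? 1 : 0;
    for (; *name != '\0'; name++)
        if (*name == '.')
            n++;
    return n;
}

/* Decide whether a DNS name taken from a certificate (pattern) matches the
   host name the client intended to reach.
   - With VERIFY_FLAG_NO_WILDCARDS set, any pattern containing '*' fails
     (the old HttpDxe behaviour).
   - Otherwise '*' is honoured only when it is the entire left-most label,
     it matches exactly one label, and at least two labels follow it
     ("*.net" is rejected as too broad). Wildcards elsewhere never match. */
bool host_matches(const char *pattern, const char *host, unsigned flags)
{
    if (strchr(pattern, '*') == NULL)
        return ascii_ieq(pattern, host);       /* exact, case-insensitive */

    if (flags & VERIFY_FLAG_NO_WILDCARDS)
        return false;                           /* wildcards disabled */

    /* Wildcard must be the whole first label and the only '*' in the name. */
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 2, '*') != NULL)
        return false;

    const char *suffix = pattern + 1;           /* e.g. ".dm.corp.net" */
    if (label_count(suffix + 1) < 2)
        return false;                           /* too broad, e.g. "*.net" */

    /* The host must have exactly one label in front of the suffix. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    return ascii_ieq(dot, suffix);
}

int main(void)
{
    /* Constructed sample names, including the *.dm.corp.net case from the patch. */
    static const struct { const char *pat, *host; unsigned flags; } cases[] = {
        { "*.dm.corp.net",   "host.dm.corp.net", VERIFY_FLAG_NONE },
        { "*.dm.corp.net",   "host.dm.corp.net", VERIFY_FLAG_NO_WILDCARDS },
        { "*.dm.corp.net",   "a.b.dm.corp.net",  VERIFY_FLAG_NONE },
        { "*.dm.corp.net",   "dm.corp.net",      VERIFY_FLAG_NONE },
        { "host.*.corp.net", "host.dm.corp.net", VERIFY_FLAG_NONE },
        { "*.net",           "corp.net",         VERIFY_FLAG_NONE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-18s vs %-18s flags=%u -> %s\n", cases[i].pat, cases[i].host,
               cases[i].flags,
               host_matches(cases[i].pat, cases[i].host, cases[i].flags)
                   ? "match" : "no match");
    }
    return 0;
}
```

Only the first case matches; the same certificate name fails under NO_WILDCARDS, and under NONE the matcher still refuses extra labels, a wildcard in a non-leading label, and an overly broad `*.net`, which is the behaviour the patch relies on when it drops the restrictive flag.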