Date: Wed, 3 Nov 2021 22:29:33 +0100
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
From: "Maciej Rabeda"
To: devel@edk2.groups.io, vineelko@microsoft.com, "Wu, Jiaxin", "vineel.kovvuri@gmail.com", "Rabeda, Maciej", "Yao, Jiewen", Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew
Reply-To: devel@edk2.groups.io, maciej.rabeda@linux.intel.com

Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS."

Patch merged.
PR: https://github.com/tianocore/edk2/pull/2168
Commit: https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef

On 02-Nov-21 20:54, Maciej Rabeda wrote:
> Hi Vineel,
>
> I will integrate the change to edk2 tomorrow.
>
> For now:
> Reviewed-by: Maciej Rabeda
>
> Thanks,
> Maciej
>
> On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
>> Hi Folks,
>>
>> Thanks for reviewing the patch. May I know what are the next steps to
>> get it into edk2?
>> I have already updated the same in
>> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>>
>> Thanks,
>> Vineel
>>
>> -----Original Message-----
>> From: Wu, Jiaxin
>> Sent: Monday, November 1, 2021 6:15 PM
>> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej;
>> Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
>> Cc: Vineel Kovvuri
>> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
>> name matching in EDK2 HTTPS/TLS implementation
>>
>> It's good to me to change the default verify flag.
>>
>> Reviewed-by: Jiaxin Wu
>>
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io On Behalf Of Vineel Kovvuri
>>> Sent: Friday, October 15, 2021 8:55 AM
>>> To: Rabeda, Maciej; Yao, Jiewen; jpere@microsoft.com;
>>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>>> Cc: Vineel Kovvuri
>>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>>> EDK2 HTTPS/TLS implementation
>>>
>>> The current UEFI implementation of HTTPS during its TLS configuration
>>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>>> per the spec, this flag is "to disable the match of any wildcards
>>> in the host name". So, certificates which are issued with
>>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>>> matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer)
>>> means "no additional flags set for hostname validation. Wildcards are
>>> supported and they match only in the left-most label."
>>> This behavior/definition is coming from OpenSSL's X509_check_host()
>>> API:
>>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>>
>>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>>> certificates issued with wildcards in them would fail to match while
>>> trying to communicate with an HTTPS endpoint.
>>>
>>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>>
>>> Signed-off-by: Vineel Kovvuri
>>> ---
>>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> index 7e0bf85c3c..0f28ae9447 100644
>>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>>     //
>>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>>>     HttpInstance->TlsConfigData.VerifyMethod        =
>>> EFI_TLS_VERIFY_PEER;
>>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>>> EFI_TLS_VERIFY_FLAG_NONE;
>>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>>> RemoteHost;
>>>     HttpInstance->TlsConfigData.SessionState        =
>>> EfiTlsSessionNotStarted;
>>>
>>> --
>>> 2.17.1
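Review bot: the hunk hard-codes EFI_TLS_VERIFY_FLAG_NONE for every HttpDxe session without a comment, and the commit message itself calls that name a misnomer, so a later reader is likely to take `VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE` as "no host-name check". Suggest a one-line comment above the assignment stating the actual semantics given in the message (peer verification stays on through EFI_TLS_VERIFY_PEER on the preceding line; wildcards are accepted only in the left-most label, per X509_check_host), and a sentence in the commit message on why the stricter EFI_TLS_VERIFY_FLAG_NO_WILDCARDS is not retained as an option, since after this change an HTTP consumer that deliberately rejects wildcard certificates has no way to opt back in.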
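The two behaviours the thread contrasts, shown as an added example that is not code from edk2, OpenSSL or the patch author: a small host-name matcher in which AllowWildcards == 1 stands in for the EFI_TLS_VERIFY_FLAG_NONE semantics quoted in the commit message (a "*" is honoured only as the whole left-most label and matches exactly one label) and AllowWildcards == 0 stands in for EFI_TLS_VERIFY_FLAG_NO_WILDCARDS (the "*" is a literal character, so a *.dm.corp.net certificate never matches a real host). The matcher name, the flag parameter, the case-insensitive comparison, the rejection of partial-label wildcards such as "www*", and the rule that a wildcard must be followed by at least two more labels are my assumptions, not something the page states.

```c
/*
 * Added example (not edk2, OpenSSL or patch code): minimal DNS host-name
 * matcher illustrating the wildcard rule discussed in the thread.
 *
 * Assumptions (mine): names are plain ASCII DNS names compared
 * case-insensitively; with AllowWildcards the "*" must be the entire
 * left-most label, match exactly one host label, and be followed by at
 * least two further labels; partial wildcards ("www*") are rejected.
 * Without AllowWildcards the "*" is an ordinary character.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* DNS labels are case-insensitive, so compare them that way. */
static int LabelEqual(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen) return 0;
    for (i = 0; i < alen; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    }
    return 1;
}

/* Returns 1 if certificate name Pattern matches Host, 0 otherwise. */
int MatchHostName(const char *Pattern, const char *Host, int AllowWildcards)
{
    const char *p = Pattern, *h = Host;
    int labelIndex = 0;

    if (*Pattern == '\0' || *Host == '\0') return 0;

    for (;;) {
        const char *pEnd = strchr(p, '.');
        const char *hEnd = strchr(h, '.');
        size_t pLen = pEnd ? (size_t)(pEnd - p) : strlen(p);
        size_t hLen = hEnd ? (size_t)(hEnd - h) : strlen(h);

        /* Empty labels (leading/trailing/double dots) are malformed. */
        if (pLen == 0 || hLen == 0) return 0;

        if (AllowWildcards && pLen == 1 && p[0] == '*') {
            /* Wildcard is honoured only in the left-most label and must be
               followed by at least two labels so "*.net" cannot match all. */
            if (labelIndex != 0) return 0;
            if (pEnd == NULL || strchr(pEnd + 1, '.') == NULL) return 0;
            /* The wildcard consumes exactly this one host label. */
        } else {
            /* Partial wildcards such as "www*" are rejected (assumption). */
            if (AllowWildcards && memchr(p, '*', pLen) != NULL) return 0;
            /* With wildcards disabled a "*" label is compared literally,
               which is why "*.dm.corp.net" fails against a real host. */
            if (!LabelEqual(p, pLen, h, hLen)) return 0;
        }

        if (pEnd == NULL && hEnd == NULL) return 1;   /* both names exhausted */
        if (pEnd == NULL || hEnd == NULL) return 0;   /* differing label counts */
        p = pEnd + 1;
        h = hEnd + 1;
        labelIndex++;
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real certificate. */
    static const struct { const char *pat, *host; int wild; } cases[] = {
        { "*.dm.corp.net",  "host.dm.corp.net",  1 },  /* NONE: match     */
        { "*.dm.corp.net",  "host.dm.corp.net",  0 },  /* NO_WILDCARDS: no */
        { "*.dm.corp.net",  "a.b.dm.corp.net",   1 },  /* one label only  */
        { "*.dm.corp.net",  "dm.corp.net",       1 },  /* needs a label   */
        { "host.*.corp.net","host.dm.corp.net",  1 },  /* not left-most   */
        { "*.net",          "corp.net",          1 },  /* too broad       */
        { "HOST.dm.corp.net","host.DM.corp.net", 0 },  /* case-insensitive*/
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-18s vs %-18s wildcards=%d -> %d\n", cases[i].pat, cases[i].host,
               cases[i].wild, MatchHostName(cases[i].pat, cases[i].host, cases[i].wild));
    }
    return 0;
}
```

The second case is the failure the commit message describes: with the wildcard flag off, a certificate issued for *.dm.corp.net cannot match any concrete host in that domain, which is what the patch changes by switching the flag to EFI_TLS_VERIFY_FLAG_NONE.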