From: Vineel Kovvuri
Date: Wed, 3 Nov 2021 14:38:15 -0700
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
To: devel@edk2.groups.io, maciej.rabeda@linux.intel.com
Cc: Vineel Kovvuri, "Wu, Jiaxin", "Rabeda, Maciej", "Yao, Jiewen", Jancarlo Perez, Mike Turner, Sean Brogan, Bret Barkelew

Thanks a lot Maciej for merging the PR.

Thanks,
Vineel

On Wed, Nov 3, 2021 at 2:29 PM Rabeda, Maciej wrote:
> Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name
> matching for HTTP+TLS."
>
> Patch merged.
> PR: https://github.com/tianocore/edk2/pull/2168
> Commit:
> https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
>
> On 02-Nov-21 20:54, Maciej Rabeda wrote:
> > Hi Vineel,
> >
> > I will integrate the change to edk2 tomorrow.
> >
> > For now:
> > Reviewed-by: Maciej Rabeda
> >
> > Thanks,
> > Maciej
> >
> > On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> >> Hi Folks,
> >>
> >> Thanks for reviewing the patch. May I know what are the next steps to
> >> get it into edk2?
> >> I have already updated the same in
> >> https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
> >>
> >> Thanks,
> >> Vineel
> >>
> >> -----Original Message-----
> >> From: Wu, Jiaxin
> >> Sent: Monday, November 1, 2021 6:15 PM
> >> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen;
> >> Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
> >> Cc: Vineel Kovvuri
> >> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host
> >> name matching in EDK2 HTTPS/TLS implementation
> >>
> >> It's good to me to change the default verify flag.
> >>
> >> Reviewed-by: Jiaxin Wu
> >>
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: devel@edk2.groups.io On Behalf Of Vineel Kovvuri
> >>> Sent: Friday, October 15, 2021 8:55 AM
> >>> To: Rabeda, Maciej; Yao, Jiewen; jpere@microsoft.com;
> >>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> >>> bret.barkelew@microsoft.com; devel@edk2.groups.io
> >>> Cc: Vineel Kovvuri
> >>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> >>> EDK2 HTTPS/TLS implementation
> >>>
> >>> The current UEFI implementation of HTTPS during its TLS configuration
> >>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> >>> per the spec, what this flag does is "to disable the match of any wildcards
> >>> in the host name". So, certificates which are issued with
> >>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
> >>> matching. On the other hand,
> >>> EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for
> >>> hostname validation. Wildcards are supported and they match only in
> >>> the left-most label."
> >>> This behavior/definition comes from OpenSSL's X509_check_host()
> >>> API:
> >>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> >>>
> >>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> >>> certificates issued with wildcards in them would fail to match while
> >>> trying to communicate with an HTTPS endpoint.
> >>> > >>> BugZilla: > >>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz > >>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee > >>> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14 > >>> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb > >>> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D% > >>> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am > >>> p;reserved=0 > >>> > >>> Signed-off-by: Vineel Kovvuri > >>> --- > >>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- > >>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>> > >>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c > >>> b/NetworkPkg/HttpDxe/HttpsSupport.c > >>> index 7e0bf85c3c..0f28ae9447 100644 > >>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c > >>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c > >>> @@ -625,7 +625,7 @@ TlsConfigureSession ( > >>> // > >>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; > >>> HttpInstance->TlsConfigData.VerifyMethod = > >>> EFI_TLS_VERIFY_PEER; > >>> - HttpInstance->TlsConfigData.VerifyHost.Flags = > >>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > >>> + HttpInstance->TlsConfigData.VerifyHost.Flags = > >>> EFI_TLS_VERIFY_FLAG_NONE; > >>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance- > >>>> RemoteHost; > >>> HttpInstance->TlsConfigData.SessionState = > >>> EfiTlsSessionNotStarted; > >>> > >>> -- > >>> 2.17.1 > >>> > >>> > >>> > >>> > >>> > >> > >> > >> > >> > >> > > > > > > > > > > > > > > --000000000000e47e3705cfe93a98 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
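Review bot: the new `HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;` line in TlsConfigureSession needs a one-line comment in HttpsSupport.c saying that wildcards in the left-most label are now accepted, because the identifier reads as "no verification" and the commit message itself calls it a misnomer; without that comment a later reader may either restore NO_WILDCARDS believing NONE is the unsafe setting, or conclude that NONE turns host checking off. The commit message should also say explicitly that this is a default change for every HttpDxe consumer rather than an opt-in, and spell out the widened acceptance: under the X509_check_host() semantics it cites, a certificate for `*.dm.corp.net` now satisfies verification for any single-label host beneath dm.corp.net, with VerifyHost.HostName still taken from HttpInstance->RemoteHost as before.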
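To make the two settings the commit message contrasts concrete, here is a small stand-alone C model of host name matching with and without the no-wildcards setting, added for this edit and not code from EDK2 or OpenSSL. The flag names and numeric values are assumptions mirroring the EFI_TLS_VERIFY_FLAG_* identifiers in the patch; partial wildcards such as `www*.corp.net` are rejected here, which is stricter than X509_check_host()'s default.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Modelled on the EFI_TLS_VERIFY_FLAG_* names in the patch; the numeric
 * values below are assumptions for this example, not the UEFI spec's. */
#define VERIFY_FLAG_NONE         0x0u
#define VERIFY_FLAG_NO_WILDCARDS 0x1u

/* Case-insensitive equality of two NUL-terminated DNS names. */
static bool name_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* A wildcard pattern is usable only if '*' is the whole left-most label and
 * at least two labels follow it ("*.dm.corp.net" yes; "*.net" and
 * "www*.corp.net" no). Returns the suffix after "*." or NULL. */
static const char *wildcard_suffix(const char *pattern) {
    if (pattern[0] != '*' || pattern[1] != '.')
        return NULL;
    const char *suffix = pattern + 2;
    const char *dot = strchr(suffix, '.');
    if (suffix[0] == '.' || dot == NULL || dot[1] == '\0' || strchr(suffix, '*'))
        return NULL;
    return suffix;
}

/* Does the certificate name `pattern` match `host` under `flags`?
 * With VERIFY_FLAG_NONE a valid wildcard matches exactly one label;
 * with VERIFY_FLAG_NO_WILDCARDS the '*' is only ever compared literally,
 * so a wildcard certificate can never match a real host name. */
bool host_matches(const char *pattern, const char *host, unsigned flags) {
    const char *suffix = wildcard_suffix(pattern);
    if (suffix == NULL || (flags & VERIFY_FLAG_NO_WILDCARDS))
        return name_equal(pattern, host);      /* plain, case-insensitive */
    if (strchr(host, '*') != NULL)
        return false;                          /* never honour '*' in the host */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;                          /* need one non-empty left label */
    return name_equal(dot + 1, suffix);        /* remaining labels match exactly */
}
```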