From: "Vineel Kovvuri" <vineelko@microsoft.com>
To: "Wu, Jiaxin"; devel@edk2.groups.io; vineel.kovvuri@gmail.com; "Rabeda, Maciej"; "Yao, Jiewen"; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Tue, 2 Nov 2021 18:57:57 +0000
References: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com>
Hi Folks,

Thanks for reviewing the patch. May I know what the next steps are to get it into edk2? I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning

Thanks,
Vineel

-----Original Message-----
From: Wu, Jiaxin
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew
Cc: Vineel Kovvuri
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Vineel Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej; Yao, Jiewen; jpere@microsoft.com; Michael.Turner@microsoft.com; sean.brogan@microsoft.com; bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> per the spec, what this flag does is "to disable the match of any wildcards
> in the host name". So, certificates which are issued with
> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
> matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means
> "no additional flags set for hostname validation. Wildcards are
> supported and they match only in the left-most label." This
> behavior/definition is coming from openssl's X509_check_host() api:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> certificates issued with wildcards in them would fail to match while
> trying to communicate with an HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>  //
>  HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>  HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
>  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
>  HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
>
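Review bot: the commit message should state which host names the new Flags value accepts, not only that wildcard certificates now match. EFI_TLS_VERIFY_FLAG_NONE leaves the X509_check_host() defaults cited in the message in force, so a '*' is honoured only as the left-most label and covers exactly one label (a *.dm.corp.net certificate matches host.dm.corp.net but neither dm.corp.net nor a.b.dm.corp.net), while partial wildcards such as www*.example.com remain accepted unless a NO_PARTIAL_WILDCARDS flag is also set; spelling that out lets reviewers judge how far acceptance widens relative to EFI_TLS_VERIFY_FLAG_NO_WILDCARDS, since VerifyMethod stays EFI_TLS_VERIFY_PEER and HostName stays HttpInstance->RemoteHost. One style point: the "BugZilla:" line should follow the edk2 commit-message convention, "REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3691".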
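To make the difference between the two flag values concrete, here is an added example written for this page (not EDK2's TlsLib nor OpenSSL's own code) that re-implements the X509_check_host() default wildcard rules the patch relies on, beside the literal comparison that EFI_TLS_VERIFY_FLAG_NO_WILDCARDS forces. It also covers the NO_PARTIAL_WILDCARDS rule, which the patch does not discuss. The VERIFY_FLAG_* constants, valid_star() and match_hostname() are this example's own names, and the host names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example flag bits (this example's own values; they mirror the meaning of the
 * EFI_TLS_VERIFY_FLAG_NONE / _NO_WILDCARDS / _NO_PARTIAL_WILDCARDS names). */
#define VERIFY_FLAG_NONE                 0u
#define VERIFY_FLAG_NO_WILDCARDS         (1u << 0)
#define VERIFY_FLAG_NO_PARTIAL_WILDCARDS (1u << 1)

/* Case-insensitive comparison of n bytes (DNS names compare case-insensitively). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Locate the one permitted '*' in a certificate DNS name pattern, following the
 * documented X509_check_host() defaults: at most one star, only in the left-most
 * label, at the start or end of that label (no "f*o"), and at least two labels
 * after it ("*.net" is rejected). With NO_PARTIAL_WILDCARDS the star must be the
 * whole label. Returns NULL when the pattern has no usable wildcard. */
static const char *valid_star(const char *pat, unsigned flags)
{
    const char *star = NULL;
    size_t dots = 0;
    bool label_start = true;

    for (const char *p = pat; *p != '\0'; p++) {
        if (*p == '*') {
            bool at_start = label_start;
            bool at_end = (p[1] == '\0' || p[1] == '.');
            if (star != NULL || dots != 0)      /* second star, or star past first label */
                return NULL;
            if (!at_start && !at_end)           /* interior star such as "f*o" */
                return NULL;
            if ((flags & VERIFY_FLAG_NO_PARTIAL_WILDCARDS) && (!at_start || !at_end))
                return NULL;                    /* "www*" / "*www" not allowed */
            star = p;
            label_start = false;
        } else if (*p == '.') {
            dots++;
            label_start = true;
        } else {
            label_start = false;
        }
    }
    return (star == NULL || dots < 2) ? NULL : star;
}

/* Match a host name against one certificate DNS name (SAN dNSName or CN).
 * With VERIFY_FLAG_NO_WILDCARDS the pattern is compared literally, which is why
 * a "*.dm.corp.net" certificate never matched under the old HttpDxe setting. */
bool match_hostname(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    const char *star = (flags & VERIFY_FLAG_NO_WILDCARDS) ? NULL
                                                          : valid_star(pattern, flags);
    if (star == NULL)
        return plen == hlen && ieq(pattern, host, plen);

    size_t prefix_len = (size_t)(star - pattern);   /* bytes before '*' */
    const char *suffix = star + 1;                  /* everything after '*' */
    size_t suffix_len = plen - prefix_len - 1;

    if (hlen < prefix_len + suffix_len || !ieq(pattern, host, prefix_len))
        return false;
    const char *wild_start = host + prefix_len;
    const char *wild_end = host + (hlen - suffix_len);
    if (!ieq(wild_end, suffix, suffix_len))
        return false;
    /* A whole-label star must match at least one character: "*.dm.corp.net"
     * does not match the bare "dm.corp.net". */
    if (prefix_len == 0 && suffix[0] == '.' && wild_start == wild_end)
        return false;
    /* The star covers exactly one label: hostname characters only, never '.',
     * so "a.b.dm.corp.net" is rejected by "*.dm.corp.net". */
    for (const char *p = wild_start; p != wild_end; p++) {
        if (!isalnum((unsigned char)*p) && *p != '-')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names: old HttpDxe flag beside the flag the patch sets. */
    const char *pattern = "*.dm.corp.net";
    const char *hosts[] = { "host.dm.corp.net", "dm.corp.net", "a.b.dm.corp.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-14s vs %-16s NO_WILDCARDS=%d NONE=%d\n", pattern, hosts[i],
               match_hostname(pattern, hosts[i], VERIFY_FLAG_NO_WILDCARDS),
               match_hostname(pattern, hosts[i], VERIFY_FLAG_NONE));
    }
    return 0;
}
```

The point worth noticing is that the single-label rule, not the flag, is what keeps the wider matching bounded: a wildcard certificate for dm.corp.net can never vouch for a host two labels deeper or for the apex name, regardless of VerifyHost.Flags.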