From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mx.groups.io with SMTP id smtpd.web10.3608.1634260314423567778 for ; Thu, 14 Oct 2021 18:11:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=FdqEmdA9; spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="227779779" X-IronPort-AV: E=Sophos;i="5.85,374,1624345200"; d="scan'208";a="227779779" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2021 18:11:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,374,1624345200"; d="scan'208";a="548942079" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga004.fm.intel.com with ESMTP; 14 Oct 2021 18:11:53 -0700 Received: from orsmsx612.amr.corp.intel.com (10.22.229.25) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 14 Oct 2021 18:11:52 -0700 Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx612.amr.corp.intel.com (10.22.229.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Thu, 14 Oct 2021 18:11:52 -0700 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.175) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.12; Thu, 14 Oct 2021 18:11:52 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=M/VOiJ+NQteqFjDkkhWhtcj6dZhi84xXcWhPFLx3BYm/DzdNlcE9yTXPo72X8hdlUu1IAzYmnQOyAUEjHu7Bkxsnng6PPGv/jseaH7hCMRX10LQ/wUZeKNVOwJjEnEreVV4qN8uViksUDhq6waPeHztOFt9CmhuCnXgDvOU3yM7Hn7dhEuiVeeVx7f5aHMD2zfWcE4EpFnaqJKDw1JZMOPLal7ViYc/wiqo2G8Kyrc1TxRium8y+6cFKK4yt+oQ7xL7xDgoTgNP7YMOGmYeyLHg9a5ruW6wSF07HKbaozGtN25eR3y62P0ibKh0KDbn+bDRnk3v0sZWr7bfdMWj9hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FHaynUWy6uZcZVzOTqx+iwHMh7DTdRroB2XNzo/dpws=; b=oSaf1jfKYZ6jh5+agVkzIMIG/Tde4g3QEXz92oQbXEuexUyQ4W4kz2F240gKtA5KvJc7cIA+nyEpJ8rbEFdZjGcOOPbmYY9Wgg53aU/1tESgzGUom/dIj+s/7HGdp88qzzB6xMMBeF0hgDHywTAN4YjmqpLWCV8pgzaB9CKaQ/UCK9H+8Nz01y+Z8WOII0WDepzqyqWg3yw0TRI0qcrZKXkP5OTbClVpyzk12shCYXrfATVIe9zuIm9xjtTpWnGVZW2FUhH+gd9TwvJ6h8rLCKrcr7iWn6YVNYaB9yVpBOgiDjNNVtvjXJTNluu8cGLt9tYqh2YVKfFtQJxsm/pp2A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FHaynUWy6uZcZVzOTqx+iwHMh7DTdRroB2XNzo/dpws=; b=FdqEmdA9esvQHBiXAOZj8Mr8qMLliGjbICURqn39Fzlgrg7M9pZXm7vDLRhb9xZFngE+cf3k5C+CErSahxVoZrjQFZFydhsPNWlXtTw/PWorKrbHNrh/ianZBY9x6/DDmm8o8eY1vw2EcWW/mkEGnZHzM4t4muJPKAHhb9zecPY= Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) by PH0PR11MB4871.namprd11.prod.outlook.com (2603:10b6:510:30::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4608.16; Fri, 15 Oct 2021 01:11:51 +0000 Received: from PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::c5cb:e37a:9f3:8f80]) by PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::c5cb:e37a:9f3:8f80%6]) with mapi id 15.20.4608.017; Fri, 15 Oct 2021 01:11:51 +0000 From: "Yao, Jiewen" To: Vineel Kovvuri , "Rabeda, Maciej" , "jpere@microsoft.com" , "Michael.Turner@microsoft.com" , "sean.brogan@microsoft.com" , "bret.barkelew@microsoft.com" , "devel@edk2.groups.io" CC: Vineel Kovvuri Subject: Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Thread-Topic: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Thread-Index: AQHXwSmog4fPjdhOnkqdpUY5JQX/s6vTQOpQ Date: Fri, 15 Oct 2021 01:11:50 +0000 Message-ID: References: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> In-Reply-To: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.200.16 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 39233b86-4b23-48cb-be75-08d98f78c4d6 x-ms-traffictypediagnostic: PH0PR11MB4871: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:7691; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: TfZVWUQT06l+Rvmu+QqHDadIk/HHBWwJNmdmH2O0MKDYEaEZTKRCQjo0478w5yFHMJYw9oqRawvZMwbC3PNh1InLUkPcESkwqnS/pFexzxon5dsEvH1gccEsBIKiYc+PP3tXknVziTQRyy83Hwz6T9GibTroVh0D6AAHzdIOFvUfKQNZhA/KQKZ9Vy64S2aFriq5oZhulJstXU0c0pDwcPLug7T6XfoRklaL90V8LfAx3FA88O6906X2crMHgwrZI8K4RHIdUkNOGhZ17iR8Ue0QrnLddhz5pweKr6tWtWsmOPRTLuWSlE8O34KzvH195Pvxi+pMXyYgNUFroG0HLjWhmj3Bs6Xg8icTfL3+Ay7O2Et2n/ln5Yh7Cqm5i64IsQ7moBaSYFIH3XdbzjP+oNwrQ/R1Ndep9JmLDeVH1XSFAfaKCdmnEMdY4z/3Co2zc/OKjgPeOGvxqkJlx/ZeExf4ObuYrWtlAlXP8p92hc5oBFSdGJO2EJ01p7XjcMx1lsVtz91TuOdxDDsi4uUaYfFSmcHfiSnlNRKw+bCLwAlykZBzTdBU37wTVfmTCgdQIEdXXmTPffZigOQrS6GqmA6PA/kzKji70Oueh3lunSktyjt1V+ropTFz8T94hbz1Dvqegf+ZNSrNaz4JRHojIZvTVW3fyY4IUzMJmefiWg8/XhkGsp8X3Mw4WzRZBV2iZvanp6GZqfxNNdQdF1Il/4xfigIGZWl+51MdFuJYHNw5MzO0+qM/5NZjEUwwQnSvHtvj4KWwICJHmRNCs5wBngIi2Oi37AZlqY0WYBMY4MgM0WlP+Xb5RAsSRWbXh7dHXHylOp0kH34ffv4S5ucIig== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(64756008)(82960400001)(66476007)(66556008)(2906002)(66446008)(83380400001)(8676002)(122000001)(186003)(5660300002)(38100700002)(66946007)(86362001)(76116006)(33656002)(55016002)(6506007)(38070700005)(7696005)(8936002)(45080400002)(71200400001)(53546011)(966005)(508600001)(110136005)(4326008)(52536014)(316002)(9686003)(26005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?gsLmme7DpbZyZEafe8yiho9ijOLB3PKTcFG1+aRtNCJonwgwbDrLDrIR2sNa?= =?us-ascii?Q?ABttn8ddoGpb+gjl8G51WfPTyPBqbxhS0wW0STc8u7Du8O4xXrrqziXXEnvD?= =?us-ascii?Q?+2CCc8qxukBxiUvsDoIM+beZfRvCH4T4Juxgnh6rziVgphUzGwNzqTE02LKL?= =?us-ascii?Q?8VNbJMaSDj0kVRgP4zzI73s6HodL3YFwIA5EyPyKQyhHgIyGzsz8X+yXHp+q?= =?us-ascii?Q?UXlivBPUMBF2WuikeE/gx22M8n1TBYvjHh1l/WRrpVCPBRn6PDQQeoJdWTxZ?= =?us-ascii?Q?N8/3dHx5MAk/Tb9Rtn2qdY3lzFymDD1zxhKZ5wVeh0LvJ0wPHC6NUG/j6Gb+?= =?us-ascii?Q?SVLLVQ8EbEQh7ELUoGvwQDyYTqVi05Kme3wiQlhJOUlAu78gzSxz7UrF4HTd?= =?us-ascii?Q?iQX6CbY/k0uVoN+AjDCW86wMGAHgqzK07wO4VZkHgWVOMqSfQNk4N98mmI1l?= =?us-ascii?Q?gSiq7RMqqIbORRd9QhfzdA6WqI2SAkpYV+WqUgPr1JAoJdbrsZdknyVvrh6B?= =?us-ascii?Q?LR3Ut5+aY3JWYZRrX6UqpER9HQvc//caaBmjCRT3VzLKRddG9ZGRjT9VtwRo?= =?us-ascii?Q?0RwtlgBiKpblGptsr1CAxvXoilQqxKGQ7oTKeqFGnz2t9az+hLKe31CMqk/L?= =?us-ascii?Q?74vkiqMGWTq2zxS5sESRrS99FdxeEss7SiJ77cvbqrK/V6heOOzWIX8GmXE5?= =?us-ascii?Q?B+oN/hoIb7dFhvshhPVcCXKJddiUDX9R2Qmb8SPhRcpnipDj/3PjRhCtv0c4?= =?us-ascii?Q?GsP3GjQ/7iHTNzB6+OtQt3QXb99tAynIxGn+XU4/KTTlfLfqU/K2JnF74BKB?= =?us-ascii?Q?lD+/urMol2r6m3yYQ312RkP40j4fJUBlzQP0I9Bc8HGGCp8IIO1dfa3++SLr?= =?us-ascii?Q?9m0uRjWbM+dqFjs7GRbqieP1wQ1pJPXCTki2zGlgF9UnLg2nlPlMQ77akpFs?= =?us-ascii?Q?20vXNzxal0gaPUA/XUWnWUymEt+VJa9i8LY1GfubDkWk46Upc3esXk0kYKxT?= =?us-ascii?Q?ZTkbeFtky03+oG3Vy0PwSrNPa26mEi2dzL8UpF/gvDpayD+zBiiX6MdD/eJO?= =?us-ascii?Q?WTL59a23N8WyUW8xdxS7Iq1iTXtvmVD9iRxiNFqER31GLJ7dmlj4/lCwfQYc?= =?us-ascii?Q?xRCU5DWavI4T4YAbwnWCkCPuPLKlJNIk7R/aS4ewgzCQcJz0mLb3XPANf8+t?= =?us-ascii?Q?glf92hZouWEwubUa6P6WQuxLw9LhwtgZvzRnPu26fgCaF2q1/jj7miBvdFW0?= =?us-ascii?Q?21wM7g1TVHcrXgI6iI3/RvnrxHqhpyHEr6NYun+0WA0jdJOvb3w2sd0w5sin?= =?us-ascii?Q?zXqTZAChXl2+JhBNHogzj7wR?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 39233b86-4b23-48cb-be75-08d98f78c4d6 X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Oct 2021 01:11:51.0164 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: aJN4xxcPVBQYU2zzrta2yljw+KJChAvh974Hui93RcGIpRcmfdtSKi17tCoEjjl3ihYCRaXN6nuxPUye6fLnIw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4871 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen Yao Since this https://bugzilla.tianocore.org/show_bug.cgi?id=3D3691 (networkpk= g) is separated from https://bugzilla.tianocore.org/show_bug.cgi?id=3D3679 = (cryptopkg), I will handle those two separately. I will only help merge 3679, and I would expect networkpkg maintainer handl= e 3691. Since this impacts the security policy, after NetworkPkg maintainer review,= I recommend we wait for longer time (1~2 WW) to see if any other people ha= s comment for this one. Thank you Yao Jiewen > -----Original Message----- > From: Vineel Kovvuri > Sent: Friday, October 15, 2021 8:55 AM > To: Rabeda, Maciej ; Yao, Jiewen > ; jpere@microsoft.com; > Michael.Turner@microsoft.com; sean.brogan@microsoft.com; > bret.barkelew@microsoft.com; devel@edk2.groups.io > Cc: Vineel Kovvuri > Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS > implementation >=20 > The current UEFI implementation of HTTPS during its TLS configuration use= s > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the > spec > this flag does is "to disable the match of any wildcards in the host name= ". So, > certificates which are issued with wildcards(*.dm.corp.net etc) in it wil= l fail > the TLS host name matching. On the other hand, > EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for > hostname > validation. Wildcards are supported and they match only in the left-most = label." > this behavior/definition is coming from openssl's X509_check_host() api > https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html >=20 > Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates > issued > with wildcards in them would fail to match while trying to communicate wi= th > HTTPS endpoint. >=20 > BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3691 >=20 > Signed-off-by: Vineel Kovvuri > --- > NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c > b/NetworkPkg/HttpDxe/HttpsSupport.c > index 7e0bf85c3c..0f28ae9447 100644 > --- a/NetworkPkg/HttpDxe/HttpsSupport.c > +++ b/NetworkPkg/HttpDxe/HttpsSupport.c > @@ -625,7 +625,7 @@ TlsConfigureSession ( > // > HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; > HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEE= R; > - HttpInstance->TlsConfigData.VerifyHost.Flags =3D > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > + HttpInstance->TlsConfigData.VerifyHost.Flags =3D > EFI_TLS_VERIFY_FLAG_NONE; > HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance- > >RemoteHost; > HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotSt= arted; >=20 > -- > 2.17.1