From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>, Siyuan Fu <siyuan.fu@intel.com>
Subject: [PATCH 4/5] NetworkPkg/HttpDxe: sanity-check the TlsCaCertificate variable before use
Date: Thu, 22 Mar 2018 17:39:32 +0100 [thread overview]
Message-ID: <20180322163933.29122-5-lersek@redhat.com> (raw)
In-Reply-To: <20180322163933.29122-1-lersek@redhat.com>
In TlsConfigCertificate(), make sure that the set of EFI_SIGNATURE_LIST
objects that the platform stored to "TlsCaCertificate" is well-formed.
In addition, because HttpInstance->TlsConfiguration->SetData() expects
X509 certificates only, ensure that the EFI_SIGNATURE_LIST objects only
report X509 certificates, as described under EFI_CERT_X509_GUID in the
UEFI-2.7 spec.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=909
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
NetworkPkg/HttpDxe/HttpDxe.inf | 3 +-
NetworkPkg/HttpDxe/HttpsSupport.c | 65 ++++++++++++++++++++
2 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 938e894d9f09..6c0688d1305b 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -75,9 +75,10 @@ [Protocols]
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
gEdkiiHttpTlsCipherListGuid ## SOMETIMES_CONSUMES ## Variable:L"HttpTlsCipherList"
+ gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Check the cert type
[Pcd]
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES
[UserExtensions.TianoCore."ExtraFiles"]
- HttpDxeExtra.uni
\ No newline at end of file
+ HttpDxeExtra.uni
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index baab77225fdf..d658512f6d9f 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -384,6 +384,7 @@ TlsConfigCertificate (
UINT32 Index;
EFI_SIGNATURE_LIST *CertList;
EFI_SIGNATURE_DATA *Cert;
+ UINTN CertArraySizeInBytes;
UINTN CertCount;
UINT32 ItemDataSize;
@@ -429,6 +430,70 @@ TlsConfigCertificate (
ASSERT (CACert != NULL);
+ //
+ // Sanity check
+ //
+ Status = EFI_INVALID_PARAMETER;
+ CertCount = 0;
+ ItemDataSize = (UINT32) CACertSize;
+ while (ItemDataSize > 0) {
+ if (ItemDataSize < sizeof (EFI_SIGNATURE_LIST)) {
+ DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST header\n",
+ __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ CertList = (EFI_SIGNATURE_LIST *) (CACert + (CACertSize - ItemDataSize));
+
+ if (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) {
+ DEBUG ((DEBUG_ERROR,
+ "%a: SignatureListSize too small for EFI_SIGNATURE_LIST\n",
+ __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ if (CertList->SignatureListSize > ItemDataSize) {
+ DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST body\n",
+ __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ if (!CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
+ DEBUG ((DEBUG_ERROR, "%a: only X509 certificates are supported\n",
+ __FUNCTION__));
+ Status = EFI_UNSUPPORTED;
+ goto FreeCACert;
+ }
+
+ if (CertList->SignatureHeaderSize != 0) {
+ DEBUG ((DEBUG_ERROR, "%a: SignatureHeaderSize must be 0 for X509\n",
+ __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ if (CertList->SignatureSize < sizeof (EFI_SIGNATURE_DATA)) {
+ DEBUG ((DEBUG_ERROR,
+ "%a: SignatureSize too small for EFI_SIGNATURE_DATA\n", __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ CertArraySizeInBytes = (CertList->SignatureListSize -
+ sizeof (EFI_SIGNATURE_LIST));
+ if (CertArraySizeInBytes % CertList->SignatureSize != 0) {
+ DEBUG ((DEBUG_ERROR,
+ "%a: EFI_SIGNATURE_DATA array not a multiple of SignatureSize\n",
+ __FUNCTION__));
+ goto FreeCACert;
+ }
+
+ CertCount += CertArraySizeInBytes / CertList->SignatureSize;
+ ItemDataSize -= CertList->SignatureListSize;
+ }
+ if (CertCount == 0) {
+ DEBUG ((DEBUG_ERROR, "%a: no X509 certificates provided\n", __FUNCTION__));
+ goto FreeCACert;
+ }
+
//
// Enumerate all data and erasing the target item.
//
--
2.14.1.3.gb7cf6e02401b
next prev parent reply other threads:[~2018-03-22 16:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-22 16:39 [PATCH 0/5] NetworkPkg: HTTP and TLS updates Laszlo Ersek
2018-03-22 16:39 ` [PATCH 1/5] NetworkPkg/HttpBootDxe: fix typo in DHCPv4 packet parsing Laszlo Ersek
2018-03-22 16:39 ` [PATCH 2/5] NetworkPkg/HttpDxe: use error handler epilogue in TlsConfigCertificate() Laszlo Ersek
2018-03-22 16:39 ` [PATCH 3/5] NetworkPkg/HttpDxe: drop misleading comment / status code in cert config Laszlo Ersek
2018-03-22 16:39 ` Laszlo Ersek [this message]
2018-03-22 16:39 ` [PATCH 5/5] NetworkPkg/TlsAuthConfigDxe: preserve TlsCaCertificate variable attributes Laszlo Ersek
2018-03-27 9:32 ` [PATCH 0/5] NetworkPkg: HTTP and TLS updates Laszlo Ersek
2018-03-28 4:32 ` Fu, Siyuan
2018-03-28 5:35 ` Wu, Jiaxin
2018-03-28 11:18 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180322163933.29122-5-lersek@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox