From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id BC41722551B8F for ; Thu, 22 Mar 2018 09:33:08 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3C16C406804D; Thu, 22 Mar 2018 16:39:40 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 80B7E111CB9E; Thu, 22 Mar 2018 16:39:39 +0000 (UTC) From: Laszlo Ersek To: edk2-devel-01 Cc: Jiaxin Wu , Siyuan Fu Date: Thu, 22 Mar 2018 17:39:32 +0100 Message-Id: <20180322163933.29122-5-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:40 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:40 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [PATCH 4/5] NetworkPkg/HttpDxe: sanity-check the TlsCaCertificate variable before use X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Mar 2018 16:33:09 -0000 In TlsConfigCertificate(), make sure that the set of EFI_SIGNATURE_LIST objects that the platform stored to "TlsCaCertificate" is well-formed. In addition, because HttpInstance->TlsConfiguration->SetData() expects X509 certificates only, ensure that the EFI_SIGNATURE_LIST objects only report X509 certificates, as described under EFI_CERT_X509_GUID in the UEFI-2.7 spec. Cc: Jiaxin Wu Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=909 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- NetworkPkg/HttpDxe/HttpDxe.inf | 3 +- NetworkPkg/HttpDxe/HttpsSupport.c | 65 ++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf index 938e894d9f09..6c0688d1305b 100644 --- a/NetworkPkg/HttpDxe/HttpDxe.inf +++ b/NetworkPkg/HttpDxe/HttpDxe.inf @@ -75,9 +75,10 @@ [Protocols] [Guids] gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate" gEdkiiHttpTlsCipherListGuid ## SOMETIMES_CONSUMES ## Variable:L"HttpTlsCipherList" + gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Check the cert type [Pcd] gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES [UserExtensions.TianoCore."ExtraFiles"] - HttpDxeExtra.uni \ No newline at end of file + HttpDxeExtra.uni diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c index baab77225fdf..d658512f6d9f 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -384,6 +384,7 @@ TlsConfigCertificate ( UINT32 Index; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *Cert; + UINTN CertArraySizeInBytes; UINTN CertCount; UINT32 ItemDataSize; @@ -429,6 +430,70 @@ TlsConfigCertificate ( ASSERT (CACert != NULL); + // + // Sanity check + // + Status = EFI_INVALID_PARAMETER; + CertCount = 0; + ItemDataSize = (UINT32) CACertSize; + while (ItemDataSize > 0) { + if (ItemDataSize < sizeof (EFI_SIGNATURE_LIST)) { + DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST header\n", + __FUNCTION__)); + goto FreeCACert; + } + + CertList = (EFI_SIGNATURE_LIST *) (CACert + (CACertSize - ItemDataSize)); + + if (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) { + DEBUG ((DEBUG_ERROR, + "%a: SignatureListSize too small for EFI_SIGNATURE_LIST\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (CertList->SignatureListSize > ItemDataSize) { + DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST body\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (!CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { + DEBUG ((DEBUG_ERROR, "%a: only X509 certificates are supported\n", + __FUNCTION__)); + Status = EFI_UNSUPPORTED; + goto FreeCACert; + } + + if (CertList->SignatureHeaderSize != 0) { + DEBUG ((DEBUG_ERROR, "%a: SignatureHeaderSize must be 0 for X509\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (CertList->SignatureSize < sizeof (EFI_SIGNATURE_DATA)) { + DEBUG ((DEBUG_ERROR, + "%a: SignatureSize too small for EFI_SIGNATURE_DATA\n", __FUNCTION__)); + goto FreeCACert; + } + + CertArraySizeInBytes = (CertList->SignatureListSize - + sizeof (EFI_SIGNATURE_LIST)); + if (CertArraySizeInBytes % CertList->SignatureSize != 0) { + DEBUG ((DEBUG_ERROR, + "%a: EFI_SIGNATURE_DATA array not a multiple of SignatureSize\n", + __FUNCTION__)); + goto FreeCACert; + } + + CertCount += CertArraySizeInBytes / CertList->SignatureSize; + ItemDataSize -= CertList->SignatureListSize; + } + if (CertCount == 0) { + DEBUG ((DEBUG_ERROR, "%a: no X509 certificates provided\n", __FUNCTION__)); + goto FreeCACert; + } + // // Enumerate all data and erasing the target item. // -- 2.14.1.3.gb7cf6e02401b