From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: jiaxin.wu@intel.com) Received: from mga05.intel.com (mga05.intel.com []) by groups.io with SMTP; Thu, 26 Sep 2019 20:44:49 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Sep 2019 20:44:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,553,1559545200"; d="scan'208";a="204074807" Received: from jiaxinwu-mobl.ccr.corp.intel.com ([10.239.192.205]) by fmsmga001.fm.intel.com with ESMTP; 26 Sep 2019 20:44:48 -0700 From: "Wu, Jiaxin" To: devel@edk2.groups.io Cc: Wu Jiaxin Subject: [PATCH v1 3/4] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553) Date: Fri, 27 Sep 2019 11:44:40 +0800 Message-Id: <20190927034441.3096-4-Jiaxin.wu@intel.com> X-Mailer: git-send-email 2.17.1.windows.2 In-Reply-To: <20190927034441.3096-1-Jiaxin.wu@intel.com> References: <20190927034441.3096-1-Jiaxin.wu@intel.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960 CVE: CVE-2019-14553 The new data type named "EfiTlsVerifyHost" and the EFI_TLS_VERIFY_HOST_FLAG are supported in TLS protocol. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Wu Jiaxin Reviewed-by: Ye Ting Reviewed-by: Long Qin Reviewed-by: Fu Siyuan Acked-by: Laszlo Ersek --- NetworkPkg/TlsDxe/TlsProtocol.c | 44 ++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c index a7a993fc6f..001e5400d0 100644 --- a/NetworkPkg/TlsDxe/TlsProtocol.c +++ b/NetworkPkg/TlsDxe/TlsProtocol.c @@ -1,9 +1,9 @@ /** @file Implementation of EFI TLS Protocol Interfaces. - Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -54,16 +54,20 @@ TlsSetSessionData ( EFI_STATUS Status; TLS_INSTANCE *Instance; UINT16 *CipherId; CONST EFI_TLS_CIPHER *TlsCipherList; UINTN CipherCount; + CONST EFI_TLS_VERIFY_HOST *TlsVerifyHost; + EFI_TLS_VERIFY VerifyMethod; + UINTN VerifyMethodSize; UINTN Index; EFI_TPL OldTpl; - Status = EFI_SUCCESS; - CipherId = NULL; + Status = EFI_SUCCESS; + CipherId = NULL; + VerifyMethodSize = sizeof (EFI_TLS_VERIFY); if (This == NULL || Data == NULL || DataSize == 0) { return EFI_INVALID_PARAMETER; } @@ -146,10 +150,44 @@ TlsSetSessionData ( Status = EFI_INVALID_PARAMETER; goto ON_EXIT; } TlsSetVerify (Instance->TlsConn, *((UINT32 *) Data)); + break; + case EfiTlsVerifyHost: + if (DataSize != sizeof (EFI_TLS_VERIFY_HOST)) { + Status = EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + + TlsVerifyHost = (CONST EFI_TLS_VERIFY_HOST *) Data; + + if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT) != 0 && + (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT) != 0) { + Status = EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + + if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS) != 0 && + ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS) != 0 || + (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) != 0)) { + Status = EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + + Status = This->GetSessionData (This, EfiTlsVerifyMethod, &VerifyMethod, &VerifyMethodSize); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + + if ((VerifyMethod & EFI_TLS_VERIFY_PEER) == 0) { + Status = EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + + Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName); + break; case EfiTlsSessionID: if (DataSize != sizeof (EFI_TLS_SESSION_ID)) { Status = EFI_INVALID_PARAMETER; goto ON_EXIT; -- 2.17.1.windows.2