From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.120])
 by mx.groups.io with SMTP id smtpd.web09.2200.1572068267629720709
 for <devel@edk2.groups.io>;
 Fri, 25 Oct 2019 22:37:47 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Ux0sDPxv;
 spf=pass (domain: redhat.com, ip: 207.211.31.120, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1572068266;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=guEjwIG9ZThKy6eSYUhMjcBito2vEjAgSrM43mDAS2Y=;
	b=Ux0sDPxvOyAUm1HWKxHFxiZ6k3rOE/8DvGogEX1g/96tO/JWtR/6XFwb9LNgeRP566hia9
	uabzT2RnFHGBXHr1eQKesg1SedfT7StjIsl2tMzIDSQhQuvKWVkqNbLgpnPAJD7Q/PVL1N
	Cq3uA7xfHwKByACc43h4MfQzgsgaLOc=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-103-2gXl77ulOC22nX5cfMB3jg-1; Sat, 26 Oct 2019 01:37:40 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BCA5E100550E;
	Sat, 26 Oct 2019 05:37:39 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-26.ams2.redhat.com [10.36.116.26])
	by smtp.corp.redhat.com (Postfix) with ESMTP id D5EDC5D9CA;
	Sat, 26 Oct 2019 05:37:36 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: David Woodhouse <dwmw2@infradead.org>,
	Jian J Wang <jian.j.wang@intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Sivaraman Nainar <sivaramann@amiindia.co.in>,
	Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: [PATCH v2 6/8] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Date: Sat, 26 Oct 2019 07:37:17 +0200
Message-Id: <20191026053719.10453-7-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-1-lersek@redhat.com>
References: <20191026053719.10453-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-MC-Unique: 2gXl77ulOC22nX5cfMB3jg-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.

Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    v2:
    - new patch

 CryptoPkg/Library/TlsLib/TlsConfig.c | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi=
b/TlsConfig.c
index 2bf5aee7c093..307eb57896dc 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -516,22 +516,42 @@ TlsSetVerifyHost (
   IN     UINT32                   Flags,
   IN     CHAR8                    *HostName
   )
 {
-  TLS_CONNECTION  *TlsConn;
+  TLS_CONNECTION    *TlsConn;
+  X509_VERIFY_PARAM *VerifyParam;
+  UINTN             BinaryAddressSize;
+  UINT8             BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
+  INTN              ParamStatus;
=20
   TlsConn =3D (TLS_CONNECTION *) Tls;
   if (TlsConn =3D=3D NULL || TlsConn->Ssl =3D=3D NULL || HostName =3D=3D N=
ULL) {
      return EFI_INVALID_PARAMETER;
   }
=20
   SSL_set_hostflags(TlsConn->Ssl, Flags);
=20
-  if (SSL_set1_host(TlsConn->Ssl, HostName) =3D=3D 0) {
-    return EFI_ABORTED;
+  VerifyParam =3D SSL_get0_param (TlsConn->Ssl);
+  ASSERT (VerifyParam !=3D NULL);
+
+  BinaryAddressSize =3D 0;
+  if (inet_pton (AF_INET6, HostName, BinaryAddress) =3D=3D 1) {
+    BinaryAddressSize =3D NS_IN6ADDRSZ;
+  } else if (inet_pton (AF_INET, HostName, BinaryAddress) =3D=3D 1) {
+    BinaryAddressSize =3D NS_INADDRSZ;
+  }
+
+  if (BinaryAddressSize > 0) {
+    DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
+      "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
+      (UINTN)((BinaryAddressSize =3D=3D NS_IN6ADDRSZ) ? '6' : '4')));
+    ParamStatus =3D X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
+                    BinaryAddressSize);
+  } else {
+    ParamStatus =3D X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0)=
;
   }
=20
-  return EFI_SUCCESS;
+  return (ParamStatus =3D=3D 1) ? EFI_SUCCESS : EFI_ABORTED;
 }
=20
 /**
   Sets a TLS/SSL session ID to be used during TLS/SSL connect.
--=20
2.19.1.3.g30247aa5d201