From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: David Woodhouse, Jian J Wang, Jiaxin Wu, Sivaraman Nainar, Xiaoyu Lu
Subject: [PATCH v2 6/8] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Date: Sat, 26 Oct 2019 07:37:17 +0200
Message-Id: <20191026053719.10453-7-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-1-lersek@redhat.com>
References: <20191026053719.10453-1-lersek@redhat.com>

Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.

Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the
OpenSSL version that is currently consumed by edk2, said function depends
on sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.

Cc: David Woodhouse
Cc: Jian J Wang
Cc: Jiaxin Wu
Cc: Sivaraman Nainar
Cc: Xiaoyu Lu
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse
Signed-off-by: Laszlo Ersek
---

Notes:
    v2:
    - new patch

 CryptoPkg/Library/TlsLib/TlsConfig.c | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 2bf5aee7c093..307eb57896dc 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -516,22 +516,42 @@ TlsSetVerifyHost ( IN UINT32 Flags, IN CHAR8 *HostName ) { - TLS_CONNECTION *TlsConn; + TLS_CONNECTION *TlsConn; + X509_VERIFY_PARAM *VerifyParam; + UINTN BinaryAddressSize; + UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)]; + INTN ParamStatus; =20 TlsConn =3D (TLS_CONNECTION *) Tls; if (TlsConn =3D=3D NULL || TlsConn->Ssl =3D=3D NULL || HostName =3D=3D N= ULL) { return EFI_INVALID_PARAMETER; } =20 SSL_set_hostflags(TlsConn->Ssl, Flags); =20 - if (SSL_set1_host(TlsConn->Ssl, HostName) =3D=3D 0) { - return EFI_ABORTED; + VerifyParam =3D SSL_get0_param (TlsConn->Ssl); + ASSERT (VerifyParam !=3D NULL); + + BinaryAddressSize =3D 0; + if (inet_pton (AF_INET6, HostName, BinaryAddress) =3D=3D 1) { + BinaryAddressSize =3D NS_IN6ADDRSZ; + } else if (inet_pton (AF_INET, HostName, BinaryAddress) =3D=3D 1) { + BinaryAddressSize =3D NS_INADDRSZ; + } + + if (BinaryAddressSize > 0) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address " + "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName, + (UINTN)((BinaryAddressSize =3D=3D NS_IN6ADDRSZ) ? '6' : '4'))); + ParamStatus =3D X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress, + BinaryAddressSize); + } else { + ParamStatus =3D X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0)= ; } =20 - return EFI_SUCCESS; + return (ParamStatus =3D=3D 1) ? EFI_SUCCESS : EFI_ABORTED; } =20 /** Sets a TLS/SSL session ID to be used during TLS/SSL connect. --=20 2.19.1.3.g30247aa5d201
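Review bot: The `HostName == NULL` guard still lets an empty string through to `X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0)`; with namelen 0 OpenSSL substitutes strlen(), which is again 0, and as far as I can tell from int_x509_param_set_hosts() a zero-length name clears the host list and returns 1, so the function reports EFI_SUCCESS while no peer-name matching is configured at all. The old SSL_set1_host() path behaved the same way, so this is not a regression, but since the function now distinguishes success from failure via ParamStatus, rejecting `*HostName == '\0'` with EFI_INVALID_PARAMETER next to the NULL check would close that gap. Smaller point, same hunk: inet_pton() does not accept the bracketed `[2001:db8::1]` form an IPv6 literal takes inside a URI (the RFC 2818 case the commit message quotes), so such a string would silently fall through to the X509_VERIFY_PARAM_set1_host() branch; either strip the brackets here or state in the function's comment that the caller must pass the literal without them.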
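As an added example, not part of this patch or of edk2: a stand-alone C version of the classification the commit message describes (try the string as an IPv6 literal, then as an IPv4 literal, otherwise hand it over as a DNS name), using the C library's inet_pton() in place of the one edk2 imports. It goes beyond the patch in two places, both assumptions of this example rather than anything in the hunk: it strips the brackets a URI puts around an IPv6 literal, and it refuses an empty name instead of passing it on. The names ClassifyHost, HostKind and CheckHost are invented here.

```c
/* Added example, not the edk2 patch's own code: classify a TLS peer name so
 * that an IP address literal is handed to certificate verification as a
 * binary address (iPAddress SAN match) rather than as a DNS name. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
  HOST_INVALID,   /* NULL or empty: refuse rather than silently skip matching */
  HOST_IPV4,      /* binary address is 4 bytes  (X509_VERIFY_PARAM_set1_ip)  */
  HOST_IPV6,      /* binary address is 16 bytes (X509_VERIFY_PARAM_set1_ip)  */
  HOST_DNSNAME    /* not a literal: match dNSName (X509_VERIFY_PARAM_set1_host) */
} HostKind;

/* Largest binary address the buffer must hold, like the patch's
 * BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)]. */
#define MAX_BINARY_ADDRESS sizeof(struct in6_addr)

/* Returns the classification; for HOST_IPV4 / HOST_IPV6 *BinarySize is the
 * number of bytes written to Binary (4 or 16), otherwise it is 0. */
HostKind ClassifyHost(const char *HostName,
                      unsigned char Binary[MAX_BINARY_ADDRESS],
                      size_t *BinarySize)
{
  char   Stripped[INET6_ADDRSTRLEN + 1];
  size_t Len;

  *BinarySize = 0;
  if (HostName == NULL || HostName[0] == '\0') {
    /* Assumption of this example: an empty name given to
     * X509_VERIFY_PARAM_set1_host() would clear the host list and report
     * success, i.e. no name check at all, so it is treated as an error. */
    return HOST_INVALID;
  }

  /* Assumption of this example: URIs carry IPv6 literals in brackets
   * ("[2001:db8::1]"), which inet_pton() rejects, so strip a matching pair. */
  Len = strlen(HostName);
  if (HostName[0] == '[' && Len >= 2 && HostName[Len - 1] == ']' &&
      Len - 2 < sizeof(Stripped)) {
    memcpy(Stripped, HostName + 1, Len - 2);
    Stripped[Len - 2] = '\0';
    if (Stripped[0] == '\0') {
      return HOST_INVALID;          /* "[]" is not a usable name either */
    }
    HostName = Stripped;
  }

  /* Same order as the patch: IPv6 first, then IPv4. A string that parses as
   * neither (including a malformed literal such as "999.1.1.1") is a DNS
   * name and goes to the set1_host path. */
  if (inet_pton(AF_INET6, HostName, Binary) == 1) {
    *BinarySize = sizeof(struct in6_addr);
    return HOST_IPV6;
  }
  if (inet_pton(AF_INET, HostName, Binary) == 1) {
    *BinarySize = sizeof(struct in_addr);
    return HOST_IPV4;
  }
  return HOST_DNSNAME;
}

/* Test helper: 1 if Name classifies as Expected with ExpectedSize address
 * bytes and (when ExpectedFirstByte >= 0) that first binary byte, else 0. */
int CheckHost(const char *Name, HostKind Expected, size_t ExpectedSize,
              int ExpectedFirstByte)
{
  unsigned char Binary[MAX_BINARY_ADDRESS];
  size_t        Size;
  HostKind      Kind;

  memset(Binary, 0xff, sizeof(Binary));
  Kind = ClassifyHost(Name, Binary, &Size);
  if (Kind != Expected || Size != ExpectedSize) {
    return 0;
  }
  return ExpectedFirstByte < 0 || Binary[0] == (unsigned char)ExpectedFirstByte;
}

int main(void)
{
  /* Constructed sample inputs. */
  const char *Samples[] = { "192.0.2.10", "2001:db8::1", "[2001:db8::1]",
                            "example.com", "999.1.1.1", "" };
  size_t i;

  for (i = 0; i < sizeof(Samples) / sizeof(Samples[0]); i++) {
    unsigned char Binary[MAX_BINARY_ADDRESS];
    size_t        Size;
    HostKind      Kind = ClassifyHost(Samples[i], Binary, &Size);
    printf("%-16s -> kind %d, %zu address bytes\n", Samples[i], (int)Kind, Size);
  }
  return 0;
}
```

The IPv6-before-IPv4 order mirrors the hunk; it matters only for buffer sizing, since no string parses as both. Note that an IPv4-mapped string such as "::ffff:192.0.2.1" is an IPv6 literal to inet_pton() and yields a 16-byte address, which is what the iPAddress comparison must then match.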