Subject: Re: [edk2-devel] [PATCH v2 2/8] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
To: devel@edk2.groups.io, lersek@redhat.com
Cc: David Woodhouse, Jian J Wang, Jiaxin Wu, Sivaraman Nainar, Xiaoyu Lu
From: Philippe Mathieu-Daudé
Date: Sat, 26 Oct 2019 13:51:50 +0200

On 10/26/19 7:37 AM, Laszlo Ersek wrote: > From: "Wu, Jiaxin" > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960 > CVE: CVE-2019-14553 > In the patch, we add the new API "TlsSetVerifyHost" for the TLS > protocol to set the specified host name that need to be verified. > > Signed-off-by: Wu Jiaxin > Reviewed-by: Ye Ting > Reviewed-by: Long Qin > Reviewed-by: Fu Siyuan > Acked-by: Laszlo Ersek > Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com> > Cc: David Woodhouse > Cc: Jian J Wang > Cc: Jiaxin Wu > Cc: Sivaraman Nainar > Cc: Xiaoyu Lu > Signed-off-by: Laszlo Ersek > --- > > Notes: > v2: > - fix whitespace in subject line > - drop Contributed-under line per BZ#1373 > > CryptoPkg/Include/Library/TlsLib.h | 20 +++++++++++ > CryptoPkg/Library/TlsLib/TlsConfig.c | 38 +++++++++++++++++++- > 2 files changed, 57 insertions(+), 1 deletion(-) > > diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h > index 9875cb6e746b..3af7d4bc095e 100644 > --- a/CryptoPkg/Include/Library/TlsLib.h 
> +++ b/CryptoPkg/Include/Library/TlsLib.h > @@ -395,8 +395,28 @@ TlsSetVerify ( > IN VOID *Tls, > IN UINT32 VerifyMode > ); > > +/** > + Set the specified host name to be verified. > + > + @param[in] Tls Pointer to the TLS object. > + @param[in] Flags The setting flags during the validation. > + @param[in] HostName The specified host name to be verified. > + > + @retval EFI_SUCCESS The HostName setting was set successfully. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval EFI_ABORTED Invalid HostName setting. > + > +**/ > +EFI_STATUS > +EFIAPI > +TlsSetVerifyHost ( > + IN VOID *Tls, > + IN UINT32 Flags, > + IN CHAR8 *HostName > + ); > + > /** > Sets a TLS/SSL session ID to be used during TLS/SSL connect. > > This function sets a session ID to be used when the TLS/SSL connection is > diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c > index 74b577d60ee3..2bf5aee7c093 100644 > --- a/CryptoPkg/Library/TlsLib/TlsConfig.c > +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c > @@ -1,8 +1,8 @@ > /** @file > SSL/TLS Configuration Library Wrapper Implementation over OpenSSL. > > -Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > @@ -496,8 +496,44 @@ TlsSetVerify ( > // > SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL); > } > > +/** > + Set the specified host name to be verified. > + > + @param[in] Tls Pointer to the TLS object. > + @param[in] Flags The setting flags during the validation. > + @param[in] HostName The specified host name to be verified. > + > + @retval EFI_SUCCESS The HostName setting was set successfully. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval EFI_ABORTED Invalid HostName setting. > + > +**/ > +EFI_STATUS > +EFIAPI > +TlsSetVerifyHost ( > + IN VOID *Tls, > + IN UINT32 Flags, > + IN CHAR8 *HostName > + ) > +{ > + TLS_CONNECTION *TlsConn; > + > + TlsConn = (TLS_CONNECTION *) Tls; > + if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) { Nitpicking, I'd check HostName first. Reviewed-by: Philippe Mathieu-Daude > + return EFI_INVALID_PARAMETER; > + } > + > + SSL_set_hostflags(TlsConn->Ssl, Flags); > + > + if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) { > + return EFI_ABORTED; > + } > + > + return EFI_SUCCESS; > +} > + > /** > Sets a TLS/SSL session ID to be used during TLS/SSL connect. > > This function sets a session ID to be used when the TLS/SSL connection is >
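Review bot: In the CryptoPkg/Include/Library/TlsLib.h hunk, the description of the Flags parameter of TlsSetVerifyHost ("The setting flags during the validation.") does not tell a caller which values are accepted. TlsConfig.c passes Flags unchanged to SSL_set_hostflags, so the header comment should name the flag set it expects (the OpenSSL X509_CHECK_FLAG_* values) or the library should define its own constants for them. HostName is only read by the implementation, so declaring it as IN CONST CHAR8 *HostName would let callers pass constant strings without a cast.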
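Review bot: In the TlsSetVerifyHost body added to CryptoPkg/Library/TlsLib/TlsConfig.c, the parameter check rejects HostName == NULL but not an empty string. OpenSSL documents that SSL_set1_host with an empty name clears the expected host list and still reports success, so a call with HostName set to "" would return EFI_SUCCESS with no name check in effect; consider returning EFI_INVALID_PARAMETER when HostName[0] == '\0' as well. As a style point, SSL_set_hostflags(...) and SSL_set1_host(...) omit the space before the opening parenthesis that the neighbouring SSL_set_verify (...) call uses.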