From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Liming Gao"
To: "devel@edk2.groups.io", "lersek@redhat.com"
CC: David Woodhouse, "Wang, Jian J", "Wu, Jiaxin", Sivaraman Nainar, "Lu, XiaoyuX"
Subject: Re: [edk2-devel] [PATCH v2 1/8] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553)
Date: Mon, 28 Oct 2019 08:12:01 +0000
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E5327C6@SHSMSX104.ccr.corp.intel.com>
References: <20191026053719.10453-1-lersek@redhat.com> <20191026053719.10453-2-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-2-lersek@redhat.com>

Reviewed-by: Liming Gao

>-----Original Message-----
>From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
>Laszlo Ersek
>Sent: Saturday, October 26, 2019 1:37 PM
>To: edk2-devel-groups-io
>Cc: David Woodhouse ; Wang, Jian J ; Wu, Jiaxin ; Sivaraman
>Nainar ; Lu, XiaoyuX
>Subject: [edk2-devel] [PATCH v2 1/8] MdePkg/Include/Protocol/Tls.h: Add
>the data type of EfiTlsVerifyHost (CVE-2019-14553)
>
>From: "Wu, Jiaxin"
>
>REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
>CVE: CVE-2019-14553
>In the patch, we add the new data type named "EfiTlsVerifyHost" and
>the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP)
>to enable the host name check so as to avoid the potential
>Man-In-The-Middle attack.
> >Signed-off-by: Wu Jiaxin >Reviewed-by: Ye Ting >Reviewed-by: Long Qin >Reviewed-by: Fu Siyuan >Acked-by: Laszlo Ersek >Message-Id: <20190927034441.3096-2-Jiaxin.wu@intel.com> >Cc: David Woodhouse >Cc: Jian J Wang >Cc: Jiaxin Wu >Cc: Sivaraman Nainar >Cc: Xiaoyu Lu >Signed-off-by: Laszlo Ersek >--- > >Notes: > v2: > - fix whitespace in subject line > - drop Contributed-under line per BZ#1373 > > MdePkg/Include/Protocol/Tls.h | 68 ++++++++++++++++---- > 1 file changed, 57 insertions(+), 11 deletions(-) > >diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.= h >index bf1b6727a1e9..af524ae2a60e 100644 >--- a/MdePkg/Include/Protocol/Tls.h >+++ b/MdePkg/Include/Protocol/Tls.h >@@ -40,12 +40,8 @@ typedef struct _EFI_TLS_PROTOCOL >EFI_TLS_PROTOCOL; > /// > /// EFI_TLS_SESSION_DATA_TYPE > /// > typedef enum { >- /// >- /// Session Configuration >- /// >- > /// > /// TLS session Version. The corresponding Data is of type EFI_TLS_VER= SION. > /// > EfiTlsVersion, >@@ -85,13 +81,8 @@ typedef enum { > /// TLS session data session state. > /// The corresponding Data is of type EFI_TLS_SESSION_STATE. > /// > EfiTlsSessionState, >- >- /// >- /// Session information >- /// >- > /// > /// TLS session data client random. > /// The corresponding Data is of type EFI_TLS_RANDOM. > /// >@@ -105,11 +96,17 @@ typedef enum { > /// TLS session data key material. > /// The corresponding Data is of type EFI_TLS_MASTER_SECRET. > /// > EfiTlsKeyMaterial, >+ /// >+ /// TLS session hostname for validation which is used to verify whethe= r the >name >+ /// within the peer certificate matches a given host name. >+ /// This parameter is invalid when EfiTlsVerifyMethod is >EFI_TLS_VERIFY_NONE. >+ /// The corresponding Data is of type EFI_TLS_VERIFY_HOST. >+ /// >+ EfiTlsVerifyHost, > > EfiTlsSessionDataTypeMaximum >- > } EFI_TLS_SESSION_DATA_TYPE; > > /// > /// EFI_TLS_VERSION 
>@@ -177,17 +174,66 @@ typedef UINT32 EFI_TLS_VERIFY; > /// the reason for the certificate verification failure. > /// > #define EFI_TLS_VERIFY_PEER 0x1 > /// >-/// TLS session will fail peer certificate is absent. >+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server >mode. >+/// TLS session will fail if client certificate is absent. > /// > #define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2 > /// > /// TLS session only verify client once, and doesn't request certificate= during > /// re-negotiation. > /// > #define EFI_TLS_VERIFY_CLIENT_ONCE 0x4 > >+/// >+/// EFI_TLS_VERIFY_HOST_FLAG >+/// >+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG; >+/// >+/// There is no additional flags set for hostname validation. >+/// Wildcards are supported and they match only in the left-most label. >+/// >+#define EFI_TLS_VERIFY_FLAG_NONE 0x00 >+/// >+/// Always check the Subject Distinguished Name (DN) in the peer certifi= cate >even if the >+/// certificate contains Subject Alternative Name (SAN). >+/// >+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01 >+/// >+/// Disable the match of all wildcards. >+/// >+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02 >+/// >+/// Disable the "*" as wildcard in labels that have a prefix or suffix (= e.g. >"www*" or "*www"). >+/// >+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04 >+/// >+/// Allow the "*" to match more than one labels. Otherwise, only matches= a >single label. >+/// >+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08 >+/// >+/// Restrict to only match direct child sub-domains which start with "."= . >+/// For example, a name of ".example.com" would match >"www.example.com" with this flag, >+/// but would not match "www.sub.example.com". >+/// >+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 >+/// >+/// Never check the Subject Distinguished Name (DN) even there is no >+/// Subject Alternative Name (SAN) in the certificate. 
>+/// >+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20 >+ >+/// >+/// EFI_TLS_VERIFY_HOST >+/// >+#pragma pack (1) >+typedef struct { >+ EFI_TLS_VERIFY_HOST_FLAG Flags; >+ CHAR8 *HostName; >+} EFI_TLS_VERIFY_HOST; >+#pragma pack () >+ > /// > /// EFI_TLS_RANDOM > /// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1. > /// Hello Messages". >-- >2.19.1.3.g30247aa5d201 > > > >
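Review bot: the removal of the `/// Session Configuration ///` grouping comment in the first hunk (@@ -40,12 +40,8) and of `/// Session information ///` in the second (@@ -85,13 +81,8) is unrelated to the CVE fix and is not mentioned in the commit message; either say in the message why these comments go, or move them into a separate cleanup patch so the security fix stays minimal and easy to cherry-pick on its own.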
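Review bot: in the @@ -105,11 +96,17 hunk the comment on `EfiTlsVerifyHost` says the parameter "is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE" but not what a caller should then expect (whether SetSessionData fails or the host name is silently ignored); spell out the required behaviour so that a consumer that sets a host name while verification is disabled cannot believe the peer is being checked. Appending the new value directly before `EfiTlsSessionDataTypeMaximum` keeps every existing enum value unchanged, which is the right choice for binary compatibility with existing consumers of the protocol.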
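Review bot: in the @@ -177,17 +174,66 hunk `EFI_TLS_VERIFY_HOST` is wrapped in `#pragma pack (1)` yet holds a `CHAR8 *HostName` pointer right after a 32-bit `Flags`, so on 64-bit targets the pointer sits at offset 4 and is misaligned; this structure is handed between components in memory rather than serialised onto the wire, so either drop the packing or document why it is needed. The comment should also state who owns `HostName` and for how long (whether SetSessionData copies the string or the caller must keep it alive for the session), because a dangling pointer here would quietly turn the host check into a comparison against garbage. Minor wording in the new comments: "Allow the "*" to match more than one labels" should read "more than one label", "even there is no" should read "even if there is no", and "TLS session will fail if client certificate is absent" should read "if the client certificate is absent".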
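The patch only declares the `EFI_TLS_VERIFY_FLAG_*` bits; the matching rules they describe (wildcard only in the left-most label, partial wildcards such as "www*", multi-label wildcards, and the leading-dot ".example.com" form) are easiest to reason about in code. The matcher below is an added example written for this review, not code from the patch, from EDK2 or from the UEFI specification; it re-declares the flag values from the hunk above and implements the documented semantics as a stand-alone function. Two behaviours are assumptions of this example rather than statements from the page: a leading-dot pattern matches a sub-domain of any depth unless `EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS` is set, and a wildcard pattern must keep at least two literal labels after the wildcard so that "*.com" never matches. The `ALWAYS_CHECK_SUBJECT` and `NEVER_CHECK_SUBJECT` flags select which certificate fields are consulted rather than how a name is compared, so they are not exercised here.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag values copied from the EFI_TLS_VERIFY_HOST_FLAG definitions in the patch. */
#define EFI_TLS_VERIFY_FLAG_NONE                    0x00
#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT    0x01
#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS            0x02
#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS    0x04
#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS   0x08
#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT     0x20

/* Case-insensitive equality of two byte ranges (DNS names are case-insensitive). */
static int eq_ci(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Number of '.'-separated labels in a name. */
static int label_count(const char *s)
{
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/*
 * Match one certificate name (pattern) against the expected host name under
 * the given flags. Returns 1 on match, 0 otherwise; anything odd is rejected
 * rather than guessed, since a false match here is exactly the MITM the
 * EfiTlsVerifyHost check exists to prevent. Example code, not EDK2's matcher.
 */
int tls_host_match(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0 || host[0] == '.' || strchr(host, '*')) return 0;

    /* Leading-dot pattern: ".example.com" matches sub-domains of example.com. */
    if (pattern[0] == '.') {
        if (hlen <= plen || !eq_ci(host + hlen - plen, plen, pattern, plen)) return 0;
        /* Assumption: without SINGLE_LABEL_SUBDOMAINS any depth of sub-domain matches. */
        if (flags & EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS)
            return memchr(host, '.', hlen - plen) == NULL;
        return 1;
    }

    const char *star = strchr(pattern, '*');
    if (star == NULL || (flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS))
        return eq_ci(pattern, plen, host, hlen);   /* literal comparison only */

    /* Wildcard rules: exactly one '*' and only in the left-most label; the pattern
       must keep at least two literal labels after it (assumption) so "*.com" fails. */
    const char *pdot = strchr(pattern, '.');
    if (pdot == NULL || star > pdot || strchr(star + 1, '*') || label_count(pdot + 1) < 2)
        return 0;
    size_t prefix_len = (size_t)(star - pattern);      /* literal text before '*' */
    size_t suffix_len = (size_t)(pdot - star - 1);     /* literal text after '*' in the label */
    if ((prefix_len || suffix_len) && (flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS))
        return 0;

    /* The host must end with the pattern's literal labels, e.g. ".example.com". */
    size_t tail_len = plen - (size_t)(pdot - pattern);
    if (hlen <= tail_len || !eq_ci(host + hlen - tail_len, tail_len, pdot, tail_len)) return 0;

    /* Whatever is left of the host is what the wildcard label has to cover. */
    size_t hl_len = hlen - tail_len;
    if (hl_len < prefix_len + suffix_len) return 0;
    if (!eq_ci(host, prefix_len, pattern, prefix_len)) return 0;
    if (!eq_ci(host + hl_len - suffix_len, suffix_len, star + 1, suffix_len)) return 0;
    size_t star_len = hl_len - prefix_len - suffix_len;
    if (star_len == 0) return 0;                        /* '*' must consume something */
    if (!(flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) &&
        memchr(host + prefix_len, '.', star_len) != NULL)
        return 0;                                       /* '*' may not cross a label */
    return 1;
}

int main(void)
{
    /* Constructed sample names; a peer that presents "*.example.com" must not be
       accepted for "a.b.example.com" unless multi-label wildcards are allowed. */
    printf("%d\n", tls_host_match("*.example.com", "www.example.com", EFI_TLS_VERIFY_FLAG_NONE));
    printf("%d\n", tls_host_match("*.example.com", "a.b.example.com", EFI_TLS_VERIFY_FLAG_NONE));
    printf("%d\n", tls_host_match("*.example.com", "a.b.example.com",
                                  EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS));
    return 0;
}
```

The defaults are the restrictive ones: a caller that passes `EFI_TLS_VERIFY_FLAG_NONE` gets single-label wildcards only, and every loosening (multi-label, any-depth leading-dot matches) must be opted into by a flag, which is the safe direction for a consumer such as HTTP boot that is deciding whether to trust a server it has never seen.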