From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web09.7193.1572316671131282627 for ; Mon, 28 Oct 2019 19:37:51 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: jiaxin.wu@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Oct 2019 19:37:50 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,242,1569308400"; d="scan'208";a="202701813" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by orsmga003.jf.intel.com with ESMTP; 28 Oct 2019 19:37:50 -0700 Received: from fmsmsx608.amr.corp.intel.com (10.18.126.88) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 28 Oct 2019 19:37:49 -0700 Received: from fmsmsx608.amr.corp.intel.com (10.18.126.88) by fmsmsx608.amr.corp.intel.com (10.18.126.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 28 Oct 2019 19:37:49 -0700 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx608.amr.corp.intel.com (10.18.126.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Mon, 28 Oct 2019 19:37:49 -0700 Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.63]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.213]) with mapi id 14.03.0439.000; Tue, 29 Oct 2019 10:37:47 +0800 From: "Wu, Jiaxin" To: "devel@edk2.groups.io" , "lersek@redhat.com" CC: David Woodhouse , "Wang, Jian J" , Sivaraman Nainar , "Lu, XiaoyuX" Subject: Re: [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Thread-Topic: [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Thread-Index: AQHVi793xqYrGHcmSU6BSt6NNGpDHKdw6vfA Date: Tue, 29 Oct 2019 02:37:46 +0000 Message-ID: <895558F6EA4E3B41AC93A00D163B727416F915C1@SHSMSX107.ccr.corp.intel.com> References: <20191026053719.10453-1-lersek@redhat.com> In-Reply-To: <20191026053719.10453-1-lersek@redhat.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiN2E2NzE5ZGEtMThhZi00MTU5LTkyZWUtMTdlZjkxMjNiODdiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiV2VKN2daeTB4MDFTT0xSNXhYSFkyM3pUVG1WMXY2b3BXXC9BdnBhaXVOSUtiWEUzRmhtZnZib05kK2dsekhBU0wifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiaxin.wu@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Test matrix - that's a great summary! The result is also good to me. Thanks Laszlo's patches to fix the gap. Series Reviewed-by: Jiaxin Wu > -----Original Message----- > From: devel@edk2.groups.io On Behalf Of Laszlo > Ersek > Sent: Saturday, October 26, 2019 1:37 PM > To: edk2-devel-groups-io > Cc: David Woodhouse ; Wang, Jian J > ; Wu, Jiaxin ; Sivaraman > Nainar ; Lu, XiaoyuX > Subject: [edk2-devel] [PATCH v2 0/8] support server identity validation = in > HTTPS Boot (CVE-2019-14553) >=20 > Repo: https://github.com/lersek/edk2.git > Branch: bz960_with_inet_pton_v2 > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D960 >=20 > Previous posting from Jiaxin: >=20 > [edk2-devel] [PATCH v1 0/4] > Support HTTPS HostName validation feature(CVE-2019-14553) >=20 > https://edk2.groups.io/g/devel/message/48183 > http://mid.mail-archive.com/20190927034441.3096-1-Jiaxin.wu@intel.com >=20 > In v2, I have inserted 4 new patches in the middle, to satisfy two > additional requirements raised by Siva and David: >=20 > - If the Subject Alternative Name in the server certificate contains an > IP address in binary representation, and the URL specifies an IP > address in literal form for "hostname", then both of those things > should be compared against each other, after converting the literal > from the URL to binary representation. In other words, a server > certificate with an IP address SAN should be recognized. >=20 > - If the URL specifies an IP address literal, then, according to > RFC-2818, "the iPAddress subjectAltName must be present in the > certificate and must exactly match the IP in the URI". In other words, > if a certificate matches the IP address literal from the URL via > Common Name only, then the certificate must be rejected. >=20 > I've also fixed two commit message warts in Jiaxin's patches (see the > Notes sections on the patches). >=20 > I've tested the series painstakingly. Here's the script I wrote for > certificate generation: >=20 > > ## @file > > # Bash shell script for generating test certificates, for > > # . > > # > > # Copyright (C) 2019, Red Hat, Inc. > > # > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > # > > # Customize te variables in section "Configuration", then run the scri= pt with > > # "bash gencerts.sh". > > # > > # The script creates 17 files in the current working directory: > > # - one CA certificate (note: key is discarded); > > # > > # - for the (IPv4 domain name, IPv4 address) pair, one keypair (that i= s, a > > # CA-issued certificate, plus the private key) for each case below: > > # - Common Name =3D IPv4 domain name, no subjectAltName, > > # - Common Name =3D IPv4 domain name, IPv4 address in > subjectAltName, > > # - Common Name =3D IPv4 address literal, no subjectAltName, > > # - Common Name =3D IPv4 address literal, IPv4 address in subjectAlt= Name; > > # > > # - for the (IPv6 domain name, IPv6 address) pair, a similar set of fi= les. > > # > > # Finally, the script prints some commands for the root user that are > related > > # to the following OVMF feature: OVMF can HTTPS boot while trusting th= e > same > > # set of CA certificates that the virt host trusts. The commands insta= ll the > > # new CA certificate on the host (note: this should never be done in > > # production, in spite of the CA key being discarded), and also extrac= t all CA > > # certs in the format that OVMF expects. (This edk2-specific extractio= n is > > # normally performed by the "update-ca-trust" command, but if yours is= n't > > # up-to-date enough for that, build and install p11-kit from source, a= nd set > > # MY_P11_KIT_PREFIX, before invoking this script.) See > "OvmfPkg/README" for > > # passing the extracted CA certs to OVMF on the QEMU cmdline. > > ## > > set -e -u -C > > > > # Configuration. > > CA_NAME=3DTianoCore_BZ_960_CA > > IPV4_NAME=3Dipv4-server > > IPV4_ADDR=3D192.168.124.2 > > IPV6_NAME=3Dipv6-server > > IPV6_ADDR=3Dfd33:eb1b:9b36::2 > > > > # Create a temporary directory for transient files. > > TMP_D=3D$(mktemp -d) > > trap 'rm -f -r -- "$TMP_D"' EXIT > > > > # Set some helper variables. > > TMP_EXT=3D$TMP_D/ext # OpenSSL extensions > > TMP_CSR=3D$TMP_D/csr # certificate request > > TMP_CA_KEY=3D$TMP_D/ca.key # CA key > > TMP_CA_SRL=3D$TMP_D/ca.srl # CA serial number > > > > # Generate the CA certificate. > > openssl req -x509 -nodes \ > > -subj /CN=3D"$CA_NAME" \ > > -out "$CA_NAME".crt \ > > -keyout "$TMP_CA_KEY" > > > > # Create a CA-issued certificate. > > # Parameters: > > # $1: Common Name > > # $2: IPv4 or IPv6 address literal, to be used in SAN; or empty string > > gencrt() > > { > > local CN=3D"$1" > > local SANIP=3D"$2" > > local STEM > > local EXT > > > > if test -z "$SANIP"; then > > # File name stem consists of Common Name only. No certificate > extensions. > > STEM=3Dsvr_$CN > > EXT=3D > > else > > # File name stem includes Common Name and IP address literal. > > STEM=3Dsvr_${CN}_${SANIP} > > > > # SAN IP extension in the certificate. Rewrite the ad-hoc extensio= ns file > > # with the current SAN IP. > > echo "subjectAltName=3DIP:$SANIP" >| "$TMP_EXT" > > EXT=3D"-extfile $TMP_EXT" > > fi > > STEM=3D${STEM//[:.]/_} > > > > # Generate CSR. > > openssl req -new -nodes \ > > -subj /CN=3D"$CN" \ > > -out "$TMP_CSR" \ > > -keyout "$STEM".key > > > > # Sign the certificate request, potentially adding the SAN IP. > > openssl x509 -req -CAcreateserial $EXT \ > > -in "$TMP_CSR" \ > > -out "$STEM".crt \ > > -CA "$CA_NAME".crt \ > > -CAkey "$TMP_CA_KEY" \ > > -CAserial "$TMP_CA_SRL" > > } > > > > # Generate all certificates. > > gencrt "$IPV4_NAME" "" # domain name in CN, no SAN IPv4 > > gencrt "$IPV4_NAME" "$IPV4_ADDR" # domain name in CN, SAN IPv4 > > gencrt "$IPV4_ADDR" "" # IPv4 literal in CN, no SAN IPv4 > > gencrt "$IPV4_ADDR" "$IPV4_ADDR" # IPv4 literal in CN, SAN IPv4 > > gencrt "$IPV6_NAME" "" # domain name in CN, no SAN IPv6 > > gencrt "$IPV6_NAME" "$IPV6_ADDR" # domain name in CN, SAN IPv6 > > gencrt "$IPV6_ADDR" "" # IPv6 literal in CN, no SAN IPv6 > > gencrt "$IPV6_ADDR" "$IPV6_ADDR" # IPv6 literal in CN, SAN IPv6 > > > > # Print commands for the root user: > > # - for making the CA a trusted CA > > echo > > echo install -o root -g root -m 644 -t /etc/pki/ca-trust/source/anchor= s \ > > "$PWD/$CA_NAME".crt > > echo restorecon -Fvv /etc/pki/ca-trust/source/anchors/"$CA_NAME".crt > > echo update-ca-trust extract > > > > # - and for extracting the CA certificates for OVMF. > > if test -v MY_P11_KIT_PREFIX; then > > echo mkdir -p -v /etc/pki/ca-trust/extracted/edk2 > > echo chmod -c --reference=3D/etc/pki/ca-trust/extracted/java \ > > /etc/pki/ca-trust/extracted/edk2 > > echo "$MY_P11_KIT_PREFIX/bin/p11-kit" extract --overwrite \ > > --format=3Dedk2-cacerts \ > > --filter=3Dca-anchors \ > > --purpose=3Dserver-auth \ > > /etc/pki/ca-trust/extracted/edk2/cacerts.bin > > echo chmod -c --reference=3D/etc/pki/ca-trust/extracted/java/cacerts= \ > > /etc/pki/ca-trust/extracted/edk2/cacerts.bin > > echo restorecon -FvvR /etc/pki/ca-trust/extracted/edk2 > > fi >=20 > And here's the test matrix: >=20 > > Server Certificate URL cURL edk2 un= patched edk2 > patched > > --------------------- -------------------- ---------------- -------= --------- -------------- > -- > > Common Subject hostname resolves status expected status > expected status expected > > Name Alt. Name to IPvX > > ----------------------------------------------------------------------= --------------------- > ------ > > IP-literal - IP-literal IPv4 accept COMPAT/1 accept = NO/2 reject > yes > > IP-literal - IP-literal IPv6 accept COMPAT/1 accept = NO/2 reject > yes > > IP-literal - domainname IPv4 reject yes accept = NO/2 reject > yes > > IP-literal - domainname IPv6 reject yes accept = NO/2 reject > yes > > IP-literal IP IP-literal IPv4 accept yes accept = yes accept yes > > IP-literal IP IP-literal IPv6 accept yes accept = yes accept yes > > IP-literal IP domainname IPv4 reject yes accept = NO/2 reject > yes > > IP-literal IP domainname IPv6 reject yes accept = NO/2 reject > yes > > domainname - IP-literal IPv4 reject yes accept = NO/2 reject > yes > > domainname - IP-literal IPv6 reject yes accept = NO/2 reject > yes > > domainname - domainname IPv4 accept yes accept = yes > accept yes > > domainname - domainname IPv6 accept yes accept = yes > accept yes > > domainname IP IP-literal IPv4 accept yes accept = yes accept > yes > > domainname IP IP-literal IPv6 accept yes accept = yes accept > yes > > domainname IP domainname IPv4 accept yes accept = yes > accept yes > > domainname IP domainname IPv6 accept yes accept = yes > accept yes > > > > #1 -- should not be accepted: an IP literal in the URL must match the = IP > > address in the SAN, regardless of the Common Name; but cURL accepts it > > for compatibility > > > > #2 -- this is (or exemplifies) CVE-2019-14553 >=20 > Cc: David Woodhouse > Cc: Jian J Wang > Cc: Jiaxin Wu > Cc: Sivaraman Nainar > Cc: Xiaoyu Lu >=20 > Thanks, > Laszlo >=20 > Laszlo Ersek (4): > CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553) > CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553) > CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553) > CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such > (CVE-2019-14553) >=20 > Wu, Jiaxin (4): > MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost > (CVE-2019-14553) > CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553) > NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver > (CVE-2019-14553) > NetworkPkg/HttpDxe: Set the HostName for the verification > (CVE-2019-14553) >=20 > CryptoPkg/Include/Library/TlsLib.h | 20 ++ > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 + > CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 + > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 > ++++++++++++++++++++ > CryptoPkg/Library/Include/CrtLibSupport.h | 19 +- > CryptoPkg/Library/Include/arpa/inet.h | 9 + > CryptoPkg/Library/Include/arpa/nameser.h | 9 + > CryptoPkg/Library/Include/netinet/in.h | 9 + > CryptoPkg/Library/Include/sys/param.h | 9 + > CryptoPkg/Library/Include/sys/socket.h | 9 + > CryptoPkg/Library/TlsLib/TlsConfig.c | 58 ++++- > MdePkg/Include/Protocol/Tls.h | 68 +++++- > NetworkPkg/HttpDxe/HttpProto.h | 1 + > NetworkPkg/HttpDxe/HttpsSupport.c | 21 +- > NetworkPkg/TlsDxe/TlsProtocol.c | 44 +++- > 15 files changed, 519 insertions(+), 20 deletions(-) > create mode 100644 CryptoPkg/Library/Include/arpa/inet.h > create mode 100644 CryptoPkg/Library/Include/arpa/nameser.h > create mode 100644 CryptoPkg/Library/Include/netinet/in.h > create mode 100644 CryptoPkg/Library/Include/sys/param.h > create mode 100644 CryptoPkg/Library/Include/sys/socket.h > create mode 100644 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c >=20 > -- > 2.19.1.3.g30247aa5d201 >=20 >=20 >=20