public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: David Woodhouse <dwmw2@infradead.org>,
	Jian J Wang <jian.j.wang@intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Sivaraman Nainar <sivaramann@amiindia.co.in>,
	Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553)
Date: Sat, 2 Nov 2019 12:23:45 +0100	[thread overview]
Message-ID: <f8ffac16-d083-1128-78f0-a43e79a051d3@redhat.com> (raw)
In-Reply-To: <968b685f-2889-ca96-b77e-45e03ebcb905@redhat.com>

On 10/31/19 10:28, Laszlo Ersek wrote:
> On 10/26/19 07:37, Laszlo Ersek wrote:
>> Repo:   https://github.com/lersek/edk2.git
>> Branch: bz960_with_inet_pton_v2
>> Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=960
> 
>> In v2, I have inserted 4 new patches in the middle, to satisfy two
>> additional requirements raised by Siva and David:
>>
>> - If the Subject Alternative Name in the server certificate contains an
>>   IP address in binary representation, and the URL specifies an IP
>>   address in literal form for "hostname", then both of those things
>>   should be compared against each other, after converting the literal
>>   from the URL to binary representation. In other words, a server
>>   certificate with an IP address SAN should be recognized.
>>
>> - If the URL specifies an IP address literal, then, according to
>>   RFC-2818, "the iPAddress subjectAltName must be present in the
>>   certificate and must exactly match the IP in the URI". In other words,
>>   if a certificate matches the IP address literal from the URL via
>>   Common Name only, then the certificate must be rejected.
>>
>> I've also fixed two commit message warts in Jiaxin's patches (see the
>> Notes sections on the patches).
>>
>> I've tested the series painstakingly. [...]
> 
>> And here's the test matrix:
>>
>>> Server Certificate     URL                   cURL              edk2 unpatched    edk2 patched
>>> ---------------------  --------------------  ----------------  ----------------  ----------------
>>> Common      Subject    hostname    resolves  status  expected  status  expected  status  expected
>>> Name        Alt. Name              to IPvX
>>> -------------------------------------------------------------------------------------------------
>>> IP-literal  -          IP-literal  IPv4      accept  COMPAT/1  accept  NO/2      reject  yes
>>> IP-literal  -          IP-literal  IPv6      accept  COMPAT/1  accept  NO/2      reject  yes
>>> IP-literal  -          domainname  IPv4      reject  yes       accept  NO/2      reject  yes
>>> IP-literal  -          domainname  IPv6      reject  yes       accept  NO/2      reject  yes
>>> IP-literal  IP         IP-literal  IPv4      accept  yes       accept  yes       accept  yes
>>> IP-literal  IP         IP-literal  IPv6      accept  yes       accept  yes       accept  yes
>>> IP-literal  IP         domainname  IPv4      reject  yes       accept  NO/2      reject  yes
>>> IP-literal  IP         domainname  IPv6      reject  yes       accept  NO/2      reject  yes
>>> domainname  -          IP-literal  IPv4      reject  yes       accept  NO/2      reject  yes
>>> domainname  -          IP-literal  IPv6      reject  yes       accept  NO/2      reject  yes
>>> domainname  -          domainname  IPv4      accept  yes       accept  yes       accept  yes
>>> domainname  -          domainname  IPv6      accept  yes       accept  yes       accept  yes
>>> domainname  IP         IP-literal  IPv4      accept  yes       accept  yes       accept  yes
>>> domainname  IP         IP-literal  IPv6      accept  yes       accept  yes       accept  yes
>>> domainname  IP         domainname  IPv4      accept  yes       accept  yes       accept  yes
>>> domainname  IP         domainname  IPv6      accept  yes       accept  yes       accept  yes
>>>
>>> #1 -- should not be accepted: an IP literal in the URL must match the IP
>>> address in the SAN, regardless of the Common Name; but cURL accepts it
>>> for compatibility
>>>
>>> #2 -- this is (or exemplifies) CVE-2019-14553
> 
> Based on the feedback thus far, I'm planning to push this set on
> Saturday (that is, after 1 week of list-time), or perhaps next Monday
> (depends on how my Saturday will look).


Pushed as commit range b15646484eaf..e2fc50812895.

Thanks,
Laszlo


      reply	other threads:[~2019-11-02 11:24 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-26  5:37 [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Laszlo Ersek
2019-10-26  5:37 ` [PATCH v2 1/8] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553) Laszlo Ersek
2019-10-28  8:12   ` [edk2-devel] " Liming Gao
2019-10-26  5:37 ` [PATCH v2 2/8] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553) Laszlo Ersek
2019-10-26 11:51   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-11-02 11:01     ` Laszlo Ersek
2019-10-28  5:28   ` Wang, Jian J
2019-10-26  5:37 ` [PATCH v2 3/8] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553) Laszlo Ersek
2019-10-26 11:47   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-10-28  5:12   ` Wang, Jian J
2019-10-26  5:37 ` [PATCH v2 4/8] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553) Laszlo Ersek
2019-10-28  5:34   ` Wang, Jian J
2019-10-28 13:06   ` David Woodhouse
2019-10-29  0:47     ` Laszlo Ersek
2019-10-29  2:44       ` [edk2-devel] " Wu, Jiaxin
2019-10-29  3:19         ` Wang, Jian J
2019-10-26  5:37 ` [PATCH v2 5/8] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553) Laszlo Ersek
2019-10-28  6:16   ` Wang, Jian J
2019-10-26  5:37 ` [PATCH v2 6/8] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553) Laszlo Ersek
2019-10-28  6:12   ` Wang, Jian J
2019-10-26  5:37 ` [PATCH v2 7/8] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553) Laszlo Ersek
2019-10-26  5:37 ` [PATCH v2 8/8] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553) Laszlo Ersek
2019-10-29  2:37 ` [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Wu, Jiaxin
2019-11-02 11:15   ` Laszlo Ersek
2019-10-31  9:28 ` Laszlo Ersek
2019-11-02 11:23   ` Laszlo Ersek [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f8ffac16-d083-1128-78f0-a43e79a051d3@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox