From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: David Woodhouse <dwmw2@infradead.org>,
Jian J Wang <jian.j.wang@intel.com>,
Jiaxin Wu <jiaxin.wu@intel.com>,
Sivaraman Nainar <sivaramann@amiindia.co.in>,
Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553)
Date: Sat, 2 Nov 2019 12:23:45 +0100 [thread overview]
Message-ID: <f8ffac16-d083-1128-78f0-a43e79a051d3@redhat.com> (raw)
In-Reply-To: <968b685f-2889-ca96-b77e-45e03ebcb905@redhat.com>
On 10/31/19 10:28, Laszlo Ersek wrote:
> On 10/26/19 07:37, Laszlo Ersek wrote:
>> Repo: https://github.com/lersek/edk2.git
>> Branch: bz960_with_inet_pton_v2
>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
>
>> In v2, I have inserted 4 new patches in the middle, to satisfy two
>> additional requirements raised by Siva and David:
>>
>> - If the Subject Alternative Name in the server certificate contains an
>> IP address in binary representation, and the URL specifies an IP
>> address in literal form for "hostname", then both of those things
>> should be compared against each other, after converting the literal
>> from the URL to binary representation. In other words, a server
>> certificate with an IP address SAN should be recognized.
>>
>> - If the URL specifies an IP address literal, then, according to
>> RFC-2818, "the iPAddress subjectAltName must be present in the
>> certificate and must exactly match the IP in the URI". In other words,
>> if a certificate matches the IP address literal from the URL via
>> Common Name only, then the certificate must be rejected.
>>
>> I've also fixed two commit message warts in Jiaxin's patches (see the
>> Notes sections on the patches).
>>
>> I've tested the series painstakingly. [...]
>
>> And here's the test matrix:
>>
>>> Server Certificate URL cURL edk2 unpatched edk2 patched
>>> --------------------- -------------------- ---------------- ---------------- ----------------
>>> Common Subject hostname resolves status expected status expected status expected
>>> Name Alt. Name to IPvX
>>> -------------------------------------------------------------------------------------------------
>>> IP-literal - IP-literal IPv4 accept COMPAT/1 accept NO/2 reject yes
>>> IP-literal - IP-literal IPv6 accept COMPAT/1 accept NO/2 reject yes
>>> IP-literal - domainname IPv4 reject yes accept NO/2 reject yes
>>> IP-literal - domainname IPv6 reject yes accept NO/2 reject yes
>>> IP-literal IP IP-literal IPv4 accept yes accept yes accept yes
>>> IP-literal IP IP-literal IPv6 accept yes accept yes accept yes
>>> IP-literal IP domainname IPv4 reject yes accept NO/2 reject yes
>>> IP-literal IP domainname IPv6 reject yes accept NO/2 reject yes
>>> domainname - IP-literal IPv4 reject yes accept NO/2 reject yes
>>> domainname - IP-literal IPv6 reject yes accept NO/2 reject yes
>>> domainname - domainname IPv4 accept yes accept yes accept yes
>>> domainname - domainname IPv6 accept yes accept yes accept yes
>>> domainname IP IP-literal IPv4 accept yes accept yes accept yes
>>> domainname IP IP-literal IPv6 accept yes accept yes accept yes
>>> domainname IP domainname IPv4 accept yes accept yes accept yes
>>> domainname IP domainname IPv6 accept yes accept yes accept yes
>>>
>>> #1 -- should not be accepted: an IP literal in the URL must match the IP
>>> address in the SAN, regardless of the Common Name; but cURL accepts it
>>> for compatibility
>>>
>>> #2 -- this is (or exemplifies) CVE-2019-14553
>
> Based on the feedback thus far, I'm planning to push this set on
> Saturday (that is, after 1 week of list-time), or perhaps next Monday
> (depends on how my Saturday will look).
Pushed as commit range b15646484eaf..e2fc50812895.
Thanks,
Laszlo
prev parent reply other threads:[~2019-11-02 11:24 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-26 5:37 [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Laszlo Ersek
2019-10-26 5:37 ` [PATCH v2 1/8] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553) Laszlo Ersek
2019-10-28 8:12 ` [edk2-devel] " Liming Gao
2019-10-26 5:37 ` [PATCH v2 2/8] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553) Laszlo Ersek
2019-10-26 11:51 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-11-02 11:01 ` Laszlo Ersek
2019-10-28 5:28 ` Wang, Jian J
2019-10-26 5:37 ` [PATCH v2 3/8] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553) Laszlo Ersek
2019-10-26 11:47 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-10-28 5:12 ` Wang, Jian J
2019-10-26 5:37 ` [PATCH v2 4/8] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553) Laszlo Ersek
2019-10-28 5:34 ` Wang, Jian J
2019-10-28 13:06 ` David Woodhouse
2019-10-29 0:47 ` Laszlo Ersek
2019-10-29 2:44 ` [edk2-devel] " Wu, Jiaxin
2019-10-29 3:19 ` Wang, Jian J
2019-10-26 5:37 ` [PATCH v2 5/8] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553) Laszlo Ersek
2019-10-28 6:16 ` Wang, Jian J
2019-10-26 5:37 ` [PATCH v2 6/8] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553) Laszlo Ersek
2019-10-28 6:12 ` Wang, Jian J
2019-10-26 5:37 ` [PATCH v2 7/8] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553) Laszlo Ersek
2019-10-26 5:37 ` [PATCH v2 8/8] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553) Laszlo Ersek
2019-10-29 2:37 ` [edk2-devel] [PATCH v2 0/8] support server identity validation in HTTPS Boot (CVE-2019-14553) Wu, Jiaxin
2019-11-02 11:15 ` Laszlo Ersek
2019-10-31 9:28 ` Laszlo Ersek
2019-11-02 11:23 ` Laszlo Ersek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8ffac16-d083-1128-78f0-a43e79a051d3@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox