diff options
| author | Laszlo Ersek <lersek@redhat.com> | 2019-10-24 21:17:36 +0200 |
|---|---|---|
| committer | Laszlo Ersek <lersek@redhat.com> | 2019-11-02 12:08:05 +0100 |
| commit | 1e72b1fb2ec597caedb5170079bb213f6d67f32a (patch) | |
| tree | 2885689a4ce69c5340223cc10d77d4f1b2839667 /CryptoPkg | |
| parent | 8d16ef8269b2ff373d8da674e59992adfdc032d3 (diff) | |
| download | edk2-1e72b1fb2ec597caedb5170079bb213f6d67f32a.tar.gz edk2-1e72b1fb2ec597caedb5170079bb213f6d67f32a.tar.bz2 edk2-1e72b1fb2ec597caedb5170079bb213f6d67f32a.zip | |
CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.
Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Diffstat (limited to 'CryptoPkg')
| -rw-r--r-- | CryptoPkg/Library/TlsLib/TlsConfig.c | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c index 2bf5aee7c0..307eb57896 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -517,7 +517,11 @@ TlsSetVerifyHost ( IN CHAR8 *HostName
)
{
- TLS_CONNECTION *TlsConn;
+ TLS_CONNECTION *TlsConn;
+ X509_VERIFY_PARAM *VerifyParam;
+ UINTN BinaryAddressSize;
+ UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
+ INTN ParamStatus;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
@@ -526,11 +530,27 @@ TlsSetVerifyHost ( SSL_set_hostflags(TlsConn->Ssl, Flags);
- if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
- return EFI_ABORTED;
+ VerifyParam = SSL_get0_param (TlsConn->Ssl);
+ ASSERT (VerifyParam != NULL);
+
+ BinaryAddressSize = 0;
+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_IN6ADDRSZ;
+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_INADDRSZ;
}
- return EFI_SUCCESS;
+ if (BinaryAddressSize > 0) {
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
+ "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')));
+ ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
+ BinaryAddressSize);
+ } else {
+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
+ }
+
+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
}
/**
|