diff options
| author | Wu, Jiaxin <jiaxin.wu@intel.com> | 2019-09-27 11:44:40 +0800 |
|---|---|---|
| committer | Laszlo Ersek <lersek@redhat.com> | 2019-11-02 12:08:19 +0100 |
| commit | 703e7ab21ff8fda9ababf7751d59bd28ad5da947 (patch) | |
| tree | 182d4186014ace18026a6f4ec47d5ee127750f4b /NetworkPkg | |
| parent | 1e72b1fb2ec597caedb5170079bb213f6d67f32a (diff) | |
| download | edk2-703e7ab21ff8fda9ababf7751d59bd28ad5da947.tar.gz edk2-703e7ab21ff8fda9ababf7751d59bd28ad5da947.tar.bz2 edk2-703e7ab21ff8fda9ababf7751d59bd28ad5da947.zip | |
NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
The new data type named "EfiTlsVerifyHost" and the
EFI_TLS_VERIFY_HOST_FLAG are supported in TLS protocol.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-4-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Diffstat (limited to 'NetworkPkg')
| -rw-r--r-- | NetworkPkg/TlsDxe/TlsProtocol.c | 44 |
1 files changed, 41 insertions, 3 deletions
diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c index a7a993fc6f..001e5400d0 100644 --- a/NetworkPkg/TlsDxe/TlsProtocol.c +++ b/NetworkPkg/TlsDxe/TlsProtocol.c @@ -1,7 +1,7 @@ /** @file
Implementation of EFI TLS Protocol Interfaces.
- Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -56,12 +56,16 @@ TlsSetSessionData ( UINT16 *CipherId;
CONST EFI_TLS_CIPHER *TlsCipherList;
UINTN CipherCount;
+ CONST EFI_TLS_VERIFY_HOST *TlsVerifyHost;
+ EFI_TLS_VERIFY VerifyMethod;
+ UINTN VerifyMethodSize;
UINTN Index;
EFI_TPL OldTpl;
- Status = EFI_SUCCESS;
- CipherId = NULL;
+ Status = EFI_SUCCESS;
+ CipherId = NULL;
+ VerifyMethodSize = sizeof (EFI_TLS_VERIFY);
if (This == NULL || Data == NULL || DataSize == 0) {
return EFI_INVALID_PARAMETER;
@@ -149,6 +153,40 @@ TlsSetSessionData ( TlsSetVerify (Instance->TlsConn, *((UINT32 *) Data));
break;
+ case EfiTlsVerifyHost:
+ if (DataSize != sizeof (EFI_TLS_VERIFY_HOST)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ TlsVerifyHost = (CONST EFI_TLS_VERIFY_HOST *) Data;
+
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT) != 0 &&
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT) != 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS) != 0 &&
+ ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS) != 0 ||
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) != 0)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ Status = This->GetSessionData (This, EfiTlsVerifyMethod, &VerifyMethod, &VerifyMethodSize);
+ if (EFI_ERROR (Status)) {
+ goto ON_EXIT;
+ }
+
+ if ((VerifyMethod & EFI_TLS_VERIFY_PEER) == 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName);
+
+ break;
case EfiTlsSessionID:
if (DataSize != sizeof (EFI_TLS_SESSION_ID)) {
Status = EFI_INVALID_PARAMETER;
|