SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch (rpms/edk2)

From 970b5f67512e00fb26765a14b4a1cb8a8a04276d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:57 +0100
Subject: [PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address
 literals as such (CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-7-lersek@redhat.com>
Patchwork-id: 92452
O-Subject: [RHEL-8.2.0 edk2 PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.

Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
(cherry picked from commit 1e72b1fb2ec597caedb5170079bb213f6d67f32a)
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 2bf5aee..307eb57 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -517,7 +517,11 @@ TlsSetVerifyHost (
   IN     CHAR8                    *HostName
   )
 {
-  TLS_CONNECTION  *TlsConn;
+  TLS_CONNECTION    *TlsConn;
+  X509_VERIFY_PARAM *VerifyParam;
+  UINTN             BinaryAddressSize;
+  UINT8             BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
+  INTN              ParamStatus;
 
   TlsConn = (TLS_CONNECTION *) Tls;
   if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
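Review bot: the new BinaryAddress buffer is sized MAX (NS_INADDRSZ, NS_IN6ADDRSZ) and is filled by inet_pton () for whichever family parses, with the matching BinaryAddressSize passed on explicitly in the next hunk, so the unused tail after an IPv4 parse is never read; a one-line comment next to the declaration stating that the buffer holds either family would make that intent visible to the next reader. ParamStatus is declared INTN but is only ever compared against 1; since the X509_VERIFY_PARAM_set1_ip () / _set1_host () calls it receives return a plain int in OpenSSL, declaring it as int would keep the type aligned with the API it wraps.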
@@ -526,11 +530,27 @@ TlsSetVerifyHost (
 
   SSL_set_hostflags(TlsConn->Ssl, Flags);
 
-  if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
-    return EFI_ABORTED;
+  VerifyParam = SSL_get0_param (TlsConn->Ssl);
+  ASSERT (VerifyParam != NULL);
+
+  BinaryAddressSize = 0;
+  if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
+    BinaryAddressSize = NS_IN6ADDRSZ;
+  } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
+    BinaryAddressSize = NS_INADDRSZ;
   }
 
-  return EFI_SUCCESS;
+  if (BinaryAddressSize > 0) {
+    DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
+      "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
+      (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')));
+    ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
+                    BinaryAddressSize);
+  } else {
+    ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
+  }
+
+  return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
 }
 
 /**
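Review bot: ASSERT (VerifyParam != NULL) after SSL_get0_param () only checks in DEBUG builds; in a release build a NULL return would be dereferenced inside X509_VERIFY_PARAM_set1_ip () / _set1_host (). The function already returns early when TlsConn->Ssl is NULL, so an explicit `if (VerifyParam == NULL) { return EFI_ABORTED; }` here costs nothing and keeps the release path safe. Two smaller points: SSL_set_hostflags (TlsConn->Ssl, Flags) is still applied before the branch although the flags only affect host-name matching, so a short comment saying it is intentionally a no-op on the IP-literal path would save the next reader the question; and the doc comment of TlsSetVerifyHost (outside this hunk) should now state that HostName may also be an IPv4 or IPv6 literal, which is then matched against the certificate's iPAddress subjectAltName rather than its DNS names, as the commit message explains.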
-- 
1.8.3.1
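As an added illustration of the dispatch this patch introduces (example code, not from the edk2 patch or from OpenSSL): the same inet_pton() IPv6-then-IPv4 classification as a stand-alone C function, run over constructed inputs to show which strings would reach the X509_VERIFY_PARAM_set1_ip() path and which fall through to the host-name path. It also shows a caveat the patch does not cover: a URL-style bracketed literal such as "[2001:db8::1]" is not recognised by inet_pton() and would be matched as a DNS name, so a caller must strip the brackets first; the NS_INADDRSZ/NS_IN6ADDRSZ macros and all function names are defined here for the example.

```c
#include <arpa/inet.h>   /* inet_pton(), AF_INET, AF_INET6 */
#include <stdio.h>

/* Binary address lengths, named as in the patch; standard 4/16-byte sizes. */
#define NS_INADDRSZ  4
#define NS_IN6ADDRSZ 16

/* Classify HostName the way the patched TlsSetVerifyHost() does: IPv6 literal
 * first, then IPv4, each via inet_pton(). Returns the number of binary address
 * bytes written to BinaryAddress (16 or 4), or 0 when HostName is not an IP
 * literal and must be matched as a DNS name (the set1_host branch). */
size_t ClassifyVerifyHost (const char *HostName, unsigned char BinaryAddress[NS_IN6ADDRSZ])
{
  if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
    return NS_IN6ADDRSZ;
  }
  if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
    return NS_INADDRSZ;
  }
  return 0;
}

/* Wrappers for the checks: binary length alone, and one byte of the parsed
 * address (-1 when HostName is not an IP literal or Index is past its end). */
size_t ClassifiedSize (const char *HostName)
{
  unsigned char Buf[NS_IN6ADDRSZ];
  return ClassifyVerifyHost (HostName, Buf);
}

int ClassifiedByte (const char *HostName, size_t Index)
{
  unsigned char Buf[NS_IN6ADDRSZ];
  size_t Size = ClassifyVerifyHost (HostName, Buf);
  return (Size > 0 && Index < Size) ? Buf[Index] : -1;
}

int main (void)
{
  /* Constructed samples: documentation addresses (RFC 5737 / RFC 3849), a DNS
   * name, a URL-style bracketed IPv6 literal, and two malformed IPv4 strings. */
  const char *Samples[] = { "192.0.2.10", "2001:db8::1", "::ffff:192.0.2.10",
                            "example.com", "[2001:db8::1]", "192.0.2", "256.0.0.1" };
  for (size_t i = 0; i < sizeof Samples / sizeof Samples[0]; i++) {
    size_t Size = ClassifiedSize (Samples[i]);
    printf ("%-18s -> %s\n", Samples[i], Size == NS_IN6ADDRSZ ? "IPv6 literal (set1_ip)"
            : Size == NS_INADDRSZ ? "IPv4 literal (set1_ip)" : "host name (set1_host)");
  }
  return 0;
}
```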