Skip to content

Commit

Permalink
NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-1…
Browse files Browse the repository at this point in the history 
…4553)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Set the HostName by consuming TLS protocol to enable the host name
check so as to avoid the potential Man-In-The-Middle attack.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
  • Loading branch information
@jiaxinwu @lersek
jiaxinwu authored and lersek committed Nov 2, 2019
1 parent 703e7ab commit e2fc508
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 4 deletions.
1 change: 1 addition & 0 deletions NetworkPkg/HttpDxe/HttpProto.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ typedef struct {
EFI_TLS_VERSION Version;
EFI_TLS_CONNECTION_END ConnectionEnd;
EFI_TLS_VERIFY VerifyMethod;
EFI_TLS_VERIFY_HOST VerifyHost;
EFI_TLS_SESSION_STATE SessionState;
} TLS_CONFIG_DATA;

Expand Down
21 changes: 17 additions & 4 deletions NetworkPkg/HttpDxe/HttpsSupport.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -623,13 +623,16 @@ TlsConfigureSession (
//
// TlsConfigData initialization
//
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;

This comment has been minimized.

Sign in to view

Copy link
@out0xb2

out0xb2 Feb 27, 2020

Be aware that while EFI_TLS_VERIFY_FLAG_NO_WILDCARDS is perhaps an extra-secure default, it is not appropriate for a non-trivial number of real-world, secure scenarios.
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;

//
// EfiTlsConnectionEnd,
// EfiTlsVerifyMethod
// EfiTlsVerifyMethod,
// EfiTlsVerifyHost,
// EfiTlsSessionState
//
Status = HttpInstance->Tls->SetSessionData (
Expand All @@ -652,6 +655,16 @@ TlsConfigureSession (
return Status;
}

Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls,
EfiTlsVerifyHost,
&HttpInstance->TlsConfigData.VerifyHost,
sizeof (EFI_TLS_VERIFY_HOST)
);
if (EFI_ERROR (Status)) {
return Status;
}

Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls,
EfiTlsSessionState,
Expand Down

0 comments on commit e2fc508

Please sign in to comment.