tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553) 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Set the HostName by consuming TLS protocol to enable the host name
check so as to avoid the potential Man-In-The-Middle attack.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
This commit is contained in:
Wu, Jiaxin 2019-09-27 11:44:41 +08:00 committed by Laszlo Ersek
parent 703e7ab21f
commit e2fc508128
2 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
NetworkPkg/HttpDxe/HttpProto.h
View File

@ -82,6 +82,7 @@ typedef struct {
EFI_TLS_VERSION Version; EFI_TLS_VERSION Version;
EFI_TLS_CONNECTION_END ConnectionEnd; EFI_TLS_CONNECTION_END ConnectionEnd;
EFI_TLS_VERIFY VerifyMethod; EFI_TLS_VERIFY VerifyMethod;
EFI_TLS_VERIFY_HOST VerifyHost;
EFI_TLS_SESSION_STATE SessionState; EFI_TLS_SESSION_STATE SessionState;
} TLS_CONFIG_DATA; } TLS_CONFIG_DATA;

21
NetworkPkg/HttpDxe/HttpsSupport.c
View File

@ -623,13 +623,16 @@ TlsConfigureSession (
// //
// TlsConfigData initialization // TlsConfigData initialization
// //
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
// //
// EfiTlsConnectionEnd, // EfiTlsConnectionEnd,
// EfiTlsVerifyMethod // EfiTlsVerifyMethod,
// EfiTlsVerifyHost,
// EfiTlsSessionState // EfiTlsSessionState
// //
Status = HttpInstance->Tls->SetSessionData ( Status = HttpInstance->Tls->SetSessionData (
@ -652,6 +655,16 @@ TlsConfigureSession (
return Status; return Status;
} }
Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls,
EfiTlsVerifyHost,
&HttpInstance->TlsConfigData.VerifyHost,
sizeof (EFI_TLS_VERIFY_HOST)
);
if (EFI_ERROR (Status)) {
return Status;
}
Status = HttpInstance->Tls->SetSessionData ( Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls, HttpInstance->Tls,
EfiTlsSessionState, EfiTlsSessionState,