\r
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
-This program and the accompanying materials\r
-are licensed and made available under the terms and conditions of the BSD License\r
-which accompanies this distribution. The full text of the license may be found at\r
-http://opensource.org/licenses/bsd-license.php\r
-\r
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
UINT32 Index;\r
EFI_SIGNATURE_LIST *CertList;\r
EFI_SIGNATURE_DATA *Cert;\r
+ UINTN CertArraySizeInBytes;\r
UINTN CertCount;\r
UINT32 ItemDataSize;\r
\r
\r
ASSERT (CACert != NULL);\r
\r
+ //\r
+ // Sanity check\r
+ //\r
+ Status = EFI_INVALID_PARAMETER;\r
+ CertCount = 0;\r
+ ItemDataSize = (UINT32) CACertSize;\r
+ while (ItemDataSize > 0) {\r
+ if (ItemDataSize < sizeof (EFI_SIGNATURE_LIST)) {\r
+ DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST header\n",\r
+ __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ CertList = (EFI_SIGNATURE_LIST *) (CACert + (CACertSize - ItemDataSize));\r
+\r
+ if (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: SignatureListSize too small for EFI_SIGNATURE_LIST\n",\r
+ __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ if (CertList->SignatureListSize > ItemDataSize) {\r
+ DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST body\n",\r
+ __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ if (!CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {\r
+ DEBUG ((DEBUG_ERROR, "%a: only X509 certificates are supported\n",\r
+ __FUNCTION__));\r
+ Status = EFI_UNSUPPORTED;\r
+ goto FreeCACert;\r
+ }\r
+\r
+ if (CertList->SignatureHeaderSize != 0) {\r
+ DEBUG ((DEBUG_ERROR, "%a: SignatureHeaderSize must be 0 for X509\n",\r
+ __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ if (CertList->SignatureSize < sizeof (EFI_SIGNATURE_DATA)) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: SignatureSize too small for EFI_SIGNATURE_DATA\n", __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ CertArraySizeInBytes = (CertList->SignatureListSize -\r
+ sizeof (EFI_SIGNATURE_LIST));\r
+ if (CertArraySizeInBytes % CertList->SignatureSize != 0) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: EFI_SIGNATURE_DATA array not a multiple of SignatureSize\n",\r
+ __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
+ CertCount += CertArraySizeInBytes / CertList->SignatureSize;\r
+ ItemDataSize -= CertList->SignatureListSize;\r
+ }\r
+ if (CertCount == 0) {\r
+ DEBUG ((DEBUG_ERROR, "%a: no X509 certificates provided\n", __FUNCTION__));\r
+ goto FreeCACert;\r
+ }\r
+\r
//\r
// Enumerate all data and erasing the target item.\r
//\r
CipherListSize\r
);\r
\r
-ON_EXIT: \r
+ON_EXIT:\r
FreePool (CipherList);\r
- \r
+\r
return Status;\r
}\r
\r
//\r
// TlsConfigData initialization\r
//\r
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;\r
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;\r
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;\r
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;\r
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;\r
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;\r
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;\r
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;\r
\r
//\r
// EfiTlsConnectionEnd,\r
- // EfiTlsVerifyMethod\r
+ // EfiTlsVerifyMethod,\r
+ // EfiTlsVerifyHost,\r
// EfiTlsSessionState\r
//\r
Status = HttpInstance->Tls->SetSessionData (\r
return Status;\r
}\r
\r
+ Status = HttpInstance->Tls->SetSessionData (\r
+ HttpInstance->Tls,\r
+ EfiTlsVerifyHost,\r
+ &HttpInstance->TlsConfigData.VerifyHost,\r
+ sizeof (EFI_TLS_VERIFY_HOST)\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
Status = HttpInstance->Tls->SetSessionData (\r
HttpInstance->Tls,\r
EfiTlsSessionState,\r
}\r
\r
/**\r
- Receive one TLS PDU. An TLS PDU contains an TLS record header and it's\r
+ Receive one TLS PDU. An TLS PDU contains an TLS record header and its\r
corresponding record data. These two parts will be put into two blocks of buffers in the\r
net buffer.\r
\r
Process one message according to the CryptMode.\r
\r
@param[in] HttpInstance Pointer to HTTP_PROTOCOL structure.\r
- @param[in] Message Pointer to the message buffer needed to processed. \r
+ @param[in] Message Pointer to the message buffer needed to processed.\r
If ProcessMode is EfiTlsEncrypt, the message contain the TLS\r
header and plain text TLS APP payload.\r
- If ProcessMode is EfiTlsDecrypt, the message contain the TLS \r
+ If ProcessMode is EfiTlsDecrypt, the message contain the TLS\r
header and cipher text TLS APP payload.\r
@param[in] MessageSize Pointer to the message buffer size.\r
@param[in] ProcessMode Process mode.\r
@param[in, out] Fragment Only one Fragment returned after the Message is\r
processed successfully.\r
- If ProcessMode is EfiTlsEncrypt, the fragment contain the TLS \r
+ If ProcessMode is EfiTlsEncrypt, the fragment contain the TLS\r
header and cipher text TLS APP payload.\r
- If ProcessMode is EfiTlsDecrypt, the fragment contain the TLS \r
+ If ProcessMode is EfiTlsDecrypt, the fragment contain the TLS\r
header and plain text TLS APP payload.\r
\r
@retval EFI_SUCCESS Message is processed successfully.\r