NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553)
authorWu, Jiaxin <jiaxin.wu@intel.com>
Fri, 27 Sep 2019 03:44:41 +0000 (11:44 +0800)
committerLaszlo Ersek <lersek@redhat.com>
Sat, 2 Nov 2019 11:08:25 +0000 (12:08 +0100)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Set the HostName through the TLS protocol (EfiTlsVerifyHost session data) so
that the server certificate is checked against the requested host name, avoiding
a potential Man-In-The-Middle attack.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
NetworkPkg/HttpDxe/HttpProto.h
NetworkPkg/HttpDxe/HttpsSupport.c

index 6e1f51748a734e04abcb57a9e77ea86ae76db545..34308e016d3ebcf9784321a4f7996252e9695e02 100644 (file)
@@ -82,6 +82,7 @@ typedef struct {
   EFI_TLS_VERSION               Version;\r
   EFI_TLS_CONNECTION_END        ConnectionEnd;\r
   EFI_TLS_VERIFY                VerifyMethod;\r
+  EFI_TLS_VERIFY_HOST           VerifyHost;\r
   EFI_TLS_SESSION_STATE         SessionState;\r
 } TLS_CONFIG_DATA;\r
 \r
index 988bbcbce7d891dae18b007c85efbee66ffb3385..5dfb13bd6021ff12a0a4ca2a859cf998e124b5b2 100644 (file)
@@ -623,13 +623,16 @@ TlsConfigureSession (
   //\r
   // TlsConfigData initialization\r
   //\r
-  HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;\r
-  HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;\r
-  HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;\r
+  HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;\r
+  HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;\r
+  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;\r
+  HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;\r
+  HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;\r
 \r
   //\r
   // EfiTlsConnectionEnd,\r
-  // EfiTlsVerifyMethod\r
+  // EfiTlsVerifyMethod,\r
+  // EfiTlsVerifyHost,\r
   // EfiTlsSessionState\r
   //\r
   Status = HttpInstance->Tls->SetSessionData (\r
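Review bot: `HttpInstance->RemoteHost` is assigned to `VerifyHost.HostName` with no check that it is non-NULL or non-empty, and nothing in this hunk shows how the TLS driver treats a NULL or empty host name; a guard such as `if (HttpInstance->RemoteHost == NULL || HttpInstance->RemoteHost[0] == '\0') { return EFI_INVALID_PARAMETER; }` before the assignment would keep the new verification from silently degrading. The hard-coded `EFI_TLS_VERIFY_FLAG_NO_WILDCARDS` is a policy choice that deserves a comment, e.g. `// NOTE: wildcard certificates are deliberately rejected; only an exact match against RemoteHost is accepted`. If RemoteHost can carry an IP-address literal rather than a DNS name, whether the driver matches it against an iPAddress SAN is not visible here and is worth confirming. TlsConfigureSession begins before this hunk.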
@@ -652,6 +655,16 @@ TlsConfigureSession (
     return Status;\r
   }\r
 \r
+  Status = HttpInstance->Tls->SetSessionData (\r
+                                HttpInstance->Tls,\r
+                                EfiTlsVerifyHost,\r
+                                &HttpInstance->TlsConfigData.VerifyHost,\r
+                                sizeof (EFI_TLS_VERIFY_HOST)\r
+                                );\r
+  if (EFI_ERROR (Status)) {\r
+    return Status;\r
+  }\r
+\r
   Status = HttpInstance->Tls->SetSessionData (\r
                                 HttpInstance->Tls,\r
                                 EfiTlsSessionState,\r
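Review bot: The new SetSessionData call passes `&HttpInstance->TlsConfigData.VerifyHost`, a struct that embeds the `HostName` pointer rather than the string itself, so whether the TLS driver copies the name or keeps referencing `HttpInstance->RemoteHost` for the life of the session is not visible here; a comment such as `// VerifyHost.HostName points at HttpInstance->RemoteHost, which must stay valid until the session is torn down` would record that requirement for maintainers. Returning on any error from this call fails closed, which is the right outcome for a verification setting, but that intent is worth stating on the `if (EFI_ERROR (Status))` branch, e.g. `// Fail closed: a session without host name verification must not be started`. The trailing SetSessionData call runs past the end of the hunk and TlsConfigureSession ends outside it.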