From 22ebe3ff84003e9256759e230ac68da35c6d77a2 Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Mon, 2 Dec 2019 12:31:37 +0100

Subject: [PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of

 EfiTlsVerifyHost (CVE-2019-14553)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

Message-id: <20191117220052.15700-2-lersek@redhat.com>

Patchwork-id: 92457

O-Subject: [RHEL-8.2.0 edk2 PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553)

Bugzilla: 1536624

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

From: "Wu, Jiaxin" <jiaxin.wu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960

CVE: CVE-2019-14553

In the patch, we add the new data type named "EfiTlsVerifyHost" and

the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP)

to enable the host name check so as to avoid the potential

Man-In-The-Middle attack.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>

Reviewed-by: Ye Ting <ting.ye@intel.com>

Reviewed-by: Long Qin <qin.long@intel.com>

Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>

Acked-by: Laszlo Ersek <lersek@redhat.com>

Message-Id: <20190927034441.3096-2-Jiaxin.wu@intel.com>

Cc: David Woodhouse <dwmw2@infradead.org>

Cc: Jian J Wang <jian.j.wang@intel.com>

Cc: Jiaxin Wu <jiaxin.wu@intel.com>

Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Liming Gao <liming.gao@intel.com>

(cherry picked from commit 31efec82796cb950e99d1622aa9c0eb8380613a0)

---

 MdePkg/Include/Protocol/Tls.h | 68 ++++++++++++++++++++++++++++++++++++-------

 1 file changed, 57 insertions(+), 11 deletions(-)

diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.h

index bf1b672..af524ae 100644

--- a/MdePkg/Include/Protocol/Tls.h

+++ b/MdePkg/Include/Protocol/Tls.h

@@ -42,10 +42,6 @@ typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;

 ///

 typedef enum {

   ///

-  /// Session Configuration

-  ///

-

-  ///

   /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.

   ///

   EfiTlsVersion,

@@ -86,11 +82,6 @@ typedef enum {

   /// The corresponding Data is of type EFI_TLS_SESSION_STATE.

   ///

   EfiTlsSessionState,

-

-  ///

-  /// Session information

-  ///

-

   ///

   /// TLS session data client random.

   /// The corresponding Data is of type EFI_TLS_RANDOM.

@@ -106,9 +97,15 @@ typedef enum {

   /// The corresponding Data is of type EFI_TLS_MASTER_SECRET.

   ///

   EfiTlsKeyMaterial,

+  ///

+  /// TLS session hostname for validation which is used to verify whether the name

+  /// within the peer certificate matches a given host name.

+  /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.

+  /// The corresponding Data is of type EFI_TLS_VERIFY_HOST.

+  ///

+  EfiTlsVerifyHost,

   EfiTlsSessionDataTypeMaximum

-

 } EFI_TLS_SESSION_DATA_TYPE;

 ///

@@ -178,7 +175,8 @@ typedef UINT32  EFI_TLS_VERIFY;

 ///

 #define EFI_TLS_VERIFY_PEER                  0x1

 ///

-/// TLS session will fail peer certificate is absent.

+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.

+/// TLS session will fail if client certificate is absent.

 ///

 #define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT  0x2

 ///

@@ -188,6 +186,54 @@ typedef UINT32  EFI_TLS_VERIFY;

 #define EFI_TLS_VERIFY_CLIENT_ONCE           0x4

 ///

+/// EFI_TLS_VERIFY_HOST_FLAG

+///

+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;

+///

+/// There is no additional flags set for hostname validation.

+/// Wildcards are supported and they match only in the left-most label.

+///

+#define EFI_TLS_VERIFY_FLAG_NONE                    0x00

+///

+/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the

+/// certificate contains Subject Alternative Name (SAN).

+///

+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT    0x01

+///

+/// Disable the match of all wildcards.

+///

+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS            0x02

+///

+/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").

+///

+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS    0x04

+///

+/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.

+///

+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS   0x08

+///

+/// Restrict to only match direct child sub-domains which start with ".".

+/// For example, a name of ".example.com" would match "www.example.com" with this flag,

+/// but would not match "www.sub.example.com".

+///

+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10

+///

+/// Never check the Subject Distinguished Name (DN) even there is no

+/// Subject Alternative Name (SAN) in the certificate.

+///

+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT     0x20

+

+///

+/// EFI_TLS_VERIFY_HOST

+///

+#pragma pack (1)

+typedef struct {

+  EFI_TLS_VERIFY_HOST_FLAG Flags;

+  CHAR8                    *HostName;

+} EFI_TLS_VERIFY_HOST;

+#pragma pack ()

+

+///

 /// EFI_TLS_RANDOM

 /// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.

 ///       Hello Messages".

-- 

1.8.3.1