From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: David Woodhouse, Jian J Wang, Jiaxin Wu, Sivaraman Nainar, Xiaoyu Lu
Subject: [edk2-devel] [PATCH v2 8/8] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553)
Date: Sat, 26 Oct 2019 07:37:19 +0200
Message-Id: <20191026053719.10453-9-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-1-lersek@redhat.com>
References: <20191026053719.10453-1-lersek@redhat.com>
List-Id: devel@edk2.groups.io
Reply-To: devel@edk2.groups.io, lersek@redhat.com
From: "Wu, Jiaxin"

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553

Set the HostName by consuming the TLS protocol to enable the host name
check so as to avoid the potential Man-In-The-Middle attack.

Signed-off-by: Wu Jiaxin
Reviewed-by: Ye Ting
Reviewed-by: Long Qin
Reviewed-by: Fu Siyuan
Acked-by: Laszlo Ersek
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
Cc: David Woodhouse
Cc: Jian J Wang
Cc: Jiaxin Wu
Cc: Sivaraman Nainar
Cc: Xiaoyu Lu
Signed-off-by: Laszlo Ersek
---

Notes:
    v2:
    - fix whitespace in subject line
    - drop Contributed-under line per BZ#1373

 NetworkPkg/HttpDxe/HttpProto.h    |  1 +
 NetworkPkg/HttpDxe/HttpsSupport.c | 21 ++++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h index 6e1f51748a73..34308e016d3e 100644 --- a/NetworkPkg/HttpDxe/HttpProto.h +++ b/NetworkPkg/HttpDxe/HttpProto.h @@ -81,8 +81,9 @@ typedef struct { typedef struct { EFI_TLS_VERSION Version; EFI_TLS_CONNECTION_END ConnectionEnd; EFI_TLS_VERIFY VerifyMethod; + EFI_TLS_VERIFY_HOST VerifyHost; EFI_TLS_SESSION_STATE SessionState; } TLS_CONFIG_DATA; =20 // diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 988bbcbce7d8..5dfb13bd6021 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -622,15 +622,18 @@ TlsConfigureSession ( =20 // // TlsConfigData initialization // - HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; - HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEER; - HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStarted; + HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; + HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEER; + HttpInstance->TlsConfigData.VerifyHost.Flags =3D EFI_TLS_VERIFY_FLAG_= NO_WILDCARDS; + HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance->Remote= Host; + HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotStar= ted; =20 // // EfiTlsConnectionEnd, - // EfiTlsVerifyMethod + // EfiTlsVerifyMethod, + // EfiTlsVerifyHost, // EfiTlsSessionState // Status =3D HttpInstance->Tls->SetSessionData ( HttpInstance->Tls, @@ -651,8 +654,18 @@ TlsConfigureSession ( if (EFI_ERROR (Status)) { return Status; } =20 + Status =3D HttpInstance->Tls->SetSessionData ( + HttpInstance->Tls, + EfiTlsVerifyHost, + &HttpInstance->TlsConfigData.VerifyHost, + sizeof (EFI_TLS_VERIFY_HOST) + ); + if (EFI_ERROR (Status)) { + return Status; + } + Status =3D HttpInstance->Tls->SetSessionData ( HttpInstance->Tls, EfiTlsSessionState, &(HttpInstance->TlsConfigData.SessionState= ), --=20 2.19.1.3.g30247aa5d201
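Review bot: in the HttpProto.h hunk, adding EFI_TLS_VERIFY_HOST to TLS_CONFIG_DATA embeds a HostName pointer rather than a copy of the name, and the HttpsSupport.c hunk later points it at HttpInstance->RemoteHost. That silently ties the lifetime of RemoteHost to the TLS session: if RemoteHost is ever freed or reassigned while the Tls instance can still be (re)configured, the session data would hold a dangling pointer. Please state in the commit message either that RemoteHost outlives every SetSessionData call on this instance, or that the TLS driver copies the string when it receives EfiTlsVerifyHost, so the next reader does not have to re-derive it.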
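Review bot: in the @@ -622 hunk, the choice of EFI_TLS_VERIFY_FLAG_NO_WILDCARDS is not justified anywhere in the patch. With that flag a server certificate issued for a wildcard name fails the host name check even when RemoteHost sits directly under the wildcard, so an HTTPS boot server deliberately fronted by a wildcard certificate stops working after this change. If rejecting wildcards is an intentional hardening, say so in the commit message; if not, reconsider the flag. A second question for the same line: RemoteHost is passed exactly as parsed from the URL, so when the boot URL names the server by an IP address literal the check has to match an IP address SAN rather than a DNS name. Please confirm that case was exercised, since it is the common one for PXE-style deployments.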
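Review bot: in the @@ -651 hunk, the new SetSessionData (EfiTlsVerifyHost) call fails closed: if the underlying TLS driver does not recognise EfiTlsVerifyHost and returns an error, TlsConfigureSession returns it and no HTTPS session is established at all, instead of connecting without a host name check. That is the right behaviour for a CVE fix, but it is a visible behaviour change for firmware paired with a TlsDxe that predates EfiTlsVerifyHost, and the commit message should mention it. The early return leaves the partially configured Tls object in place, which matches the existing error paths just above in the same function, so no extra cleanup is needed here.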