In TlsConfigCertificate(), make sure that the set of EFI_SIGNATURE_LIST
objects that the platform stored to "TlsCaCertificate" is well-formed.

In addition, because HttpInstance->TlsConfiguration->SetData() expects
X509 certificates only, ensure that the EFI_SIGNATURE_LIST objects only
report X509 certificates, as described under EFI_CERT_X509_GUID in the
UEFI-2.7 spec.

Cc: Jiaxin Wu <jiaxin...@intel.com>
Cc: Siyuan Fu <siyuan...@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=909
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <ler...@redhat.com>
---
 NetworkPkg/HttpDxe/HttpDxe.inf    |  3 +-
 NetworkPkg/HttpDxe/HttpsSupport.c | 65 ++++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 938e894d9f09..6c0688d1305b 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -75,9 +75,10 @@ [Protocols]
 [Guids]
   gEfiTlsCaCertificateGuid                         ## SOMETIMES_CONSUMES  ## 
Variable:L"TlsCaCertificate"
   gEdkiiHttpTlsCipherListGuid                      ## SOMETIMES_CONSUMES  ## 
Variable:L"HttpTlsCipherList"
+  gEfiCertX509Guid                                 ## SOMETIMES_CONSUMES  ## 
GUID  # Check the cert type
 
 [Pcd]
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections       ## CONSUMES  
 
 [UserExtensions.TianoCore."ExtraFiles"]
-  HttpDxeExtra.uni
\ No newline at end of file
+  HttpDxeExtra.uni
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c 
b/NetworkPkg/HttpDxe/HttpsSupport.c
index baab77225fdf..d658512f6d9f 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -384,6 +384,7 @@ TlsConfigCertificate (
   UINT32              Index;
   EFI_SIGNATURE_LIST  *CertList;
   EFI_SIGNATURE_DATA  *Cert;
+  UINTN               CertArraySizeInBytes;
   UINTN               CertCount;
   UINT32              ItemDataSize;
 
@@ -429,6 +430,70 @@ TlsConfigCertificate (
 
   ASSERT (CACert != NULL);
 
+  //
+  // Sanity check
+  //
+  Status = EFI_INVALID_PARAMETER;
+  CertCount = 0;
+  ItemDataSize = (UINT32) CACertSize;
+  while (ItemDataSize > 0) {
+    if (ItemDataSize < sizeof (EFI_SIGNATURE_LIST)) {
+      DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST header\n",
+        __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    CertList = (EFI_SIGNATURE_LIST *) (CACert + (CACertSize - ItemDataSize));
+
+    if (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) {
+      DEBUG ((DEBUG_ERROR,
+        "%a: SignatureListSize too small for EFI_SIGNATURE_LIST\n",
+        __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    if (CertList->SignatureListSize > ItemDataSize) {
+      DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST body\n",
+        __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    if (!CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
+      DEBUG ((DEBUG_ERROR, "%a: only X509 certificates are supported\n",
+        __FUNCTION__));
+      Status = EFI_UNSUPPORTED;
+      goto FreeCACert;
+    }
+
+    if (CertList->SignatureHeaderSize != 0) {
+      DEBUG ((DEBUG_ERROR, "%a: SignatureHeaderSize must be 0 for X509\n",
+        __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    if (CertList->SignatureSize < sizeof (EFI_SIGNATURE_DATA)) {
+      DEBUG ((DEBUG_ERROR,
+        "%a: SignatureSize too small for EFI_SIGNATURE_DATA\n", __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    CertArraySizeInBytes = (CertList->SignatureListSize -
+                            sizeof (EFI_SIGNATURE_LIST));
+    if (CertArraySizeInBytes % CertList->SignatureSize != 0) {
+      DEBUG ((DEBUG_ERROR,
+        "%a: EFI_SIGNATURE_DATA array not a multiple of SignatureSize\n",
+        __FUNCTION__));
+      goto FreeCACert;
+    }
+
+    CertCount += CertArraySizeInBytes / CertList->SignatureSize;
+    ItemDataSize -= CertList->SignatureListSize;
+  }
+  if (CertCount == 0) {
+    DEBUG ((DEBUG_ERROR, "%a: no X509 certificates provided\n", __FUNCTION__));
+    goto FreeCACert;
+  }
+
   //
   // Enumerate all data and erasing the target item.
   //
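Review bot: The cast `ItemDataSize = (UINT32) CACertSize;` at the top of the sanity check truncates silently. If CACertSize (declared outside this hunk, presumably a UINTN) ever exceeded MAX_UINT32, the walk would start at offset `CACertSize - ItemDataSize` instead of 0, and the leading bytes of the variable would go unvalidated. A guard before the cast, `if (CACertSize > MAX_UINT32) { goto FreeCACert; }`, keeps the validated length and the buffer length in agreement. It would also help triage to print the failing list's offset in the DEBUG_ERROR messages, because "TlsCaCertificate" is platform-stored data and a malformed entry is otherwise hard to locate. TlsConfigCertificate begins and ends outside the hunk, so whether the enumeration loop that follows applies the same bounds cannot be confirmed from here.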
-- 
2.14.1.3.gb7cf6e02401b

