packages/edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:71b571438eaf653d5c2fd6802b0d4c2e78a6aed7
Branches Tags
packages:main
...
compare: packages:b309382c515a373b3a1a2db510aae95af8d8335f
Branches Tags
packages:main

10 Commits
71b571438e ... b309382c51

Author SHA1 Message Date
openeuler-ci-bot
b309382c51
!239 【轻量级 PR】:fix bad date in changelog 
From: @zhangshaoning_uniontech 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-10-23 03:34:18 +00:00
openeuler-ci-bot
dce9b5b1fe
!278 Fix CVE-2023-45236、CVE-2023-45237 
From: @jacob1996 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-10-22 13:56:55 +00:00
ShenYage
3a99e54bc5 Fix CVE-2023-45236、CVE-2023-45237 
Signed-off-by: ShenYage <shenyage1@huawei.com>
 2024-10-15 04:15:34 +08:00
openeuler-ci-bot
1c9c634bf8
!274 fix CVE-2024-38796 
From: @zhangxianting 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-10-14 01:17:28 +00:00
zhangxianting
a95770f140 fix CVE-2024-38796 2024-10-09 16:26:15 +08:00
openeuler-ci-bot
d4f51e20dd
!254 Fix CVE-2021-3712、CVE-2022-0778 
From: @jacob1996 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-09-03 13:37:00 +00:00
ShenYage
0618fd5b42 Fix CVE-2021-3712、CVE-2022-0778 
Signed-off-by: ShenYage <shenyage1@huawei.com>
 2024-09-03 20:38:35 +08:00
openeuler-ci-bot
94aaf22d9a
!243 Fix CVE-2024-5535 
From: @jacob1996 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-07-11 12:51:20 +00:00
ShenYage
46460b7c03 Fix CVE-2024-5535 
Signed-off-by: ShenYage <shenyage1@huawei.com>
 2024-07-11 19:18:16 +08:00
张少宁
0e46695e78
fix bad date in changelog 
Signed-off-by: 张少宁 <zhangshaoning@uniontech.com>
 2024-06-17 01:58:09 +00:00
15 changed files with 4712 additions and 2 deletions
Show Stats Expand all files Collapse all files

168
0089-Fix-SSL_select_next_proto-and-add-ALPN-validation-in.patch Normal file
View File

@ -0,0 +1,168 @@
From 85365ebf0d57f82fbaf6b04da477dcba4e82e3a4 Mon Sep 17 00:00:00 2001
From: xuhuiyue <xuhuiyue@huawei.com>
Date: Fri, 28 Jun 2024 17:31:29 +0800
Subject: [PATCH 1/2] Fix SSL_select_next_proto and add ALPN validation in the
client
Fix CVE-2024-5535.
Signed-off-by: xuhuiyue <xuhuiyue@huawei.com>
---
.../Library/OpensslLib/openssl/ssl/ssl_lib.c | 63 ++++++++++++-------
.../openssl/ssl/statem/extensions_clnt.c | 27 +++++++-
.../openssl/ssl/statem/extensions_srvr.c | 3 +-
3 files changed, 68 insertions(+), 25 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
index ae33d18..cc3f588 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
@@ -2731,37 +2731,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
index bcce0f1..a307294 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
@@ -1579,7 +1579,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
PACKET_data(pkt),
PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
SSL_R_BAD_EXTENSION);
return 0;
@@ -1609,6 +1610,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3->alpn_sent) {
@@ -1629,6 +1632,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_malloc(len);
if (s->s3->alpn_selected == NULL) {
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
index 3b07c6b..0c9b839 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3->npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.33.0

1786
0090-Add-a-test-for-ALPN-and-NPN.patch Normal file
View File

File diff suppressed because it is too large Load Diff

148
0091-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-st.patch Normal file
View File

@ -0,0 +1,148 @@
From 0d8b0b8b00094b3b58bd37fce9f260affe9f6a16 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 12:24:22 +0100
Subject: [PATCH 1/9] Fix i2v_GENERAL_NAME to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
.../OpensslLib/openssl/crypto/x509v3/v3_alt.c | 10 +++--
.../OpensslLib/openssl/crypto/x509v3/v3_utl.c | 38 ++++++++++++++++---
.../OpensslLib/openssl/include/crypto/x509.h | 5 +++
3 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_alt.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_alt.c
index 7ac2911..79f0f14 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_alt.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_alt.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "crypto/x509.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
@@ -99,17 +100,20 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
break;
case GEN_EMAIL:
- if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
case GEN_DNS:
- if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
case GEN_URI:
- if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
index 7281a7b..004ef55 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
@@ -12,6 +12,7 @@
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdio.h>
+#include <string.h>
#include "crypto/ctype.h"
#include <openssl/conf.h>
#include <openssl/crypto.h>
@@ -34,17 +35,26 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen);
/* Add a CONF_VALUE name value pair to stack */
-int X509V3_add_value(const char *name, const char *value,
- STACK_OF(CONF_VALUE) **extlist)
+static int x509v3_add_len_value(const char *name, const char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)
{
CONF_VALUE *vtmp = NULL;
char *tname = NULL, *tvalue = NULL;
int sk_allocated = (*extlist == NULL);
- if (name && (tname = OPENSSL_strdup(name)) == NULL)
- goto err;
- if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
+ if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
goto err;
+ if (value != NULL && vallen > 0) {
+ /*
+ * We tolerate a single trailing NUL character, but otherwise no
+ * embedded NULs
+ */
+ if (memchr(value, 0, vallen - 1) != NULL)
+ goto err;
+ tvalue = OPENSSL_strndup(value, vallen);
+ if (tvalue == NULL)
+ goto err;
+ }
if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
goto err;
if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
@@ -67,10 +77,26 @@ int X509V3_add_value(const char *name, const char *value,
return 0;
}
+int X509V3_add_value(const char *name, const char *value,
+ STACK_OF(CONF_VALUE) **extlist)
+{
+ return x509v3_add_len_value(name, value,
+ value != NULL ? strlen((const char *)value) : 0,
+ extlist);
+}
+
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
STACK_OF(CONF_VALUE) **extlist)
{
- return X509V3_add_value(name, (const char *)value, extlist);
+ return x509v3_add_len_value(name, (const char *)value,
+ value != NULL ? strlen((const char *)value) : 0,
+ extlist);
+}
+
+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)
+{
+ return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
}
/* Free function for STACK_OF(CONF_VALUE) */
diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/x509.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/x509.h
index b53c2b0..7ffb8ab 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/x509.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/x509.h
@@ -8,6 +8,8 @@
*/
#include "internal/refcount.h"
+#include <openssl/x509.h>
+#include <openssl/conf.h>
/* Internal X509 structures and functions: not for application use */
@@ -284,3 +286,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc);
int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
void x509_init_sig_info(X509 *x);
+
+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist);
--
2.33.0

53
0092-Fix-POLICYINFO-printing-to-not-assume-NUL-terminated.patch Normal file
View File

@ -0,0 +1,53 @@
From 3667dd5072369630c0977833987a4fc6d0cd6c0f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 12:31:38 +0100
Subject: [PATCH 2/9] Fix POLICYINFO printing to not assume NUL terminated
strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
.../Library/OpensslLib/openssl/crypto/x509v3/v3_cpols.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_cpols.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_cpols.c
index 1d12c89..861e845 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_cpols.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_cpols.c
@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
qualinfo = sk_POLICYQUALINFO_value(quals, i);
switch (OBJ_obj2nid(qualinfo->pqualid)) {
case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
+ qualinfo->d.cpsuri->length,
qualinfo->d.cpsuri->data);
break;
@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
if (notice->noticeref) {
NOTICEREF *ref;
ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
+ ref->organization->length,
ref->organization->data);
BIO_printf(out, "%*sNumber%s: ", indent, "",
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
BIO_puts(out, "\n");
}
if (notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
+ notice->exptext->length,
notice->exptext->data);
}
--
2.33.0

33
0093-Fix-printing-of-PROXY_CERT_INFO_EXTENSION-to-not-ass.patch Normal file
View File

@ -0,0 +1,33 @@
From a38c0d6a477fca7df10bc8d57c7428f42f875fd9 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 14:02:40 +0100
Subject: [PATCH 3/9] Fix printing of PROXY_CERT_INFO_EXTENSION to not assume
NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_pci.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_pci.c
index 3d124fa..98b6ef2 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_pci.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_pci.c
@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
+ pci->proxyPolicy->policy->length,
pci->proxyPolicy->policy->data);
return 1;
}
--
2.33.0

190
0094-Fix-the-name-constraints-code-to-not-assume-NUL-term.patch Normal file
View File

@ -0,0 +1,190 @@
From 75797fee3d7ec2e69f6edaed8b317cc53782eccf Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 17:08:58 +0100
Subject: [PATCH 4/9] Fix the name constraints code to not assume NUL
terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
.../openssl/crypto/x509v3/v3_ncons.c | 77 +++++++++++++------
1 file changed, 52 insertions(+), 25 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_ncons.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_ncons.c
index 2a7b4f0..cb701c4 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_ncons.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_ncons.c
@@ -63,8 +63,31 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+#define IA5_OFFSET_LEN(ia5base, offset) \
+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
+
+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
+ * starting point to search from
+ */
+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
+
+/* Like memrrchr but for ASN1_IA5STRING */
+static char *ia5memrchr(ASN1_IA5STRING *str, int c)
+{
+ int i;
+
+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
+
+ if (i == 0)
+ return NULL;
+
+ return (char *)&str->data[i - 1];
+}
+
/*
- * We cannot use strncasecmp here because that applies locale specific rules.
+ * We cannot use strncasecmp here because that applies locale specific rules. It
+ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
* For example in Turkish 'I' is not the uppercase character for 'i'. We need to
* do a simple ASCII case comparison ignoring the locale (that is why we use
* numeric constants below).
@@ -89,20 +112,12 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
/* c1 > c2 */
return 1;
- } else if (*s1 == 0) {
- /* If we get here we know that *s2 == 0 too */
- return 0;
}
}
return 0;
}
-static int ia5casecmp(const char *s1, const char *s2)
-{
- return ia5ncasecmp(s1, s2, SIZE_MAX);
-}
-
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
@@ -337,7 +352,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
--utf8_length;
/* Reject *embedded* NULs */
- if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ if (memchr(utf8_value, 0, utf8_length) != NULL) {
OPENSSL_free(utf8_value);
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
@@ -536,9 +551,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
{
char *baseptr = (char *)base->data;
char *dnsptr = (char *)dns->data;
+
/* Empty matches everything */
- if (!*baseptr)
+ if (base->length == 0)
return X509_V_OK;
+
+ if (dns->length < base->length)
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
/*
* Otherwise can add zero or more components on the left so compare RHS
* and if dns is longer and expect '.' as preceding character.
@@ -549,7 +569,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
return X509_V_ERR_PERMITTED_VIOLATION;
}
- if (ia5casecmp(baseptr, dnsptr))
+ if (ia5ncasecmp(baseptr, dnsptr, base->length))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -560,16 +580,17 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
{
const char *baseptr = (char *)base->data;
const char *emlptr = (char *)eml->data;
+ const char *baseat = ia5memrchr(base, '@');
+ const char *emlat = ia5memrchr(eml, '@');
+ size_t basehostlen, emlhostlen;
- const char *baseat = strchr(baseptr, '@');
- const char *emlat = strchr(emlptr, '@');
if (!emlat)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (!baseat && (*baseptr == '.')) {
+ if (!baseat && base->length > 0 && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
- if (ia5casecmp(baseptr, emlptr) == 0)
+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
@@ -589,8 +610,10 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
baseptr = baseat + 1;
}
emlptr = emlat + 1;
+ basehostlen = IA5_OFFSET_LEN(base, baseptr);
+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
/* Just have hostname left to match: case insensitive */
- if (ia5casecmp(baseptr, emlptr))
+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -601,10 +624,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
{
const char *baseptr = (char *)base->data;
const char *hostptr = (char *)uri->data;
- const char *p = strchr(hostptr, ':');
+ const char *p = ia5memchr(uri, (char *)uri->data, ':');
int hostlen;
+
/* Check for foo:// and skip past it */
- if (!p || (p[1] != '/') || (p[2] != '/'))
+ if (p == NULL
+ || IA5_OFFSET_LEN(uri, p) < 3
+ || p[1] != '/'
+ || p[2] != '/')
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
hostptr = p + 3;
@@ -612,13 +639,13 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
/* Look for a port indicator as end of hostname first */
- p = strchr(hostptr, ':');
+ p = ia5memchr(uri, hostptr, ':');
/* Otherwise look for trailing slash */
- if (!p)
- p = strchr(hostptr, '/');
+ if (p == NULL)
+ p = ia5memchr(uri, hostptr, '/');
- if (!p)
- hostlen = strlen(hostptr);
+ if (p == NULL)
+ hostlen = IA5_OFFSET_LEN(uri, hostptr);
else
hostlen = p - hostptr;
@@ -626,7 +653,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (*baseptr == '.') {
+ if (base->length > 0 && *baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
if (ia5ncasecmp(p, baseptr, base->length) == 0)
--
2.33.0

39
0095-Fix-test-code-to-not-assume-NUL-terminated-strings.patch Normal file
View File

@ -0,0 +1,39 @@
From 60f5589c783f24b5b3b3d7257b422a27e1975631 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 17:37:41 +0100
Subject: [PATCH 5/9] Fix test code to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
.../Library/OpensslLib/openssl/test/x509_time_test.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/x509_time_test.c b/CryptoPkg/Library/OpensslLib/openssl/test/x509_time_test.c
index b6fd38a..d0993d9 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/x509_time_test.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/x509_time_test.c
@@ -330,10 +330,12 @@ static int test_x509_time(int idx)
/* if t is not NULL but expected_string is NULL, it is an 'OK' case too */
if (t != NULL && x509_format_tests[idx].expected_string) {
- if (!TEST_str_eq((const char *)t->data,
- x509_format_tests[idx].expected_string)) {
- TEST_info("test_x509_time(%d) failed: expected_string %s, got %s\n",
- idx, x509_format_tests[idx].expected_string, t->data);
+ if (!TEST_mem_eq((const char *)t->data, t->length,
+ x509_format_tests[idx].expected_string,
+ strlen(x509_format_tests[idx].expected_string))) {
+ TEST_info("test_x509_time(%d) failed: expected_string %s, got %.*s\n",
+ idx, x509_format_tests[idx].expected_string, t->length,
+ t->data);
goto out;
}
}
--
2.33.0

55
0096-Fix-append_ia5-function-to-not-assume-NUL-terminated.patch Normal file
View File

@ -0,0 +1,55 @@
From bdb229da3af51e369c97095a445d0d2139ce1b07 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 17:58:23 +0100
Subject: [PATCH 6/9] Fix append_ia5 function to not assume NUL terminated
strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
.../OpensslLib/openssl/crypto/x509v3/v3_utl.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
index 004ef55..513dc68 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_utl.c
@@ -528,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
- if (!email->data || !email->length)
+ if (email->data == NULL || email->length == 0)
+ return 1;
+ if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (*sk == NULL)
return 0;
+
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
+ if (emtmp == NULL)
+ return 0;
+
/* Don't add duplicates */
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
+ OPENSSL_free(emtmp);
return 1;
- emtmp = OPENSSL_strdup((char *)email->data);
- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
- OPENSSL_free(emtmp); /* free on push failure */
+ }
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
--
2.33.0

32
0097-Fix-NETSCAPE_SPKI_print-function-to-not-assume-NUL-t.patch Normal file
View File

@ -0,0 +1,32 @@
From 4e29f3192f39492f96c5e917659e15b5d62f66ff Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Aug 2021 12:23:38 +0100
Subject: [PATCH 7/9] Fix NETSCAPE_SPKI_print function to not assume NUL
terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/t_spki.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/t_spki.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/t_spki.c
index 51b56d0..64ee77e 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/t_spki.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/t_spki.c
@@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
}
chal = spki->spkac->challenge;
if (chal->length)
- BIO_printf(out, " Challenge String: %s\n", chal->data);
+ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
i = OBJ_obj2nid(spki->sig_algor.algorithm);
BIO_printf(out, " Signature Algorithm: %s",
(i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
--
2.33.0

36
0098-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch Normal file
View File

@ -0,0 +1,36 @@
From d229e59d3007ba8b2620a3014d96f4942651ff0d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Aug 2021 12:24:17 +0100
Subject: [PATCH 8/9] Fix EC_GROUP_new_from_ecparameters to check the base
length
Check that there's at least one byte in params->base before trying to
read it.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_asn1.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_asn1.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_asn1.c
index 336afc9..98a742d 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_asn1.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_asn1.c
@@ -747,7 +747,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
ret->seed_len = params->curve->seed->length;
}
- if (!params->order || !params->base || !params->base->data) {
+ if (params->order == NULL
+ || params->base == NULL
+ || params->base->data == NULL
+ || params->base->length == 0) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
goto err;
}
--
2.33.0

69
0099-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch Normal file
View File

@ -0,0 +1,69 @@
From 3b1f22885bdda25e26d41dee35554fe8fae41629 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH 9/9] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
.../OpensslLib/openssl/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_sqrt.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_sqrt.c
index 1723d5d..53b0f55 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_sqrt.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.33.0

32
0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch Normal file
View File

@ -0,0 +1,32 @@
From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Fri, 27 Sep 2024 12:08:55 -0700
Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
check to ensure that the addition does not overflow.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
---
MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 1102833..7fa4714 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -991,7 +991,7 @@ PeCoffLoaderRelocateImage (
RelocDir = &Hdr.Te->DataDirectory[0];
}
- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
+ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
RelocDir->VirtualAddress + RelocDir->Size - 1,
--
2.43.0

1251
0103-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch Normal file
View File

File diff suppressed because it is too large Load Diff

785
0104-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch Normal file
View File

@ -0,0 +1,785 @@
From eb90c439566cad8ee71d530d8dcd78b1300e0719 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Wed, 8 May 2024 22:56:29 -0700
Subject: [PATCH 2/2] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
REF: https://www.rfc-editor.org/rfc/rfc9293.txt
Bug Overview:
PixieFail Bug #8
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Updates TCP ISN generation to use a cryptographic hash of the
connection's identifying parameters and a secret key.
This prevents an attacker from guessing the ISN used for some other
connection.
This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
RFC: 9293 Section 3.4.1. Initial Sequence Number Selection
A TCP implementation MUST use the above type of "clock" for clock-
driven selection of initial sequence numbers (MUST-8), and SHOULD
generate its initial sequence numbers with the expression:
ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
where M is the 4 microsecond timer, and F() is a pseudorandom
function (PRF) of the connection's identifying parameters ("localip,
localport, remoteip, remoteport") and a secret key ("secretkey")
(SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or
an attacker could still guess at sequence numbers from the ISN used
for some other connection. The PRF could be implemented as a
cryptographic hash of the concatenation of the TCP connection
parameters and some secret data. For discussion of the selection of
a specific hash algorithm and management of the secret key data,
please see Section 3 of [42].
For each connection there is a send sequence number and a receive
sequence number. The initial send sequence number (ISS) is chosen by
the data sending TCP peer, and the initial receive sequence number
(IRS) is learned during the connection-establishing procedure.
For a connection to be established or initialized, the two TCP peers
must synchronize on each other's initial sequence numbers. This is
done in an exchange of connection-establishing segments carrying a
control bit called "SYN" (for synchronize) and the initial sequence
numbers. As a shorthand, segments carrying the SYN bit are also
called "SYNs". Hence, the solution requires a suitable mechanism for
picking an initial sequence number and a slightly involved handshake
to exchange the ISNs.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
---
NetworkPkg/TcpDxe/TcpDriver.c | 89 ++++++++++++-
NetworkPkg/TcpDxe/TcpDxe.inf | 8 +-
NetworkPkg/TcpDxe/TcpFunc.h | 23 ++--
NetworkPkg/TcpDxe/TcpInput.c | 13 +-
NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++--
NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++--
NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
7 files changed, 391 insertions(+), 48 deletions(-)
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 7071527..e2a29d9 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -83,6 +83,11 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = {
TcpServiceBindingDestroyChild
};
+//
+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
+// if the platform does not provide one.
+//
+EFI_HANDLE mHash2ServiceHandle = NULL;
/**
Create and start the heartbeat timer for the TCP driver.
@@ -169,6 +174,23 @@ TcpDriverEntryPoint (
EFI_STATUS Status;
UINT32 Random;
+ //
+ // Initialize the Secret used for hashing TCP sequence numbers
+ //
+ // Normally this should be regenerated periodically, but since
+ // this is only used for UEFI networking and not a general purpose
+ // operating system, it is not necessary to regenerate it.
+ //
+ Status = PseudoRandomU32 (&mTcpGlobalSecret);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+ return Status;
+ }
+
+ //
+ // Get a random number used to generate a random port number
+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
+ //
Status = PseudoRandomU32 (&Random);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
@@ -213,7 +235,6 @@ TcpDriverEntryPoint (
//
// Initialize ISS and random port.
//
- mTcpGlobalIss = Random % mTcpGlobalIss;
mTcp4RandomPort = (UINT16) (TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
mTcp6RandomPort = mTcp4RandomPort;
@@ -228,6 +249,8 @@ TcpDriverEntryPoint (
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
@retval EFI_OUT_OF_RESOURCES Failed to allocate some resources.
+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable.
+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller.
@retval EFI_SUCCESS A new IP6 service binding private was created.
**/
@@ -238,11 +261,13 @@ TcpCreateService (
IN UINT8 IpVersion
)
{
- EFI_STATUS Status;
- EFI_GUID *IpServiceBindingGuid;
- EFI_GUID *TcpServiceBindingGuid;
- TCP_SERVICE_DATA *TcpServiceData;
- IP_IO_OPEN_DATA OpenData;
+ EFI_STATUS Status;
+ EFI_GUID *IpServiceBindingGuid;
+ EFI_GUID *TcpServiceBindingGuid;
+ TCP_SERVICE_DATA *TcpServiceData;
+ IP_IO_OPEN_DATA OpenData;
+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
+ EFI_HASH2_PROTOCOL *Hash2Protocol;
if (IpVersion == IP_VERSION_4) {
IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid;
@@ -276,6 +301,33 @@ TcpCreateService (
return EFI_UNSUPPORTED;
}
+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
+ if (EFI_ERROR (Status)) {
+ //
+ // If we can't find the Hashing protocol, then we need to create one.
+ //
+
+ //
+ // Platform is expected to publish the hash service binding protocol to support TCP.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiHash2ServiceBindingProtocolGuid,
+ NULL,
+ (VOID **)&Hash2ServiceBinding
+ );
+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Create an instance of the hash protocol for this controller.
+ //
+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+ }
+
//
// Create the TCP service data.
//
@@ -428,6 +480,7 @@ TcpDestroyService (
EFI_STATUS Status;
LIST_ENTRY *List;
TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context;
+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
@@ -444,6 +497,30 @@ TcpDestroyService (
return EFI_SUCCESS;
}
+ //
+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
+ //
+ if (mHash2ServiceHandle != NULL) {
+ Status = gBS->LocateProtocol (
+ &gEfiHash2ServiceBindingProtocolGuid,
+ NULL,
+ (VOID **)&Hash2ServiceBinding
+ );
+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Destroy the instance of the hashing protocol for this controller.
+ //
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ mHash2ServiceHandle = NULL;
+ }
+
Status = gBS->OpenProtocol (
NicHandle,
ServiceBindingGuid,
diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index 1b30980..dc08f76 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -6,6 +6,7 @@
# stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
#
# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -68,7 +69,6 @@
NetLib
IpIoLib
-
[Protocols]
## SOMETIMES_CONSUMES
## SOMETIMES_PRODUCES
@@ -81,6 +81,12 @@
gEfiIp6ServiceBindingProtocolGuid ## TO_START
gEfiTcp6ProtocolGuid ## BY_START
gEfiTcp6ServiceBindingProtocolGuid ## BY_START
+ gEfiHash2ProtocolGuid ## BY_START
+ gEfiHash2ServiceBindingProtocolGuid ## BY_START
+
+[Guids]
+ gEfiHashAlgorithmMD5Guid ## CONSUMES
+ gEfiHashAlgorithmSha256Guid ## CONSUMES
[Depex]
gEfiHash2ServiceBindingProtocolGuid
diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
index 05cd3c7..72cf7b8 100644
--- a/NetworkPkg/TcpDxe/TcpFunc.h
+++ b/NetworkPkg/TcpDxe/TcpFunc.h
@@ -2,7 +2,7 @@
Declaration of external functions shared in TCP driver.
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -36,8 +36,11 @@ VOID
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
+ @retval EFI_SUCCESS The operation completed successfully
+ @retval others The underlying functions failed and could not complete the operation
+
**/
-VOID
+EFI_STATUS
TcpInitTcbLocal (
IN OUT TCP_CB *Tcb
);
@@ -128,17 +131,6 @@ TcpCloneTcb (
IN TCP_CB *Tcb
);
-/**
- Compute an ISS to be used by a new connection.
-
- @return The result ISS.
-
-**/
-TCP_SEQNO
-TcpGetIss (
- VOID
- );
-
/**
Get the local mss.
@@ -202,8 +194,11 @@ TcpFormatNetbuf (
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
connection.
+ @retval EFI_SUCCESS The operation completed successfully
+ @retval others The underlying functions failed and could not complete the operation
+
**/
-VOID
+EFI_STATUS
TcpOnAppConnect (
IN OUT TCP_CB *Tcb
);
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index 5e6c8c5..bf85846 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -759,6 +759,7 @@ TcpInput (
TCP_SEQNO Urg;
UINT16 Checksum;
INT32 Usable;
+ EFI_STATUS Status;
ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
@@ -908,7 +909,17 @@ TcpInput (
Tcb->LocalEnd.Port = Head->DstPort;
Tcb->RemoteEnd.Port = Head->SrcPort;
- TcpInitTcbLocal (Tcb);
+ Status = TcpInitTcbLocal (Tcb);
+ if (EFI_ERROR (Status)) {
+ DEBUG (
+ (DEBUG_ERROR,
+ "TcpInput: discard a segment because failed to init local end for TCB %p\n",
+ Tcb)
+ );
+
+ goto DISCARD;
+ }
+
TcpInitTcbPeer (Tcb, Seg, &Option);
TcpSetState (Tcb, TCP_SYN_RCVD);
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
index 35f12a1..7f517d5 100644
--- a/NetworkPkg/TcpDxe/TcpMain.h
+++ b/NetworkPkg/TcpDxe/TcpMain.h
@@ -3,7 +3,7 @@
It is the common head file for all Tcp*.c in TCP driver.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -13,6 +13,7 @@
#include <Protocol/ServiceBinding.h>
#include <Protocol/DriverBinding.h>
+#include <Protocol/Hash2.h>
#include <Library/IpIoLib.h>
#include <Library/DevicePathLib.h>
#include <Library/PrintLib.h>
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
extern LIST_ENTRY mTcpRunQue;
extern LIST_ENTRY mTcpListenQue;
-extern TCP_SEQNO mTcpGlobalIss;
+extern TCP_SEQNO mTcpGlobalSecret;
extern UINT32 mTcpTick;
///
@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
#define TCP_EXPIRE_TIME 65535
-///
-/// The implementation selects the initial send sequence number and the unit to
-/// be added when it is increased.
-///
-#define TCP_BASE_ISS 0x4d7e980b
-#define TCP_ISS_INCREMENT_1 2048
-#define TCP_ISS_INCREMENT_2 100
-
typedef union {
EFI_TCP4_CONFIG_DATA Tcp4CfgData;
EFI_TCP6_CONFIG_DATA Tcp6CfgData;
@@ -774,4 +767,50 @@ Tcp6Poll (
IN EFI_TCP6_PROTOCOL *This
);
+/**
+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
+ and remote IP addresses and ports.
+
+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
+ Where the ISN is computed as follows:
+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
+
+ Otherwise:
+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
+ ISN used for some other connection. The PRF could be implemented as a
+ cryptographic hash of the concatenation of the TCP connection parameters and some
+ secret data. For discussion of the selection of a specific hash algorithm and
+ management of the secret key data."
+
+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
+ @param[in] LocalPort The local port number of the TCP connection.
+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
+ @param[in] RemotePort The remote port number of the TCP connection.
+ @param[out] Isn A pointer to the variable that will receive the Initial
+ Sequence Number (ISN).
+
+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
+ retrieved.
+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
+ @retval EFI_UNSUPPORTED The operation is not supported.
+
+**/
+EFI_STATUS
+TcpGetIsn (
+ IN UINT8 *LocalIp,
+ IN UINTN LocalIpSize,
+ IN UINT16 LocalPort,
+ IN UINT8 *RemoteIp,
+ IN UINTN RemoteIpSize,
+ IN UINT16 RemotePort,
+ OUT TCP_SEQNO *Isn
+ );
+
#endif
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
index 73ed33d..18fa1d9 100644
--- a/NetworkPkg/TcpDxe/TcpMisc.c
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
@@ -3,7 +3,7 @@
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
-
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
&mTcpListenQue
};
-TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS;
+//
+// The Session secret
+// This must be initialized to a random value at boot time
+//
+TCP_SEQNO mTcpGlobalSecret;
+
+//
+// Union to hold either an IPv4 or IPv6 address
+// This is used to simplify the ISN hash computation
+//
+typedef union {
+ UINT8 IPv4[4];
+ UINT8 IPv6[16];
+} NETWORK_ADDRESS;
+
+//
+// The ISN is computed by hashing this structure
+// It is initialized with the local and remote IP addresses and ports
+// and the secret
+//
+//
+typedef struct {
+ UINT16 LocalPort;
+ UINT16 RemotePort;
+ NETWORK_ADDRESS LocalAddress;
+ NETWORK_ADDRESS RemoteAddress;
+ TCP_SEQNO Secret;
+} ISN_HASH_CTX;
CHAR16 *mTcpStateName[] = {
L"TCP_CLOSED",
@@ -42,12 +69,18 @@ CHAR16 *mTcpStateName[] = {
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
+ @retval EFI_SUCCESS The operation completed successfully
+ @retval others The underlying functions failed and could not complete the operation
+
**/
-VOID
+EFI_STATUS
TcpInitTcbLocal (
IN OUT TCP_CB *Tcb
)
{
+ TCP_SEQNO Isn;
+ EFI_STATUS Status;
+
//
// Compute the checksum of the fixed parts of pseudo header
//
@@ -58,6 +91,16 @@ TcpInitTcbLocal (
0x06,
0
);
+
+ Status = TcpGetIsn (
+ Tcb->LocalEnd.Ip.v4.Addr,
+ sizeof (IPv4_ADDRESS),
+ Tcb->LocalEnd.Port,
+ Tcb->RemoteEnd.Ip.v4.Addr,
+ sizeof (IPv4_ADDRESS),
+ Tcb->RemoteEnd.Port,
+ &Isn
+ );
} else {
Tcb->HeadSum = NetIp6PseudoHeadChecksum (
&Tcb->LocalEnd.Ip.v6,
@@ -65,9 +108,25 @@ TcpInitTcbLocal (
0x06,
0
);
+
+ Status = TcpGetIsn (
+ Tcb->LocalEnd.Ip.v6.Addr,
+ sizeof (IPv6_ADDRESS),
+ Tcb->LocalEnd.Port,
+ Tcb->RemoteEnd.Ip.v6.Addr,
+ sizeof (IPv6_ADDRESS),
+ Tcb->RemoteEnd.Port,
+ &Isn
+ );
+ }
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
+ ASSERT (FALSE);
+ return Status;
}
- Tcb->Iss = TcpGetIss ();
+ Tcb->Iss = Isn;
Tcb->SndUna = Tcb->Iss;
Tcb->SndNxt = Tcb->Iss;
@@ -83,6 +142,8 @@ TcpInitTcbLocal (
Tcb->RetxmitSeqMax = 0;
Tcb->ProbeTimerOn = FALSE;
+
+ return EFI_SUCCESS;
}
/**
@@ -512,18 +573,162 @@ TcpCloneTcb (
}
/**
- Compute an ISS to be used by a new connection.
-
- @return The resulting ISS.
+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
+ and remote IP addresses and ports.
+
+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
+ Where the ISN is computed as follows:
+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
+
+ Otherwise:
+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
+ ISN used for some other connection. The PRF could be implemented as a
+ cryptographic hash of the concatenation of the TCP connection parameters and some
+ secret data. For discussion of the selection of a specific hash algorithm and
+ management of the secret key data."
+
+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
+ @param[in] LocalPort The local port number of the TCP connection.
+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
+ @param[in] RemotePort The remote port number of the TCP connection.
+ @param[out] Isn A pointer to the variable that will receive the Initial
+ Sequence Number (ISN).
+
+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
+ retrieved.
+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
+ @retval EFI_UNSUPPORTED The operation is not supported.
**/
-TCP_SEQNO
-TcpGetIss (
- VOID
+EFI_STATUS
+TcpGetIsn (
+ IN UINT8 *LocalIp,
+ IN UINTN LocalIpSize,
+ IN UINT16 LocalPort,
+ IN UINT8 *RemoteIp,
+ IN UINTN RemoteIpSize,
+ IN UINT16 RemotePort,
+ OUT TCP_SEQNO *Isn
)
{
- mTcpGlobalIss += TCP_ISS_INCREMENT_1;
- return mTcpGlobalIss;
+ EFI_STATUS Status;
+ EFI_HASH2_PROTOCOL *Hash2Protocol;
+ EFI_HASH2_OUTPUT HashResult;
+ ISN_HASH_CTX IsnHashCtx;
+ EFI_TIME TimeStamp;
+
+ //
+ // Check that the ISN pointer is valid
+ //
+ if (Isn == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // The local ip may be a v4 or v6 address and may not be NULL
+ //
+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // the local ip may be a v4 or v6 address
+ //
+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Locate the Hash Protocol
+ //
+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
+
+ //
+ // TcpCreateService(..) is expected to be called prior to this function
+ //
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+ }
+
+ //
+ // Initialize the hash algorithm
+ //
+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
+ return Status;
+ }
+
+ IsnHashCtx.LocalPort = LocalPort;
+ IsnHashCtx.RemotePort = RemotePort;
+ IsnHashCtx.Secret = mTcpGlobalSecret;
+
+ //
+ // Check the IP address family and copy accordingly
+ //
+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
+ } else {
+ return EFI_INVALID_PARAMETER; // Unsupported address size
+ }
+
+ //
+ // Repeat the process for the remote IP address
+ //
+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
+ } else {
+ return EFI_INVALID_PARAMETER; // Unsupported address size
+ }
+
+ //
+ // Compute the hash
+ // Update the hash with the data
+ //
+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
+ return Status;
+ }
+
+ //
+ // Finalize the hash and retrieve the result
+ //
+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
+ return Status;
+ }
+
+ Status = gRT->GetTime (&TimeStamp, NULL);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ //
+ // copy the first 4 bytes of the hash result into the ISN
+ //
+ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
+
+ //
+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
+ //
+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
+
+ return Status;
}
/**
@@ -727,17 +932,28 @@ TcpFormatNetbuf (
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
connection.
+ @retval EFI_SUCCESS The operation completed successfully
+ @retval others The underlying functions failed and could not complete the operation
+
**/
-VOID
+EFI_STATUS
TcpOnAppConnect (
IN OUT TCP_CB *Tcb
)
{
- TcpInitTcbLocal (Tcb);
+ EFI_STATUS Status;
+
+ Status = TcpInitTcbLocal (Tcb);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
TcpSetState (Tcb, TCP_SYN_SENT);
TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
TcpToSendData (Tcb, 1);
+
+ return EFI_SUCCESS;
}
/**
diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
index 106d947..4d0b7fe 100644
--- a/NetworkPkg/TcpDxe/TcpTimer.c
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
@@ -2,7 +2,7 @@
TCP timer related functions.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -497,7 +497,6 @@ TcpTickingDpc (
INT16 Index;
mTcpTick++;
- mTcpGlobalIss += TCP_ISS_INCREMENT_2;
//
// Don't use LIST_FOR_EACH, which isn't delete safe.
--
2.33.0

37
edk2.spec
View File

@ -5,7 +5,7 @@
Name: edk2
Version: %{stable_date}
Release: 22
Release: 26
Summary: EFI Development Kit II
License: BSD-2-Clause-Patent
URL: https://github.com/tianocore/edk2
@ -104,6 +104,27 @@ Patch0088: 0086-Hardening-around-not_resumable-sessions.patch
Patch0089: 0087-Add-a-test-for-session-cache-overflow.patch
Patch0090: 0088-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
Patch0091: 0089-Fix-SSL_select_next_proto-and-add-ALPN-validation-in.patch
Patch0092: 0090-Add-a-test-for-ALPN-and-NPN.patch
Patch0093: 0091-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-st.patch
Patch0094: 0092-Fix-POLICYINFO-printing-to-not-assume-NUL-terminated.patch
Patch0095: 0093-Fix-printing-of-PROXY_CERT_INFO_EXTENSION-to-not-ass.patch
Patch0096: 0094-Fix-the-name-constraints-code-to-not-assume-NUL-term.patch
Patch0097: 0095-Fix-test-code-to-not-assume-NUL-terminated-strings.patch
Patch0098: 0096-Fix-append_ia5-function-to-not-assume-NUL-terminated.patch
Patch0099: 0097-Fix-NETSCAPE_SPKI_print-function-to-not-assume-NUL-t.patch
Patch0100: 0098-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
Patch0101: 0099-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
# Fix CVE-2024-38796
patch0102: 0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
# Fix CVE-2023-45236、CVE-2023-45237
patch0103: 0103-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
patch0104: 0104-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
%description
@ -298,6 +319,18 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
%endif
%changelog
* Mon Oct 14 2024 shenyage<shenyage1@huawei.com> - 202002-26
- fix CVE-2023-45236、CVE-2023-45237
* Wed Oct 09 2024 zhangxianting <zhangxianting@uniontech.com> - 202002-25
- fix CVE-2024-38796
* Tue Sep 3 2024 shenyage<shenyage1@huawei.com> - 202002-24
- fix CVE-2021-3712、CVE-2022-0778
* Thu Jul 11 2024 shenyage<shenyage1@huawei.com> - 202002-23
- fix CVE-2024-5535
* Tue Jun 11 2024 shenyage<shenyage1@huawei.com> - 202002-22
- fix CVE-2024-1298
@ -355,7 +388,7 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
* Mon Jun 28 2021 Jiajie Li <lijiajie11@huawei.com> - 202002-4
- Fix CVE-2021-28210
* Wed 19 May 2021 openEuler Buildteam <buildteam@openeuler.org> - 202002-3
* Wed May 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 202002-3
Fix CVE-2019-14562
* Wed Oct 14 2020 zhangxinhao <zhangxinhao1@huawei.com> - 202002-2