diff --git a/0022-Bugfix-for-CVE-2023-45236-CVE-2023-45237.patch b/1001-Bugfix-for-CVE-2023-45237.patch similarity index 56% rename from 0022-Bugfix-for-CVE-2023-45236-CVE-2023-45237.patch rename to 1001-Bugfix-for-CVE-2023-45237.patch index 1caaa010560975f58dcd57e8e1804de3508d9afb..7f2801efc53b5a281b1eef34d86a8270e13de4e9 100644 --- a/0022-Bugfix-for-CVE-2023-45236-CVE-2023-45237.patch +++ b/1001-Bugfix-for-CVE-2023-45237.patch @@ -1,41 +1,118 @@ -From 1c9af085980f33cb9fe9d824b7d3e65226c0d20a Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 5 Aug 2024 09:08:42 +0800 -Subject: [PATCH] Bugfix for CVE-2023-45236 & CVE-2023-45237 - ---- - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 9 +- - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 9 +- - NetworkPkg/DnsDxe/DnsDhcp.c | 9 +- - NetworkPkg/DnsDxe/DnsImpl.c | 10 +- - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 9 +- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 18 ++- - NetworkPkg/IScsiDxe/IScsiMisc.c | 13 +-- - NetworkPkg/IScsiDxe/IScsiMisc.h | 5 +- - NetworkPkg/Include/Library/NetLib.h | 26 +++-- - NetworkPkg/Ip4Dxe/Ip4Driver.c | 9 +- - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- - NetworkPkg/Ip6Dxe/Ip6Driver.c | 15 ++- - NetworkPkg/Ip6Dxe/Ip6If.c | 10 +- - NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- - NetworkPkg/Ip6Dxe/Ip6Nd.c | 31 ++++- - NetworkPkg/Ip6Dxe/Ip6Nd.h | 6 +- - NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 +++++++++++++++++---- - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 7 ++ - NetworkPkg/NetworkPkg.dec | 6 + - NetworkPkg/TcpDxe/TcpDriver.c | 13 ++- - NetworkPkg/Udp4Dxe/Udp4Driver.c | 9 +- - NetworkPkg/Udp6Dxe/Udp6Driver.c | 9 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 7 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 1 - - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 11 +- - 25 files changed, 316 insertions(+), 77 deletions(-) - -diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -index 8c37e93b..338b1bee 100644 ---- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -@@ -189,6 +189,13 @@ Dhcp4CreateService ( +From b2669f14cbc7a8a4d121e2cffa1372aa8d9ae0df Mon Sep 17 00:00:00 2001 +From: Doug Flick +Date: Wed, 8 May 2024 22:56:28 -0700 +Subject: [PATCH] NetworkPkg: SECURITY PATCH CVE-2023-45237 + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 + +Bug Overview: +PixieFail Bug #9 +CVE-2023-45237 +CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N +CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) + +Use of a Weak PseudoRandom Number Generator + +Change Overview: + +Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either + +> +> EFI_STATUS +> EFIAPI +> PseudoRandomU32 ( +> OUT UINT32 *Output +> ); +> + +or (depending on the use case) + +> +> EFI_STATUS +> EFIAPI +> PseudoRandom ( +> OUT VOID *Output, +> IN UINTN OutputLength +> ); +> + +This is because the use of + +Example: + +The following code snippet PseudoRandomU32 () function is used: + +> +> UINT32 Random; +> +> Status = PseudoRandomU32 (&Random); +> if (EFI_ERROR (Status)) { +> DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", +__func__, Status)); +> return Status; +> } +> + +This also introduces a new PCD to enable/disable the use of the +secure implementation of algorithms for PseudoRandom () and +instead depend on the default implementation. This may be required for +some platforms where the UEFI Spec defined algorithms are not available. + +> +> PcdEnforceSecureRngAlgorithms +> + +If the platform does not have any one of the UEFI defined +secure RNG algorithms then the driver will assert. + +Cc: Saloni Kasbekar +Cc: Zachary Clark-williams + +Signed-off-by: Doug Flick [MSFT] +Reviewed-by: Saloni Kasbekar +--- + NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- + NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- + NetworkPkg/DnsDxe/DnsDhcp.c | 10 +- + NetworkPkg/DnsDxe/DnsImpl.c | 11 +- + NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++- + NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-- + NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +- + NetworkPkg/Include/Library/NetLib.h | 40 +++++-- + NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- + NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- + NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- + NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- + NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- + NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 +++++- + NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- + NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 ++++++++++++++++++--- + NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++- + NetworkPkg/NetworkPkg.dec | 7 ++ + NetworkPkg/SecurityFixes.yaml | 39 +++++++ + NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- + NetworkPkg/TcpDxe/TcpDxe.inf | 3 + + NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +- + NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +- + NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- + NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- + NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- + 27 files changed, 410 insertions(+), 83 deletions(-) + +diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c +index 8c37e93be3a8..892caee36846 100644 +--- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c ++++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c +@@ -1,6 +1,7 @@ + /** @file + + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -189,6 +190,13 @@ Dhcp4CreateService ( { DHCP_SERVICE *DhcpSb; EFI_STATUS Status; @@ -43,13 +120,13 @@ index 8c37e93b..338b1bee 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } *Service = NULL; DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE)); -@@ -203,7 +210,7 @@ Dhcp4CreateService ( +@@ -203,7 +211,7 @@ Dhcp4CreateService ( DhcpSb->Image = ImageHandle; InitializeListHead (&DhcpSb->Children); DhcpSb->DhcpState = Dhcp4Stopped; @@ -58,11 +135,20 @@ index 8c37e93b..338b1bee 100644 CopyMem ( &DhcpSb->ServiceBinding, &mDhcp4ServiceBindingTemplate, -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -index b591a460..1e49990b 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -@@ -123,6 +123,13 @@ Dhcp6CreateService ( +diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c +index b591a4605bc9..e7f2787a98ba 100644 +--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c ++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c +@@ -3,7 +3,7 @@ + implementation for Dhcp6 Driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -123,6 +123,13 @@ Dhcp6CreateService ( { DHCP6_SERVICE *Dhcp6Srv; EFI_STATUS Status; @@ -70,13 +156,13 @@ index b591a460..1e49990b 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } *Service = NULL; Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE)); -@@ -147,7 +154,7 @@ Dhcp6CreateService ( +@@ -147,7 +154,7 @@ Dhcp6CreateService ( Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE; Dhcp6Srv->Controller = Controller; Dhcp6Srv->Image = ImageHandle; @@ -85,11 +171,19 @@ index b591a460..1e49990b 100644 CopyMem ( &Dhcp6Srv->ServiceBinding, -diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c -index 933565a3..0b95d528 100644 ---- a/NetworkPkg/DnsDxe/DnsDhcp.c -+++ b/NetworkPkg/DnsDxe/DnsDhcp.c -@@ -277,6 +277,7 @@ GetDns4ServerFromDhcp4 ( +diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c +index 933565a32df1..9eb3c1d2d81d 100644 +--- a/NetworkPkg/DnsDxe/DnsDhcp.c ++++ b/NetworkPkg/DnsDxe/DnsDhcp.c +@@ -2,6 +2,7 @@ + Functions implementation related with DHCPv4/v6 for DNS driver. + + Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 ( EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token; BOOLEAN IsDone; UINTN Index; @@ -97,20 +191,20 @@ index 933565a3..0b95d528 100644 Image = Instance->Service->ImageHandle; Controller = Instance->Service->ControllerHandle; -@@ -292,6 +293,12 @@ GetDns4ServerFromDhcp4 ( +@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 ( Data = NULL; InterfaceInfo = NULL; + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + ZeroMem ((UINT8 *)ParaList, sizeof (ParaList)); ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA)); -@@ -467,7 +474,7 @@ GetDns4ServerFromDhcp4 ( +@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 ( Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet); @@ -119,11 +213,19 @@ index 933565a3..0b95d528 100644 Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000); -diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c -index d3118128..876b163c 100644 ---- a/NetworkPkg/DnsDxe/DnsImpl.c -+++ b/NetworkPkg/DnsDxe/DnsImpl.c -@@ -1963,6 +1963,14 @@ ConstructDNSQuery ( +diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c +index d311812800fd..c2629bb8df1f 100644 +--- a/NetworkPkg/DnsDxe/DnsImpl.c ++++ b/NetworkPkg/DnsDxe/DnsImpl.c +@@ -2,6 +2,7 @@ + DnsDxe support functions implementation. + + Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -1963,6 +1964,14 @@ ConstructDNSQuery ( NET_FRAGMENT Frag; DNS_HEADER *DnsHeader; DNS_QUERY_SECTION *DnsQuery; @@ -132,13 +234,13 @@ index d3118128..876b163c 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } // // Messages carried by UDP are restricted to 512 bytes (not counting the IP -@@ -1977,7 +1985,7 @@ ConstructDNSQuery ( +@@ -1977,7 +1986,7 @@ ConstructDNSQuery ( // Fill header // DnsHeader = (DNS_HEADER *)Frag.Bulk; @@ -147,11 +249,19 @@ index d3118128..876b163c 100644 DnsHeader->Flags.Uint16 = 0x0000; DnsHeader->Flags.Bits.RD = 1; DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD; -diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -index b22cef4f..74b86340 100644 ---- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -@@ -951,6 +951,7 @@ HttpBootDhcp6Sarr ( +diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +index b22cef4ff587..f964515b0fa6 100644 +--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c ++++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +@@ -2,6 +2,7 @@ + Functions implementation related with DHCPv6 for HTTP boot driver. + + Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr ( UINT32 OptCount; UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE]; EFI_STATUS Status; @@ -159,20 +269,20 @@ index b22cef4f..74b86340 100644 Dhcp6 = Private->Dhcp6; ASSERT (Dhcp6 != NULL); -@@ -961,6 +962,12 @@ HttpBootDhcp6Sarr ( +@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr ( OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer); ASSERT (OptCount > 0); + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION)); if (Retransmit == NULL) { return EFI_OUT_OF_RESOURCES; -@@ -976,7 +983,7 @@ HttpBootDhcp6Sarr ( +@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr ( Config.IaInfoEvent = NULL; Config.RapidCommit = FALSE; Config.ReconfigureAccept = FALSE; @@ -181,11 +291,19 @@ index b22cef4f..74b86340 100644 Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA; Config.SolicitRetransmission = Retransmit; Retransmit->Irt = 4; -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index b507f11c..9dda7d1f 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -576,16 +576,24 @@ IScsiCHAPToSendReq ( +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index b507f11cd45e..bebb1ac29b9c 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -3,6 +3,7 @@ + Configuration. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -576,16 +577,24 @@ IScsiCHAPToSendReq ( // // CHAP_I= // @@ -215,11 +333,19 @@ index b507f11c..9dda7d1f 100644 BinToHexStatus = IScsiBinToHex ( (UINT8 *)AuthData->OutChallenge, AuthData->Hash->DigestSize, -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index 78dc5c73..5c67f532 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -474,20 +474,17 @@ IScsiNetNtoi ( +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 78dc5c73d35a..2159b8494963 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -2,6 +2,7 @@ + Miscellaneous routines for iSCSI driver. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -474,20 +475,17 @@ IScsiNetNtoi ( @param[in, out] Rand The buffer to contain random numbers. @param[in] RandLength The length of the Rand buffer. @@ -245,11 +371,19 @@ index 78dc5c73..5c67f532 100644 } /** -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index a951eee7..82c15986 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -202,8 +202,11 @@ IScsiNetNtoi ( +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index a951eee70ec9..91b2cd22613d 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -2,6 +2,7 @@ + Miscellaneous definitions for iSCSI driver. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -202,8 +203,11 @@ IScsiNetNtoi ( @param[in, out] Rand The buffer to contain random numbers. @param[in] RandLength The length of the Rand buffer. @@ -262,11 +396,19 @@ index a951eee7..82c15986 100644 IScsiGenRandom ( IN OUT UINT8 *Rand, IN UINTN RandLength -diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h -index 8c0e62b3..d2b17876 100644 ---- a/NetworkPkg/Include/Library/NetLib.h -+++ b/NetworkPkg/Include/Library/NetLib.h -@@ -539,8 +539,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr; +diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h +index 8c0e62b3889c..e8108b79db8f 100644 +--- a/NetworkPkg/Include/Library/NetLib.h ++++ b/NetworkPkg/Include/Library/NetLib.h +@@ -3,6 +3,7 @@ + It provides basic functions for the UEFI network stack. + + Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr; #define TICKS_PER_MS 10000U #define TICKS_PER_SECOND 10000000U @@ -275,30 +417,27 @@ index 8c0e62b3..d2b17876 100644 /** Extract a UINT32 from a byte stream. -@@ -579,20 +577,24 @@ NetPutUint32 ( - IN UINT32 Data +@@ -580,19 +579,40 @@ NetPutUint32 ( ); --/** + /** - Initialize a random seed using current time and monotonic count. -+/* -+Generate a 32-bit pseudo-random number. ++ Generate a Random output data given a length. - Get current time and monotonic count first. Then initialize a random seed - based on some basic mathematics operation on the hour, day, minute, second, - nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random number. ++ @param[out] Output - The buffer to store the generated random data. ++ @param[in] OutputLength - The length of the output buffer. - @return The random seed initialized with current time. -+@return EFI_SUCCESS on success, error code on failure. -+*/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output -+ ); ++ @retval EFI_SUCCESS On Success ++ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() --**/ ++ @return Status code + **/ -UINT32 +EFI_STATUS EFIAPI @@ -307,14 +446,39 @@ index 8c0e62b3..d2b17876 100644 +PseudoRandom ( + OUT VOID *Output, + IN UINTN OutputLength ++ ); ++ ++/** ++ Generate a 32-bit pseudo-random number. ++ ++ @param[out] Output - The buffer to store the generated random number. ++ ++ @retval EFI_SUCCESS On Success ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() ++ ++ @return Status code ++**/ ++EFI_STATUS ++EFIAPI ++PseudoRandomU32 ( ++ OUT UINT32 *Output ); #define NET_LIST_USER_STRUCT(Entry, Type, Field) \ -diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c -index ec483ff0..3b3544d3 100644 ---- a/NetworkPkg/Ip4Dxe/Ip4Driver.c -+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c -@@ -549,11 +549,18 @@ Ip4DriverBindingStart ( +diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c +index ec483ff01fa9..683423f38dc7 100644 +--- a/NetworkPkg/Ip4Dxe/Ip4Driver.c ++++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c +@@ -2,6 +2,7 @@ + The driver binding and service binding protocol for IP4 driver. + + Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -549,11 +550,18 @@ Ip4DriverBindingStart ( EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2; UINTN Index; IP4_CONFIG2_DATA_ITEM *DataItem; @@ -326,14 +490,14 @@ index ec483ff0..3b3544d3 100644 + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + // // Test for the Ip4 service binding protocol // -@@ -653,7 +660,7 @@ Ip4DriverBindingStart ( +@@ -653,7 +661,7 @@ Ip4DriverBindingStart ( // // Initialize the IP4 ID // @@ -342,11 +506,11 @@ index ec483ff0..3b3544d3 100644 return Status; -diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -index 70e232ce..cadb99a3 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance ( +diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +index 70e232ce6c4d..4c1354d26cc1 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c ++++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance ( UINTN Index; UINT16 IfIndex; IP6_CONFIG_DATA_ITEM *DataItem; @@ -354,13 +518,13 @@ index 70e232ce..cadb99a3 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance); -@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance ( +@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance ( // The NV variable is not set, so generate a random IAID, and write down the // fresh new configuration as the NV variable now. // @@ -369,11 +533,20 @@ index 70e232ce..cadb99a3 100644 for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) { Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31)); -diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c -index b483a7d1..05854202 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Driver.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c -@@ -316,7 +316,11 @@ Ip6CreateService ( +diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c +index b483a7d136d9..cbe011dad472 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Driver.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c +@@ -3,7 +3,7 @@ + + Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+ (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -316,7 +316,11 @@ Ip6CreateService ( IpSb->CurHopLimit = IP6_HOP_LIMIT; IpSb->LinkMTU = IP6_MIN_LINK_MTU; IpSb->BaseReachableTime = IP6_REACHABLE_TIME; @@ -386,7 +559,7 @@ index b483a7d1..05854202 100644 // // RFC4861 RETRANS_TIMER: 1,000 milliseconds // -@@ -516,11 +520,18 @@ Ip6DriverBindingStart ( +@@ -516,11 +520,18 @@ Ip6DriverBindingStart ( EFI_STATUS Status; EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg; IP6_CONFIG_DATA_ITEM *DataItem; @@ -398,14 +571,14 @@ index b483a7d1..05854202 100644 + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + // // Test for the Ip6 service binding protocol // -@@ -656,7 +667,7 @@ Ip6DriverBindingStart ( +@@ -656,7 +667,7 @@ Ip6DriverBindingStart ( // // Initialize the IP6 ID // @@ -414,11 +587,20 @@ index b483a7d1..05854202 100644 return EFI_SUCCESS; -diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c -index 4629c05f..8c044adf 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6If.c -+++ b/NetworkPkg/Ip6Dxe/Ip6If.c -@@ -89,6 +89,14 @@ Ip6SetAddress ( +diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c +index 4629c05f25a0..f3d11c4d2155 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6If.c ++++ b/NetworkPkg/Ip6Dxe/Ip6If.c +@@ -2,7 +2,7 @@ + Implement IP6 pseudo interface. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -89,6 +89,14 @@ Ip6SetAddress ( IP6_PREFIX_LIST_ENTRY *PrefixEntry; UINT64 Delay; IP6_DELAY_JOIN_LIST *DelayNode; @@ -427,13 +609,13 @@ index 4629c05f..8c044adf 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE); -@@ -164,7 +172,7 @@ Ip6SetAddress ( +@@ -164,7 +172,7 @@ Ip6SetAddress ( // Thus queue the address to be processed in Duplicate Address Detection module // after the delay time (in milliseconds). // @@ -442,11 +624,11 @@ index 4629c05f..8c044adf 100644 Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS); Delay = RShiftU64 (Delay, 32); -diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c -index e6b2b653..c2ead864 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Mld.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c -@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer ( +diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c +index e6b2b653e295..498a11854305 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Mld.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c +@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer ( IN OUT IP6_MLD_GROUP *Group ) { @@ -457,13 +639,13 @@ index e6b2b653..c2ead864 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } // // If the Query packet specifies a Maximum Response Delay of zero, perform timer -@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer ( +@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer ( // is less than the remaining value of the running timer. // if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) { @@ -472,11 +654,20 @@ index e6b2b653..c2ead864 100644 } return EFI_SUCCESS; -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c -index c10c7017..1d51e11f 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c -@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; +diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c +index c10c7017f88d..72aa45c10f3f 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Nd.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c +@@ -2,7 +2,7 @@ + Implementation of Neighbor Discovery support routines. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; @param[in, out] IpSb Points to the IP6_SERVICE. @@ -492,14 +683,14 @@ index c10c7017..1d51e11f 100644 - UINT32 Random; + UINT32 Random; + EFI_STATUS Status; -+ + +- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } - -- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; ++ + Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED; IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE; @@ -508,7 +699,7 @@ index c10c7017..1d51e11f 100644 } /** -@@ -972,10 +983,17 @@ Ip6InitDADProcess ( +@@ -972,10 +983,17 @@ Ip6InitDADProcess ( IP6_SERVICE *IpSb; EFI_STATUS Status; UINT32 MaxDelayTick; @@ -519,14 +710,14 @@ index c10c7017..1d51e11f 100644 + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + // // Do nothing if we have already started DAD on the address. // -@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( +@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( Entry->Transmit = 0; Entry->Receive = 0; MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS; @@ -535,7 +726,7 @@ index c10c7017..1d51e11f 100644 Entry->AddressInfo = AddressInfo; Entry->Callback = Callback; Entry->Context = Context; -@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( +@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( // in BaseReachableTime and recompute a ReachableTime. // IpSb->BaseReachableTime = ReachableTime; @@ -547,11 +738,20 @@ index c10c7017..1d51e11f 100644 } if (RetransTimer != 0) { -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h -index bf64e911..739e87ff 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h -@@ -780,10 +780,10 @@ Ip6OnArpResolved ( +diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h +index bf64e9114e13..5795e23c7d71 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h ++++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h +@@ -2,7 +2,7 @@ + Definition of Neighbor Discovery support routines. + + Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -780,10 +780,10 @@ Ip6OnArpResolved ( /** Update the ReachableTime in IP6 service binding instance data, in milliseconds. @@ -565,11 +765,19 @@ index bf64e911..739e87ff 100644 Ip6UpdateReachableTime ( IN OUT IP6_SERVICE *IpSb ); -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -index fd4a9e15..a1b42adc 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -@@ -31,6 +31,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent +diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +index fd4a9e15a892..01c13c08d203 100644 +--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c ++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +@@ -3,6 +3,7 @@ + + Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2015 Hewlett Packard Enterprise Development LP
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include @@ -577,55 +785,54 @@ index fd4a9e15..a1b42adc 100644 #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) #define DEFAULT_ZERO_START ((UINTN) ~0) -@@ -127,6 +128,24 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { +@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { 0 }; +// -+// These represent UEFI SPEC & NIST SP-800-90 approved algorithms that should be supported by the RNG protocol -+// and are generally considered secure. This list enforces a minimum set of secure algorithms that must -+// be supported by the RNG protocol. ++// These represent UEFI SPEC defined algorithms that should be supported by ++// the RNG protocol and are generally considered secure. +// -+// The order of the algorithms in this array is important. The first algorithm that is supported by the RNG -+// protocol will be used to generate the seed for the random number generator. -+// If your platform needs to use a specific algorithm to generate the seed for the random number generator, ++// The order of the algorithms in this array is important. This order is the order ++// in which the algorithms will be tried by the RNG protocol. ++// If your platform needs to use a specific algorithm for the random number generator, +// then you should place that algorithm first in the array. +// +GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = { + &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256 + &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256 -+ &gEfiRngAlgorithmSp80090Hash256Guid // SP800-90A DRBG Hash using SHA-256 ++ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256 ++ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register ++ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG) +}; + -+#define mSecureHashAlgorithmsSize (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) ++#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) + /** Locate the handles that support SNP, then open one of them to send the syslog packets. The caller isn't required to close -@@ -883,35 +902,104 @@ Ip6Swap128 ( - return Ip6; +@@ -884,34 +905,107 @@ Ip6Swap128 ( } --/** + /** - Initialize a random seed using current time and monotonic count. -+/* -+Generate a Random output data given a length. ++ Generate a Random output data given a length. - Get current time and monotonic count first. Then initialize a random seed - based on some basic mathematics operation on the hour, day, minute, second, - nanosecond and year of the current time and the monotonic count value. -+@param[out] Output - The buffer to store the generated random data. -+@param[in] OutputLength - The length of the output buffer. ++ @param[out] Output - The buffer to store the generated random data. ++ @param[in] OutputLength - The length of the output buffer. - @return The random seed initialized with current time. -- --**/ ++ @retval EFI_SUCCESS On Success ++ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() + ++ @return Status code + **/ -UINT32 -+@retval EFI_SUCCESS On Success -+@retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+@retval EFI_NOT_FOUND RNG protocol not found -+@Retval Others Error from RngProtocol->GetRNG() -+*/ +EFI_STATUS EFIAPI -NetRandomInitSeed ( @@ -640,6 +847,7 @@ index fd4a9e15..a1b42adc 100644 - UINT64 MonotonicCount; + EFI_RNG_PROTOCOL *RngProtocol; + EFI_STATUS Status; ++ UINTN AlgorithmIndex; + + if ((Output == NULL) || (OutputLength == 0)) { + return EFI_INVALID_PARAMETER; @@ -653,8 +861,8 @@ index fd4a9e15..a1b42adc 100644 + } + + if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) { -+ for (UINTN i = 0; i < mSecureHashAlgorithmsSize; i++) { -+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[i], OutputLength, (UINT8 *)Output); ++ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) { ++ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output); + if (!EFI_ERROR (Status)) { + // + // Secure Algorithm was supported on this platform @@ -664,7 +872,7 @@ index fd4a9e15..a1b42adc 100644 + // + // Secure Algorithm was not supported on this platform + // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", i, Status)); ++ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); + + // + // Try the next secure algorithm @@ -674,7 +882,7 @@ index fd4a9e15..a1b42adc 100644 + // + // Some other error occurred + // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", i, Status)); ++ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } @@ -687,37 +895,38 @@ index fd4a9e15..a1b42adc 100644 + ASSERT_EFI_ERROR (Status); + return Status; + } - -- gRT->GetTime (&Time, NULL); -- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second); -- Seed ^= Time.Nanosecond; -- Seed ^= Time.Year << 7; ++ + // + // Lets try using the default algorithm (which may not be secure) + // + Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } -- gBS->GetNextMonotonicCount (&MonotonicCount); -- Seed += (UINT32)MonotonicCount; +- gRT->GetTime (&Time, NULL); +- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second); +- Seed ^= Time.Nanosecond; +- Seed ^= Time.Year << 7; + return EFI_SUCCESS; +} ++ ++/** ++ Generate a 32-bit pseudo-random number. + +- gBS->GetNextMonotonicCount (&MonotonicCount); +- Seed += (UINT32)MonotonicCount; ++ @param[out] Output - The buffer to store the generated random number. - return Seed; -+/* -+Generate a 32-bit pseudo-random number. ++ @retval EFI_SUCCESS On Success ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() + -+@param[out] Output - The buffer to store the generated random number. -+ -+@retval EFI_SUCCESS On Success -+@retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+@retval EFI_NOT_FOUND RNG protocol not found -+@Retval Others Error from RngProtocol->GetRNG() -+*/ ++ @return Status code ++**/ +EFI_STATUS +EFIAPI +PseudoRandomU32 ( @@ -728,21 +937,32 @@ index fd4a9e15..a1b42adc 100644 } /** -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -index 8145d256..98152b1f 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -@@ -50,6 +50,9 @@ +diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +index 8145d256ec10..a8f534a29358 100644 +--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf ++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +@@ -3,6 +3,7 @@ + # + # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+ # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
++# Copyright (c) Microsoft Corporation + # SPDX-License-Identifier: BSD-2-Clause-Patent + # + ## +@@ -49,7 +50,11 @@ + gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES - +- ++ gEfiRngAlgorithmRaw ## CONSUMES + gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES + gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES + gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES ++ gEfiRngAlgorithmArmRndr ## CONSUMES [Protocols] gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES -@@ -59,3 +62,7 @@ +@@ -59,3 +64,10 @@ gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES @@ -750,11 +970,22 @@ index 8145d256..98152b1f 100644 + +[FixedPcd] + gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES -diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec -index e06f35e7..6957890e 100644 ---- a/NetworkPkg/NetworkPkg.dec -+++ b/NetworkPkg/NetworkPkg.dec -@@ -130,6 +130,12 @@ ++ ++[Depex] ++ gEfiRngProtocolGuid +diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec +index e06f35e7747c..7c4289b77b21 100644 +--- a/NetworkPkg/NetworkPkg.dec ++++ b/NetworkPkg/NetworkPkg.dec +@@ -5,6 +5,7 @@ + # + # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
+ # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
++# Copyright (c) Microsoft Corporation + # + # SPDX-License-Identifier: BSD-2-Clause-Patent + # +@@ -130,6 +131,12 @@ # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C @@ -767,11 +998,67 @@ index e06f35e7..6957890e 100644 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 98a90e02..3ad6bd4e 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( +diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml +index fa42025e0d82..20a4555019d9 100644 +--- a/NetworkPkg/SecurityFixes.yaml ++++ b/NetworkPkg/SecurityFixes.yaml +@@ -122,3 +122,42 @@ CVE_2023_45235: + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html ++CVE_2023_45237: ++ commit_titles: ++ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" ++ cve: CVE-2023-45237 ++ date_reported: 2023-08-28 13:56 UTC ++ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator" ++ note: ++ files_impacted: ++ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c ++ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c ++ - NetworkPkg/DnsDxe/DnsDhcp.c ++ - NetworkPkg/DnsDxe/DnsImpl.c ++ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c ++ - NetworkPkg/IScsiDxe/IScsiCHAP.c ++ - NetworkPkg/IScsiDxe/IScsiMisc.c ++ - NetworkPkg/IScsiDxe/IScsiMisc.h ++ - NetworkPkg/Include/Library/NetLib.h ++ - NetworkPkg/Ip4Dxe/Ip4Driver.c ++ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c ++ - NetworkPkg/Ip6Dxe/Ip6Driver.c ++ - NetworkPkg/Ip6Dxe/Ip6If.c ++ - NetworkPkg/Ip6Dxe/Ip6Mld.c ++ - NetworkPkg/Ip6Dxe/Ip6Nd.c ++ - NetworkPkg/Ip6Dxe/Ip6Nd.h ++ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c ++ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf ++ - NetworkPkg/NetworkPkg.dec ++ - NetworkPkg/TcpDxe/TcpDriver.c ++ - NetworkPkg/Udp4Dxe/Udp4Driver.c ++ - NetworkPkg/Udp6Dxe/Udp6Driver.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c ++ links: ++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542 ++ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237 ++ - http://www.openwall.com/lists/oss-security/2024/01/16/2 ++ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html ++ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html +diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c +index 98a90e02109b..8fe6badd687c 100644 +--- a/NetworkPkg/TcpDxe/TcpDriver.c ++++ b/NetworkPkg/TcpDxe/TcpDriver.c +@@ -2,7 +2,7 @@ + The driver binding and service binding protocol for the TCP driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( ) { EFI_STATUS Status; @@ -780,13 +1067,13 @@ index 98a90e02..3ad6bd4e 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); + return Status; + } // // Install the TCP Driver Binding Protocol -@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( +@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( // // Initialize ISS and random port. // @@ -798,11 +1085,32 @@ index 98a90e02..3ad6bd4e 100644 mTcp6RandomPort = mTcp4RandomPort; return EFI_SUCCESS; -diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c -index cb917fcf..1062d751 100644 ---- a/NetworkPkg/Udp4Dxe/Udp4Driver.c -+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c -@@ -555,6 +555,13 @@ Udp4DriverEntryPoint ( +diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf +index c0acbdca5700..cf5423f4c537 100644 +--- a/NetworkPkg/TcpDxe/TcpDxe.inf ++++ b/NetworkPkg/TcpDxe/TcpDxe.inf +@@ -82,5 +82,8 @@ + gEfiTcp6ProtocolGuid ## BY_START + gEfiTcp6ServiceBindingProtocolGuid ## BY_START + ++[Depex] ++ gEfiHash2ServiceBindingProtocolGuid ++ + [UserExtensions.TianoCore."ExtraFiles"] + TcpDxeExtra.uni +diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c +index cb917fcfc90f..c7ea16f4cd6f 100644 +--- a/NetworkPkg/Udp4Dxe/Udp4Driver.c ++++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c +@@ -1,6 +1,7 @@ + /** @file + + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -555,6 +556,13 @@ Udp4DriverEntryPoint ( ) { EFI_STATUS Status; @@ -810,13 +1118,13 @@ index cb917fcf..1062d751 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } // // Install the Udp4DriverBinding and Udp4ComponentName protocols. -@@ -571,7 +578,7 @@ Udp4DriverEntryPoint ( +@@ -571,7 +579,7 @@ Udp4DriverEntryPoint ( // // Initialize the UDP random port. // @@ -825,11 +1133,20 @@ index cb917fcf..1062d751 100644 } return Status; -diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c -index ae96fb99..434139ce 100644 ---- a/NetworkPkg/Udp6Dxe/Udp6Driver.c -+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c -@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( +diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c +index ae96fb996627..edb758d57ca4 100644 +--- a/NetworkPkg/Udp6Dxe/Udp6Driver.c ++++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c +@@ -2,7 +2,7 @@ + Driver Binding functions and Service Binding functions for the Network driver module. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( ) { EFI_STATUS Status; @@ -837,13 +1154,13 @@ index ae96fb99..434139ce 100644 + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } // // Install the Udp6DriverBinding and Udp6ComponentName protocols. -@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( +@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( // Initialize the UDP random port. // mUdp6RandomPort = (UINT16)( @@ -852,24 +1169,33 @@ index ae96fb99..434139ce 100644 UDP6_PORT_KNOWN + UDP6_PORT_KNOWN ); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -index 91146b78..9afcebf4 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +index 91146b78cb1e..452038c2194c 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +@@ -2,7 +2,7 @@ + Functions implementation related with DHCPv4 for UefiPxeBc Driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( UINT8 VendorOptLen; UINT32 Xid; + Status = PseudoRandomU32 (&Xid); + if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + Mode = Private->PxeBc.Mode; Dhcp4 = Private->Dhcp4; Status = EFI_SUCCESS; -@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( +@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( // // Set fields of the token for the request packet. // @@ -877,23 +1203,55 @@ index 91146b78..9afcebf4 100644 Token.Packet->Dhcp4.Header.Xid = HTONL (Xid); Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0)); CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS)); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 7fd1281c..dcdd3228 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -2207,7 +2207,6 @@ PxeBcDhcp6Discover ( +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +index 7fd1281c1184..bcabbd221983 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( + UINTN ReadSize; + UINT16 OpCode; + UINT16 OpLen; +- UINT32 Xid; ++ UINT32 Random; + EFI_STATUS Status; + UINTN DiscoverLenNeeded; + +@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( + return EFI_DEVICE_ERROR; + } + ++ Status = PseudoRandomU32 (&Random); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); ++ return Status; ++ } ++ + DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover = AllocateZeroPool (DiscoverLenNeeded); + if (Discover == NULL) { +@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover ( // // Build the discover packet by the cached request packet before. // - Xid = NET_RANDOM (NetRandomInitSeed ()); - Discover->TransactionId = HTONL (Xid); +- Discover->TransactionId = HTONL (Xid); ++ Discover->TransactionId = HTONL (Random); Discover->MessageType = Request->Dhcp6.Header.MessageType; RequestOpt = Request->Dhcp6.Option; -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -index d84aca7e..dc923a26 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -@@ -892,6 +892,13 @@ PxeBcCreateIp6Children ( + DiscoverOpt = Discover->DhcpOptions; +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +index d84aca7e85ab..4cd915b41157 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +@@ -3,6 +3,7 @@ + + (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
+ Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
++ Copyright (c) Microsoft Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent + +@@ -892,6 +893,13 @@ PxeBcCreateIp6Children ( PXEBC_PRIVATE_PROTOCOL *Id; EFI_SIMPLE_NETWORK_PROTOCOL *Snp; UINTN Index; @@ -907,7 +1265,7 @@ index d84aca7e..dc923a26 100644 if (Private->Ip6Nic != NULL) { // -@@ -935,9 +942,9 @@ PxeBcCreateIp6Children ( +@@ -935,9 +943,9 @@ PxeBcCreateIp6Children ( } // @@ -919,6 +1277,3 @@ index d84aca7e..dc923a26 100644 if (Private->Snp != NULL) { for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) { Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31)); --- -2.27.0 - diff --git a/1002-Bugfix-for-CVE-2023-45236.patch b/1002-Bugfix-for-CVE-2023-45236.patch new file mode 100644 index 0000000000000000000000000000000000000000..542abf643a5980de52f5158d177c2473acdde0e7 --- /dev/null +++ b/1002-Bugfix-for-CVE-2023-45236.patch @@ -0,0 +1,820 @@ +From e7226314bf8e00164e536626a9f813343ca8440e Mon Sep 17 00:00:00 2001 +From: Doug Flick +Date: Wed, 8 May 2024 22:56:29 -0700 +Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 +REF: https://www.rfc-editor.org/rfc/rfc1948.txt +REF: https://www.rfc-editor.org/rfc/rfc6528.txt +REF: https://www.rfc-editor.org/rfc/rfc9293.txt + +Bug Overview: +PixieFail Bug #8 +CVE-2023-45236 +CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N +CWE-200 Exposure of Sensitive Information to an Unauthorized Actor + +Updates TCP ISN generation to use a cryptographic hash of the +connection's identifying parameters and a secret key. +This prevents an attacker from guessing the ISN used for some other +connection. + +This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. + +RFC: 9293 Section 3.4.1. Initial Sequence Number Selection + + A TCP implementation MUST use the above type of "clock" for clock- + driven selection of initial sequence numbers (MUST-8), and SHOULD + generate its initial sequence numbers with the expression: + + ISN = M + F(localip, localport, remoteip, remoteport, secretkey) + + where M is the 4 microsecond timer, and F() is a pseudorandom + function (PRF) of the connection's identifying parameters ("localip, + localport, remoteip, remoteport") and a secret key ("secretkey") + (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or + an attacker could still guess at sequence numbers from the ISN used + for some other connection. The PRF could be implemented as a + cryptographic hash of the concatenation of the TCP connection + parameters and some secret data. For discussion of the selection of + a specific hash algorithm and management of the secret key data, + please see Section 3 of [42]. + + For each connection there is a send sequence number and a receive + sequence number. The initial send sequence number (ISS) is chosen by + the data sending TCP peer, and the initial receive sequence number + (IRS) is learned during the connection-establishing procedure. + + For a connection to be established or initialized, the two TCP peers + must synchronize on each other's initial sequence numbers. This is + done in an exchange of connection-establishing segments carrying a + control bit called "SYN" (for synchronize) and the initial sequence + numbers. As a shorthand, segments carrying the SYN bit are also + called "SYNs". Hence, the solution requires a suitable mechanism for + picking an initial sequence number and a slightly involved handshake + to exchange the ISNs. + +Cc: Saloni Kasbekar +Cc: Zachary Clark-williams + +Signed-off-by: Doug Flick [MSFT] +Reviewed-by: Saloni Kasbekar +--- + NetworkPkg/SecurityFixes.yaml | 22 +++ + NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++- + NetworkPkg/TcpDxe/TcpDxe.inf | 8 +- + NetworkPkg/TcpDxe/TcpFunc.h | 23 ++-- + NetworkPkg/TcpDxe/TcpInput.c | 13 +- + NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++-- + NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++-- + NetworkPkg/TcpDxe/TcpTimer.c | 3 +- + 8 files changed, 415 insertions(+), 49 deletions(-) + +diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml +index 20a4555019d9..4305328425d0 100644 +--- a/NetworkPkg/SecurityFixes.yaml ++++ b/NetworkPkg/SecurityFixes.yaml +@@ -122,6 +122,28 @@ CVE_2023_45235: + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html ++CVE_2023_45236: ++ commit_titles: ++ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch" ++ cve: CVE-2023-45236 ++ date_reported: 2023-08-28 13:56 UTC ++ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers" ++ note: ++ files_impacted: ++ - NetworkPkg/Include/Library/NetLib.h ++ - NetworkPkg/TcpDxe/TcpDriver.c ++ - NetworkPkg/TcpDxe/TcpDxe.inf ++ - NetworkPkg/TcpDxe/TcpFunc.h ++ - NetworkPkg/TcpDxe/TcpInput.c ++ - NetworkPkg/TcpDxe/TcpMain.h ++ - NetworkPkg/TcpDxe/TcpMisc.c ++ - NetworkPkg/TcpDxe/TcpTimer.c ++ links: ++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541 ++ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236 ++ - http://www.openwall.com/lists/oss-security/2024/01/16/2 ++ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html ++ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html + CVE_2023_45237: + commit_titles: + - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" +diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c +index 8fe6badd687c..40bba4080c87 100644 +--- a/NetworkPkg/TcpDxe/TcpDriver.c ++++ b/NetworkPkg/TcpDxe/TcpDriver.c +@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = { + TcpServiceBindingDestroyChild + }; + ++// ++// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces ++// if the platform does not provide one. ++// ++EFI_HANDLE mHash2ServiceHandle = NULL; ++ + /** + Create and start the heartbeat timer for the TCP driver. + +@@ -165,6 +171,23 @@ TcpDriverEntryPoint ( + EFI_STATUS Status; + UINT32 Random; + ++ // ++ // Initialize the Secret used for hashing TCP sequence numbers ++ // ++ // Normally this should be regenerated periodically, but since ++ // this is only used for UEFI networking and not a general purpose ++ // operating system, it is not necessary to regenerate it. ++ // ++ Status = PseudoRandomU32 (&mTcpGlobalSecret); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); ++ return Status; ++ } ++ ++ // ++ // Get a random number used to generate a random port number ++ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret ++ // + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); +@@ -207,9 +230,8 @@ TcpDriverEntryPoint ( + } + + // +- // Initialize ISS and random port. ++ // Initialize the random port. + // +- mTcpGlobalIss = Random % mTcpGlobalIss; + mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); + mTcp6RandomPort = mTcp4RandomPort; + +@@ -224,6 +246,8 @@ TcpDriverEntryPoint ( + @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. + + @retval EFI_OUT_OF_RESOURCES Failed to allocate some resources. ++ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable. ++ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller. + @retval EFI_SUCCESS A new IP6 service binding private was created. + + **/ +@@ -234,11 +258,13 @@ TcpCreateService ( + IN UINT8 IpVersion + ) + { +- EFI_STATUS Status; +- EFI_GUID *IpServiceBindingGuid; +- EFI_GUID *TcpServiceBindingGuid; +- TCP_SERVICE_DATA *TcpServiceData; +- IP_IO_OPEN_DATA OpenData; ++ EFI_STATUS Status; ++ EFI_GUID *IpServiceBindingGuid; ++ EFI_GUID *TcpServiceBindingGuid; ++ TCP_SERVICE_DATA *TcpServiceData; ++ IP_IO_OPEN_DATA OpenData; ++ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; ++ EFI_HASH2_PROTOCOL *Hash2Protocol; + + if (IpVersion == IP_VERSION_4) { + IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid; +@@ -272,6 +298,33 @@ TcpCreateService ( + return EFI_UNSUPPORTED; + } + ++ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); ++ if (EFI_ERROR (Status)) { ++ // ++ // If we can't find the Hashing protocol, then we need to create one. ++ // ++ ++ // ++ // Platform is expected to publish the hash service binding protocol to support TCP. ++ // ++ Status = gBS->LocateProtocol ( ++ &gEfiHash2ServiceBindingProtocolGuid, ++ NULL, ++ (VOID **)&Hash2ServiceBinding ++ ); ++ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) { ++ return EFI_UNSUPPORTED; ++ } ++ ++ // ++ // Create an instance of the hash protocol for this controller. ++ // ++ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle); ++ if (EFI_ERROR (Status)) { ++ return EFI_UNSUPPORTED; ++ } ++ } ++ + // + // Create the TCP service data. + // +@@ -423,6 +476,7 @@ TcpDestroyService ( + EFI_STATUS Status; + LIST_ENTRY *List; + TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context; ++ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; + + ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6)); + +@@ -439,6 +493,30 @@ TcpDestroyService ( + return EFI_SUCCESS; + } + ++ // ++ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver. ++ // ++ if (mHash2ServiceHandle != NULL) { ++ Status = gBS->LocateProtocol ( ++ &gEfiHash2ServiceBindingProtocolGuid, ++ NULL, ++ (VOID **)&Hash2ServiceBinding ++ ); ++ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) { ++ return EFI_UNSUPPORTED; ++ } ++ ++ // ++ // Destroy the instance of the hashing protocol for this controller. ++ // ++ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle); ++ if (EFI_ERROR (Status)) { ++ return EFI_UNSUPPORTED; ++ } ++ ++ mHash2ServiceHandle = NULL; ++ } ++ + Status = gBS->OpenProtocol ( + NicHandle, + ServiceBindingGuid, +diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf +index cf5423f4c537..76de4cf9ec3d 100644 +--- a/NetworkPkg/TcpDxe/TcpDxe.inf ++++ b/NetworkPkg/TcpDxe/TcpDxe.inf +@@ -6,6 +6,7 @@ + # stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack. + # + # Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
++# Copyright (c) Microsoft Corporation + # + # SPDX-License-Identifier: BSD-2-Clause-Patent + # +@@ -68,7 +69,6 @@ + NetLib + IpIoLib + +- + [Protocols] + ## SOMETIMES_CONSUMES + ## SOMETIMES_PRODUCES +@@ -81,6 +81,12 @@ + gEfiIp6ServiceBindingProtocolGuid ## TO_START + gEfiTcp6ProtocolGuid ## BY_START + gEfiTcp6ServiceBindingProtocolGuid ## BY_START ++ gEfiHash2ProtocolGuid ## BY_START ++ gEfiHash2ServiceBindingProtocolGuid ## BY_START ++ ++[Guids] ++ gEfiHashAlgorithmMD5Guid ## CONSUMES ++ gEfiHashAlgorithmSha256Guid ## CONSUMES + + [Depex] + gEfiHash2ServiceBindingProtocolGuid +diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h +index a7af01fff246..c707bee3e548 100644 +--- a/NetworkPkg/TcpDxe/TcpFunc.h ++++ b/NetworkPkg/TcpDxe/TcpFunc.h +@@ -2,7 +2,7 @@ + Declaration of external functions shared in TCP driver. + + Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -36,8 +36,11 @@ VOID + + @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. + ++ @retval EFI_SUCCESS The operation completed successfully ++ @retval others The underlying functions failed and could not complete the operation ++ + **/ +-VOID ++EFI_STATUS + TcpInitTcbLocal ( + IN OUT TCP_CB *Tcb + ); +@@ -128,17 +131,6 @@ TcpCloneTcb ( + IN TCP_CB *Tcb + ); + +-/** +- Compute an ISS to be used by a new connection. +- +- @return The result ISS. +- +-**/ +-TCP_SEQNO +-TcpGetIss ( +- VOID +- ); +- + /** + Get the local mss. + +@@ -202,8 +194,11 @@ TcpFormatNetbuf ( + @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a + connection. + ++ @retval EFI_SUCCESS The operation completed successfully ++ @retval others The underlying functions failed and could not complete the operation ++ + **/ +-VOID ++EFI_STATUS + TcpOnAppConnect ( + IN OUT TCP_CB *Tcb + ); +diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c +index 97633a3908be..a5d575ccafeb 100644 +--- a/NetworkPkg/TcpDxe/TcpInput.c ++++ b/NetworkPkg/TcpDxe/TcpInput.c +@@ -724,6 +724,7 @@ TcpInput ( + TCP_SEQNO Urg; + UINT16 Checksum; + INT32 Usable; ++ EFI_STATUS Status; + + ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6)); + +@@ -872,7 +873,17 @@ TcpInput ( + Tcb->LocalEnd.Port = Head->DstPort; + Tcb->RemoteEnd.Port = Head->SrcPort; + +- TcpInitTcbLocal (Tcb); ++ Status = TcpInitTcbLocal (Tcb); ++ if (EFI_ERROR (Status)) { ++ DEBUG ( ++ (DEBUG_ERROR, ++ "TcpInput: discard a segment because failed to init local end for TCB %p\n", ++ Tcb) ++ ); ++ ++ goto DISCARD; ++ } ++ + TcpInitTcbPeer (Tcb, Seg, &Option); + + TcpSetState (Tcb, TCP_SYN_RCVD); +diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h +index c0c9b7f46ebe..4d5566ab9379 100644 +--- a/NetworkPkg/TcpDxe/TcpMain.h ++++ b/NetworkPkg/TcpDxe/TcpMain.h +@@ -3,7 +3,7 @@ + It is the common head file for all Tcp*.c in TCP driver. + + Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -13,6 +13,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable; + + extern LIST_ENTRY mTcpRunQue; + extern LIST_ENTRY mTcpListenQue; +-extern TCP_SEQNO mTcpGlobalIss; ++extern TCP_SEQNO mTcpGlobalSecret; + extern UINT32 mTcpTick; + + /// +@@ -45,14 +46,6 @@ extern UINT32 mTcpTick; + + #define TCP_EXPIRE_TIME 65535 + +-/// +-/// The implementation selects the initial send sequence number and the unit to +-/// be added when it is increased. +-/// +-#define TCP_BASE_ISS 0x4d7e980b +-#define TCP_ISS_INCREMENT_1 2048 +-#define TCP_ISS_INCREMENT_2 100 +- + typedef union { + EFI_TCP4_CONFIG_DATA Tcp4CfgData; + EFI_TCP6_CONFIG_DATA Tcp6CfgData; +@@ -774,4 +767,50 @@ Tcp6Poll ( + IN EFI_TCP6_PROTOCOL *This + ); + ++/** ++ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local ++ and remote IP addresses and ports. ++ ++ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 ++ Where the ISN is computed as follows: ++ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) ++ ++ Otherwise: ++ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) ++ ++ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the ++ connection's identifying parameters ("localip, localport, remoteip, remoteport") ++ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the ++ outside (MUST-9), or an attacker could still guess at sequence numbers from the ++ ISN used for some other connection. The PRF could be implemented as a ++ cryptographic hash of the concatenation of the TCP connection parameters and some ++ secret data. For discussion of the selection of a specific hash algorithm and ++ management of the secret key data." ++ ++ @param[in] LocalIp A pointer to the local IP address of the TCP connection. ++ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. ++ @param[in] LocalPort The local port number of the TCP connection. ++ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. ++ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. ++ @param[in] RemotePort The remote port number of the TCP connection. ++ @param[out] Isn A pointer to the variable that will receive the Initial ++ Sequence Number (ISN). ++ ++ @retval EFI_SUCCESS The operation completed successfully, and the ISN was ++ retrieved. ++ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. ++ @retval EFI_UNSUPPORTED The operation is not supported. ++ ++**/ ++EFI_STATUS ++TcpGetIsn ( ++ IN UINT8 *LocalIp, ++ IN UINTN LocalIpSize, ++ IN UINT16 LocalPort, ++ IN UINT8 *RemoteIp, ++ IN UINTN RemoteIpSize, ++ IN UINT16 RemotePort, ++ OUT TCP_SEQNO *Isn ++ ); ++ + #endif +diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c +index c93212d47ded..3310306f639c 100644 +--- a/NetworkPkg/TcpDxe/TcpMisc.c ++++ b/NetworkPkg/TcpDxe/TcpMisc.c +@@ -3,7 +3,7 @@ + + (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
+ Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = { + &mTcpListenQue + }; + +-TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS; ++// ++// The Session secret ++// This must be initialized to a random value at boot time ++// ++TCP_SEQNO mTcpGlobalSecret; ++ ++// ++// Union to hold either an IPv4 or IPv6 address ++// This is used to simplify the ISN hash computation ++// ++typedef union { ++ UINT8 IPv4[4]; ++ UINT8 IPv6[16]; ++} NETWORK_ADDRESS; ++ ++// ++// The ISN is computed by hashing this structure ++// It is initialized with the local and remote IP addresses and ports ++// and the secret ++// ++// ++typedef struct { ++ UINT16 LocalPort; ++ UINT16 RemotePort; ++ NETWORK_ADDRESS LocalAddress; ++ NETWORK_ADDRESS RemoteAddress; ++ TCP_SEQNO Secret; ++} ISN_HASH_CTX; + + CHAR16 *mTcpStateName[] = { + L"TCP_CLOSED", +@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = { + + @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. + ++ @retval EFI_SUCCESS The operation completed successfully ++ @retval others The underlying functions failed and could not complete the operation ++ + **/ +-VOID ++EFI_STATUS + TcpInitTcbLocal ( + IN OUT TCP_CB *Tcb + ) + { ++ TCP_SEQNO Isn; ++ EFI_STATUS Status; ++ + // + // Compute the checksum of the fixed parts of pseudo header + // +@@ -57,6 +90,16 @@ TcpInitTcbLocal ( + 0x06, + 0 + ); ++ ++ Status = TcpGetIsn ( ++ Tcb->LocalEnd.Ip.v4.Addr, ++ sizeof (IPv4_ADDRESS), ++ Tcb->LocalEnd.Port, ++ Tcb->RemoteEnd.Ip.v4.Addr, ++ sizeof (IPv4_ADDRESS), ++ Tcb->RemoteEnd.Port, ++ &Isn ++ ); + } else { + Tcb->HeadSum = NetIp6PseudoHeadChecksum ( + &Tcb->LocalEnd.Ip.v6, +@@ -64,9 +107,25 @@ TcpInitTcbLocal ( + 0x06, + 0 + ); ++ ++ Status = TcpGetIsn ( ++ Tcb->LocalEnd.Ip.v6.Addr, ++ sizeof (IPv6_ADDRESS), ++ Tcb->LocalEnd.Port, ++ Tcb->RemoteEnd.Ip.v6.Addr, ++ sizeof (IPv6_ADDRESS), ++ Tcb->RemoteEnd.Port, ++ &Isn ++ ); ++ } ++ ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n")); ++ ASSERT (FALSE); ++ return Status; + } + +- Tcb->Iss = TcpGetIss (); ++ Tcb->Iss = Isn; + Tcb->SndUna = Tcb->Iss; + Tcb->SndNxt = Tcb->Iss; + +@@ -82,6 +141,8 @@ TcpInitTcbLocal ( + Tcb->RetxmitSeqMax = 0; + + Tcb->ProbeTimerOn = FALSE; ++ ++ return EFI_SUCCESS; + } + + /** +@@ -506,18 +567,162 @@ TcpCloneTcb ( + } + + /** +- Compute an ISS to be used by a new connection. +- +- @return The resulting ISS. ++ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local ++ and remote IP addresses and ports. ++ ++ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 ++ Where the ISN is computed as follows: ++ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) ++ ++ Otherwise: ++ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) ++ ++ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the ++ connection's identifying parameters ("localip, localport, remoteip, remoteport") ++ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the ++ outside (MUST-9), or an attacker could still guess at sequence numbers from the ++ ISN used for some other connection. The PRF could be implemented as a ++ cryptographic hash of the concatenation of the TCP connection parameters and some ++ secret data. For discussion of the selection of a specific hash algorithm and ++ management of the secret key data." ++ ++ @param[in] LocalIp A pointer to the local IP address of the TCP connection. ++ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. ++ @param[in] LocalPort The local port number of the TCP connection. ++ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. ++ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. ++ @param[in] RemotePort The remote port number of the TCP connection. ++ @param[out] Isn A pointer to the variable that will receive the Initial ++ Sequence Number (ISN). ++ ++ @retval EFI_SUCCESS The operation completed successfully, and the ISN was ++ retrieved. ++ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. ++ @retval EFI_UNSUPPORTED The operation is not supported. + + **/ +-TCP_SEQNO +-TcpGetIss ( +- VOID ++EFI_STATUS ++TcpGetIsn ( ++ IN UINT8 *LocalIp, ++ IN UINTN LocalIpSize, ++ IN UINT16 LocalPort, ++ IN UINT8 *RemoteIp, ++ IN UINTN RemoteIpSize, ++ IN UINT16 RemotePort, ++ OUT TCP_SEQNO *Isn + ) + { +- mTcpGlobalIss += TCP_ISS_INCREMENT_1; +- return mTcpGlobalIss; ++ EFI_STATUS Status; ++ EFI_HASH2_PROTOCOL *Hash2Protocol; ++ EFI_HASH2_OUTPUT HashResult; ++ ISN_HASH_CTX IsnHashCtx; ++ EFI_TIME TimeStamp; ++ ++ // ++ // Check that the ISN pointer is valid ++ // ++ if (Isn == NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // The local ip may be a v4 or v6 address and may not be NULL ++ // ++ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // the local ip may be a v4 or v6 address ++ // ++ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // Locate the Hash Protocol ++ // ++ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status)); ++ ++ // ++ // TcpCreateService(..) is expected to be called prior to this function ++ // ++ ASSERT_EFI_ERROR (Status); ++ return Status; ++ } ++ ++ // ++ // Initialize the hash algorithm ++ // ++ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status)); ++ return Status; ++ } ++ ++ IsnHashCtx.LocalPort = LocalPort; ++ IsnHashCtx.RemotePort = RemotePort; ++ IsnHashCtx.Secret = mTcpGlobalSecret; ++ ++ // ++ // Check the IP address family and copy accordingly ++ // ++ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) { ++ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize); ++ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) { ++ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize); ++ } else { ++ return EFI_INVALID_PARAMETER; // Unsupported address size ++ } ++ ++ // ++ // Repeat the process for the remote IP address ++ // ++ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) { ++ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize); ++ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) { ++ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize); ++ } else { ++ return EFI_INVALID_PARAMETER; // Unsupported address size ++ } ++ ++ // ++ // Compute the hash ++ // Update the hash with the data ++ // ++ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx)); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status)); ++ return Status; ++ } ++ ++ // ++ // Finalize the hash and retrieve the result ++ // ++ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status)); ++ return Status; ++ } ++ ++ Status = gRT->GetTime (&TimeStamp, NULL); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ // ++ // copy the first 4 bytes of the hash result into the ISN ++ // ++ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn)); ++ ++ // ++ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250) ++ // ++ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250; ++ ++ return Status; + } + + /** +@@ -721,17 +926,28 @@ TcpFormatNetbuf ( + @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a + connection. + ++ @retval EFI_SUCCESS The operation completed successfully ++ @retval others The underlying functions failed and could not complete the operation ++ + **/ +-VOID ++EFI_STATUS + TcpOnAppConnect ( + IN OUT TCP_CB *Tcb + ) + { +- TcpInitTcbLocal (Tcb); ++ EFI_STATUS Status; ++ ++ Status = TcpInitTcbLocal (Tcb); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ + TcpSetState (Tcb, TCP_SYN_SENT); + + TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout); + TcpToSendData (Tcb, 1); ++ ++ return EFI_SUCCESS; + } + + /** +diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c +index 5d2e124977d9..065b1bdf5feb 100644 +--- a/NetworkPkg/TcpDxe/TcpTimer.c ++++ b/NetworkPkg/TcpDxe/TcpTimer.c +@@ -2,7 +2,7 @@ + TCP timer related functions. + + Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -483,7 +483,6 @@ TcpTickingDpc ( + INT16 Index; + + mTcpTick++; +- mTcpGlobalIss += TCP_ISS_INCREMENT_2; + + // + // Don't use LIST_FOR_EACH, which isn't delete safe. diff --git a/edk2.spec b/edk2.spec index 8d73034723d32c10f24ed3857be0a3fe935b26ff..18efcbc22cd0ed34ffdd938ab6759bcb90623cd0 100644 --- a/edk2.spec +++ b/edk2.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %undefine _auto_set_build_flags ExclusiveArch: x86_64 aarch64 loongarch64 @@ -85,7 +85,8 @@ Patch0021: 0021-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch # CVE-2023-45236 & CVE-2023-45237 # Upstream fix: https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h # 漏洞 8-9 的补丁文件现在通过 https://bugzilla.tianocore.org/show_bug.cgi?id=4541 和 https://bugzilla.tianocore.org/show_bug.cgi?id=4542 提供。这些修补程序已集成到 2024 年 5 月的 EDK2 版本 (edk2-stable202405) 中。 -Patch0022: 0022-Bugfix-for-CVE-2023-45236-CVE-2023-45237.patch +Patch1001: 1001-Bugfix-for-CVE-2023-45237.patch +Patch1002: 1002-Bugfix-for-CVE-2023-45236.patch BuildRequires: python3-devel BuildRequires: libuuid-devel @@ -485,6 +486,9 @@ install -m 0644 \ %changelog +* Thu Nov 21 2024 gaochang - 202402-6 +- fix CVE-2023-45236/CVE-2023-45237 regression + * Fri Aug 02 2024 lidongyue - 202402-5 - fix CVE-2023-45236 - fix CVE-2023-45237