From db0efd1fa424ecdb42d2ea54ecfdfcfaf17c991c Mon Sep 17 00:00:00 2001
From: zhihang
Date: Thu, 6 Mar 2025 08:18:07 +0000
Subject: [PATCH 01/10] Fixes CVE-2024-12797
---
 ...PEER-client-RPK-should-abort-on-X509.patch | 178 ++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
new file mode 100644
index 0000000..a8d3249
--- /dev/null
+++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
@@ -0,0 +1,178 @@ +From 6ae8e947d8e3f3f03eeb7d9ad993e341791900bc Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Fri, 20 Dec 2024 04:25:15 +1100 +Subject: [PATCH] With SSL_VERIFY_PEER client RPK should abort on X509 error + +While RPK performs X.509 checks correctly, at the SSL layer the +SSL_VERIFY_PEER flag was not honoured and connections were allowed to +complete even when the server was not verified. The client can of +course determine this by calling SSL_get_verify_result(), but some +may not know to do this. + +Added tests to make sure this does not regress. + +Fixes CVE-2024-12797 + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +Reviewed-by: Neil Horman +--- + ssl/statem/statem_clnt.c | 15 +++++++++++-- + test/rpktest.c | 48 ++++++++++++++++++++++++++++++++++------ + 2 files changed, 54 insertions(+), 9 deletions(-) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 436b397346..8716ed669f 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, + { + size_t certidx; + const SSL_CERT_LOOKUP *clu; ++ int v_ok; + + if (sc->session->peer_rpk == NULL) { + SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, +@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, + + if (sc->rwstate == SSL_RETRY_VERIFY) + sc->rwstate = SSL_NOTHING; +- if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0 +- && sc->rwstate == SSL_RETRY_VERIFY) ++ ++ ERR_set_mark(); ++ v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); ++ if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { ++ ERR_clear_last_mark(); ++ SSLfatal(sc, ssl_x509err2alert(sc->verify_result), ++ SSL_R_CERTIFICATE_VERIFY_FAILED); ++ return WORK_ERROR; ++ } ++ ERR_pop_to_mark(); /* but we keep s->verify_result */ ++ if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { + return WORK_MORE_A; ++ } + + if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, + 
SSL_CONNECTION_GET_CTX(sc))) == NULL) { +diff --git a/test/rpktest.c b/test/rpktest.c +index ac824798f1..0be8461f77 100644 +--- a/test/rpktest.c ++++ b/test/rpktest.c +@@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx) + * idx = 13 - resumption with client authentication + * idx = 14 - resumption with client authentication, no ticket + * idx = 15 - like 0, but use non-default libctx ++ * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail ++ * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail + * +- * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests ++ * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests + */ + static int test_rpk(int idx) + { +-# define RPK_TESTS 16 ++# define RPK_TESTS 18 + # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2) + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +@@ -114,6 +116,7 @@ static int test_rpk(int idx) + int idx_cert, idx_prot; + int client_auth = 0; + int resumption = 0; ++ int want_error = SSL_ERROR_NONE; + long server_verify_result = 0; + long client_verify_result = 0; + OSSL_LIB_CTX *test_libctx = NULL; +@@ -188,7 +191,7 @@ static int test_rpk(int idx) + #ifdef OPENSSL_NO_ECDSA + /* Can't get other_key if it's ECDSA */ + if (other_pkey == NULL && idx_cert == 0 +- && (idx == 4 || idx == 6 || idx == 7)) { ++ && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) { + testresult = TEST_skip("EDCSA disabled"); + goto end; + } +@@ -266,8 +269,10 @@ static int test_rpk(int idx) + goto end; + /* Only a private key */ + if (idx == 1) { +- if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) ++ if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) { + expected = 0; ++ want_error = SSL_ERROR_SSL; ++ } + } else { + /* Add certificate */ + if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1)) +@@ -333,12 +338,14 @@ static int test_rpk(int idx) + client_expected = -1; + if (!TEST_true(SSL_add_expected_rpk(clientssl, 
other_pkey))) + goto end; ++ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); + client_verify_result = X509_V_ERR_DANE_NO_MATCH; + break; + case 8: + if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) + client_expected = -1; + /* no peer keys */ ++ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); + client_verify_result = X509_V_ERR_RPK_UNTRUSTED; + break; + case 9: +@@ -370,9 +377,13 @@ static int test_rpk(int idx) + if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1)) + goto end; + /* Since there's no cert, this is expected to fail without RPK support */ +- if (!idx_server_client_rpk || !idx_client_client_rpk) ++ if (!idx_server_client_rpk || !idx_client_client_rpk) { + expected = 0; +- SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); ++ want_error = SSL_ERROR_SSL; ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); ++ } else { ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); ++ } + client_auth = 1; + break; + case 11: +@@ -449,12 +460,35 @@ static int test_rpk(int idx) + if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey))) + goto end; + break; ++ case 16: ++ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { ++ /* wrong expected server key */ ++ expected = 0; ++ want_error = SSL_ERROR_SSL; ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); ++ } ++ if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) ++ goto end; ++ break; ++ case 17: ++ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { ++ /* no expected server keys */ ++ expected = 0; ++ want_error = SSL_ERROR_SSL; ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); ++ } ++ break; + } + +- ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); ++ ret = create_ssl_connection(serverssl, clientssl, want_error); + if (!TEST_int_eq(expected, ret)) + 
goto end; + ++ if (expected <= 0) { ++ testresult = 1; ++ goto end; ++ } ++ + /* Make sure client gets RPK or certificate as configured */ + if (expected == 1) { + if (idx_server_server_rpk && idx_client_server_rpk) { +-- +2.43.0 + -- Gitee From ae7272f66949fb1da417bec83b2a8f23d5a1bdce Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 08:23:32 +0000 Subject: [PATCH 02/10] update edk2.spec. Signed-off-by: zhihang --- edk2.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/edk2.spec b/edk2.spec index 0fa6b76..5028b65 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 18 +Release: 19 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 @@ -135,6 +135,9 @@ patch83: 0083-Fix-timing-side-channel-CVE-2024-13176.patch patch84: 0084-Free-the-read-buffers-CVE-2024-4741.patch patch85: 0085-Process-key-length-CVE-2023-5363.patch +# Fix CVE-2024-12797 +patch86: 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %description @@ -404,6 +407,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Sun Mar 06 2025 zhihang - 202308-19 +- fix CVE-2024-12797 + * Sun Feb 23 2025 huyu - 202308-18 - fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363 -- Gitee From f01fcbf38143d9b443bc2666389005ca622671a7 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 08:38:42 +0000 Subject: [PATCH 03/10] update edk2.spec. Signed-off-by: zhihang --- edk2.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edk2.spec b/edk2.spec index 5028b65..3f7d55e 100644 --- a/edk2.spec +++ b/edk2.spec 
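Review bot: The added 0086 patch edits `tls_post_process_server_rpk` in `ssl/statem/statem_clnt.c`, a function that only exists in OpenSSL releases with raw-public-key support (3.2 and later, which is also the range affected by CVE-2024-12797), and nothing in this series shows which OpenSSL the `CryptoPkg/Library/OpensslLib/openssl` tree of this edk2 release carries. Confirm that bundled version is 3.2 or newer before the changelog claims the CVE is fixed; on an older tree the hunk has no anchor and either fails to apply or gets recorded as a fix for code the package does not contain. Note also that the embedded patch's own `---`/`+++` headers are relative to the OpenSSL root rather than the edk2 root, so the strip level used when applying it must match those paths. The enclosing function `tls_post_process_server_rpk` continues outside the hunk.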
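Review bot: The hunk at `@@ -135,6 +135,9 @@` only declares `patch86: 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch`; nothing in this diff applies it. If this spec applies patches with explicit `%patch` statements in `%prep` rather than `%autosetup -p1`, a matching `%patch86 -p1` line is needed, otherwise the CVE-2024-12797 fix is listed in the changelog but never reaches the build. The `%prep` section is outside this diff, so this needs confirming against the full spec.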
@@ -407,7 +407,7 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog -* Sun Mar 06 2025 zhihang - 202308-19 +* Sun Mar 06 2025 zhihang - 202308-19 - fix CVE-2024-12797 * Sun Feb 23 2025 huyu - 202308-18 -- Gitee From 27b4e60f1ac1d82dc860ff599c457f5932ee0674 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 08:42:59 +0000 Subject: [PATCH 04/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- ...-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index a8d3249..eef313a 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch +++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch @@ -169,10 +169,4 @@ index ac824798f1..0be8461f77 100644 + testresult = 1; + goto end; + } -+ - /* Make sure client gets RPK or certificate as configured */ - if (expected == 1) { - if (idx_server_server_rpk && idx_client_server_rpk) { --- -2.43.0 - ++ \ No newline at end of file -- Gitee From 9be2c7c248b8cd22a7396dbf0dd6fa156d8a936b Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 09:11:19 +0000 Subject: [PATCH 05/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- ...h-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index eef313a..ea37393 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch +++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch 
@@ -169,4 +169,9 @@ index ac824798f1..0be8461f77 100644 + testresult = 1; + goto end; + } -+ \ No newline at end of file ++ + /* Make sure client gets RPK or certificate as configured */ + if (expected == 1) { + if (idx_server_server_rpk && idx_client_server_rpk) { +-- +2.43.0 -- Gitee From bd38f77f0c2e6cce8ea524a6beb3fac37ac4cc30 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 09:33:22 +0000 Subject: [PATCH 06/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- ...VERIFY_PEER-client-RPK-should-abort-on-X509.patch | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index ea37393..5443754 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch +++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch @@ -21,10 +21,10 @@ Reviewed-by: Neil Horman test/rpktest.c | 48 ++++++++++++++++++++++++++++++++++------ 2 files changed, 54 insertions(+), 9 deletions(-) -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c index 436b397346..8716ed669f 100644 ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c +--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c @@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, { size_t certidx; 
@@ -55,10 +55,10 @@ index 436b397346..8716ed669f 100644 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, SSL_CONNECTION_GET_CTX(sc))) == NULL) { -diff --git a/test/rpktest.c b/test/rpktest.c +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c b/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c index ac824798f1..0be8461f77 100644 ---- a/test/rpktest.c -+++ b/test/rpktest.c +--- a/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c @@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx) * idx = 13 - resumption with client authentication * idx = 14 - resumption with client authentication, no ticket -- Gitee From 0448c94f236bb4b84f8a004bc64bf1774842dc07 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 09:56:30 +0000 Subject: [PATCH 07/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- ...PEER-client-RPK-should-abort-on-X509.patch | 119 +----------------- 1 file changed, 1 insertion(+), 118 deletions(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index 5443754..0ef98f6 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch +++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch 
@@ -55,123 +55,6 @@ index 436b397346..8716ed669f 100644 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, SSL_CONNECTION_GET_CTX(sc))) == NULL) { -diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c b/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c -index ac824798f1..0be8461f77 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/test/rpktest.c -@@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx) - * idx = 13 - resumption with client authentication - * idx = 14 - resumption with client authentication, no ticket - * idx = 15 - like 0, but use non-default libctx -+ * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail -+ * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail - * -- * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests -+ * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests - */ - static int test_rpk(int idx) - { --# define RPK_TESTS 16 -+# define RPK_TESTS 18 - # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2) - SSL_CTX *cctx = NULL, *sctx = NULL; - SSL *clientssl = NULL, *serverssl = NULL; -@@ -114,6 +116,7 @@ static int test_rpk(int idx) - int idx_cert, idx_prot; - int client_auth = 0; - int resumption = 0; -+ int want_error = SSL_ERROR_NONE; - long server_verify_result = 0; - long client_verify_result = 0; - OSSL_LIB_CTX *test_libctx = NULL; -@@ -188,7 +191,7 @@ static int test_rpk(int idx) - #ifdef OPENSSL_NO_ECDSA - /* Can't get other_key if it's ECDSA */ - if (other_pkey == NULL && idx_cert == 0 -- && (idx == 4 || idx == 6 || idx == 7)) { -+ && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) { - testresult = TEST_skip("EDCSA disabled"); - goto end; - } -@@ -266,8 +269,10 @@ static int test_rpk(int idx) - goto end; - /* Only a private key */ - if (idx == 1) { -- if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) -+ if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) { - expected = 0; -+ want_error = 
SSL_ERROR_SSL; -+ } - } else { - /* Add certificate */ - if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1)) -@@ -333,12 +338,14 @@ static int test_rpk(int idx) - client_expected = -1; - if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) - goto end; -+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); - client_verify_result = X509_V_ERR_DANE_NO_MATCH; - break; - case 8: - if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) - client_expected = -1; - /* no peer keys */ -+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); - client_verify_result = X509_V_ERR_RPK_UNTRUSTED; - break; - case 9: -@@ -370,9 +377,13 @@ static int test_rpk(int idx) - if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1)) - goto end; - /* Since there's no cert, this is expected to fail without RPK support */ -- if (!idx_server_client_rpk || !idx_client_client_rpk) -+ if (!idx_server_client_rpk || !idx_client_client_rpk) { - expected = 0; -- SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); -+ want_error = SSL_ERROR_SSL; -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); -+ } else { -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); -+ } - client_auth = 1; - break; - case 11: -@@ -449,12 +460,35 @@ static int test_rpk(int idx) - if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey))) - goto end; - break; -+ case 16: -+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { -+ /* wrong expected server key */ -+ expected = 0; -+ want_error = SSL_ERROR_SSL; -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); -+ } -+ if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) -+ goto end; -+ break; -+ case 17: -+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { -+ /* no expected server keys */ -+ expected = 0; -+ 
want_error = SSL_ERROR_SSL; -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); -+ } -+ break; - } - -- ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); -+ ret = create_ssl_connection(serverssl, clientssl, want_error); - if (!TEST_int_eq(expected, ret)) - goto end; - -+ if (expected <= 0) { -+ testresult = 1; -+ goto end; -+ } -+ - /* Make sure client gets RPK or certificate as configured */ - if (expected == 1) { - if (idx_server_server_rpk && idx_client_server_rpk) { + -- 2.43.0 -- Gitee From 6e7efaaa0f375b3322c344be764cf74d4f2011e1 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 09:58:09 +0000 Subject: [PATCH 08/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch | 1 - 1 file changed, 1 deletion(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index 0ef98f6..86fcc45 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch +++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch @@ -55,6 +55,5 @@ index 436b397346..8716ed669f 100644 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, SSL_CONNECTION_GET_CTX(sc))) == NULL) { - -- 2.43.0 -- Gitee From 605c7b9b42b09eb9020366fdbdb70b084dc3c2f2 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 10:14:34 +0000 Subject: [PATCH 09/10] update 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch. Signed-off-by: zhihang --- ...-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch index 86fcc45..c80e606 100644 --- a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch 
+++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch @@ -18,8 +18,7 @@ Reviewed-by: Matt Caswell Reviewed-by: Neil Horman --- ssl/statem/statem_clnt.c | 15 +++++++++++-- - test/rpktest.c | 48 ++++++++++++++++++++++++++++++++++------ - 2 files changed, 54 insertions(+), 9 deletions(-) + 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c index 436b397346..8716ed669f 100644 -- Gitee From 566524828a4e01f6134eb8751492d46127c98312 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 10:17:09 +0000 Subject: [PATCH 10/10] update edk2.spec. Signed-off-by: zhihang --- edk2.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edk2.spec b/edk2.spec index 3f7d55e..e062ed4 100644 --- a/edk2.spec +++ b/edk2.spec @@ -407,7 +407,7 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog -* Sun Mar 06 2025 zhihang - 202308-19 +* Thu Mar 06 2025 zhihang - 202308-19 - fix CVE-2024-12797 * Sun Feb 23 2025 huyu - 202308-18 -- Gitee
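Review bot: The rewritten diffstat reads `1 files changed, 13 insertions(+), 2 deletions(-)` (should be `1 file changed`) and still names the file `ssl/statem/statem_clnt.c` while the `diff --git` line below uses the `CryptoPkg/Library/OpensslLib/openssl/` prefix; git ignores the diffstat, but it misleads anyone auditing what the backport touches. The description above it also still says "Added tests to make sure this does not regress", which no longer holds once the `test/rpktest.c` hunks were dropped. A one-line note under the `Fixes CVE-2024-12797` line, such as `[backport: test/rpktest.c hunks dropped, paths rewritten for the edk2 tree]`, would record how this file deviates from upstream commit 6ae8e947d8e3f3f03eeb7d9ad993e341791900bc.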