packages/edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:da4a29c76695898b2530b2f5fe4be46a7eb271e8
Branches Tags
packages:main
...
compare: packages:474c9092dcd5e37e33da726c436ca89973ce62a9
Branches Tags
packages:main

10 Commits
da4a29c766 ... 474c9092dc

Author SHA1 Message Date
openeuler-ci-bot
474c9092dc
!238 [sync] PR-230: Fix CVE-2024-1298 
From: @openeuler-sync-bot 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-06-13 02:48:43 +00:00
ShenYage
4cc4878d42 Fix CVE-2024-1298 
Signed-off-by: ShenYage <shenyage1@huawei.com>
(cherry picked from commit 1d9264d6f99c7f50bdc37bdfc118bd87598adee4)
 2024-06-13 09:38:25 +08:00
openeuler-ci-bot
ef6d71c654
!207 openEuler-22.03-LTS-Next分支 修复CVE-2024-2511 
From: @jacob1996 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-04-17 01:43:15 +00:00
ShenYage
9aaafd9bf8 fix CVE-2024-2511 
Signed-off-by: ShenYage <shenyage1@huawei.com>
 2024-04-16 00:32:29 +08:00
openeuler-ci-bot
7f28dc628e
!188 (依赖前置补丁)openEuler-22.03-LTS-Next分支 修复CVE: CVE-2023-45229、CVE-2023-45230、CVE-2023-45231、CVE-2023-45232、CVE-2023-45233、CVE-2023-45234、CVE-2023-45235 
From: @Ye-Xiao12 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-03-08 06:46:04 +00:00
openeuler-ci-bot
4048b62760
!184 openEuler-22.03-LTS-Next分支 修复CVE: CVE-2022-36763、CVE-2022-36764、CVE-2022-36765 
From: @Ye-Xiao12 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-03-08 06:38:08 +00:00
yexiao
9fe974a680 Fix some CVE 
Fix CVE-2023-45229、CVE-2023-45230、CVE-2023-45231、
CVE-2023-45232、CVE-2023-45233、CVE-2023-45234、CVE-2023-45235

Signed-off-by: yexiao <yexiao7@huawei.com>
 2024-03-03 17:53:43 +08:00
yexiao
f0577bd245 Fix some CVE 
fix CVE-2022-36763、CVE-2022-36764、CVE-2022-36765

Signed-off-by: yexiao <yexiao7@huawei.com>
 2024-03-02 10:03:05 +08:00
openeuler-ci-bot
c49b79dfc1
!175 Fix some cve for openEuler-22.03-LTS-Next 
From: @Ye-Xiao12 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
 2024-02-22 13:41:27 +00:00
yexiao
d3b0038b60 Fix some CVE 
Fix CVE-2023-0464、CVE-2023-0465、CVE-2023-0466
CVE-2023-2650、CVE-2023-3446、CVE-2023-3817、
CVE-2024-0727

Signed-off-by: yexiao <yexiao7@huawei.com>
 2024-01-25 02:14:17 +08:00
44 changed files with 14660 additions and 1 deletions
Show Stats Expand all files Collapse all files

225
0035-x509-excessive-resource-use-verifying-policy-constra.patch Normal file
View File

@ -0,0 +1,225 @@
From acb340dfc303ce31bd2577e727f5e56544118054 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 8 Mar 2023 15:28:20 +1100
Subject: [PATCH 01/11] x509: excessive resource use verifying policy
constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
reference: https://github.com/openssl/openssl/pull/20569
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../openssl/crypto/x509v3/pcy_local.h | 8 +++-
.../openssl/crypto/x509v3/pcy_node.c | 12 ++++--
.../openssl/crypto/x509v3/pcy_tree.c | 37 ++++++++++++++-----
3 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
index 5daf78de..344aa067 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
};
struct X509_POLICY_TREE_st {
+ /* The number of nodes in the tree */
+ size_t node_count;
+ /* The maximum number of nodes in the tree */
+ size_t node_maximum;
+
/* This is the tree 'level' data */
X509_POLICY_LEVEL *levels;
int nlevel;
@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
- X509_POLICY_TREE *tree);
+ X509_POLICY_TREE *tree,
+ int extra_data);
void policy_node_free(X509_POLICY_NODE *node);
int policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
index e2d7b153..d574fb9d 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
- X509_POLICY_TREE *tree)
+ X509_POLICY_TREE *tree,
+ int extra_data)
{
X509_POLICY_NODE *node;
+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
+ return NULL;
+
node = OPENSSL_zalloc(sizeof(*node));
if (node == NULL) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
}
node->data = data;
node->parent = parent;
- if (level) {
+ if (level != NULL) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
goto node_error;
@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
}
}
- if (tree) {
+ if (extra_data) {
if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
}
}
+ tree->node_count++;
if (parent)
parent->nchild++;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
index 6e8322cb..6c7fd354 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
@@ -13,6 +13,18 @@
#include "pcy_local.h"
+/*
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
+ * a generous default of 1000 nodes.
+ *
+ * Defining this to be zero means unlimited policy tree growth which opens the
+ * door on CVE-2023-0464.
+ */
+
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
+#endif
+
/*
* Enable this to print out the complete policy tree at various point during
* evaluation.
@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
return X509_PCY_TREE_INTERNAL;
}
+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
+
/*
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
*
@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
level = tree->levels;
if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
- if (level_add_node(level, data, NULL, tree) == NULL) {
+ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
policy_data_free(data);
goto bad_tree;
}
@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* Return value: 1 on success, 0 otherwise
*/
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_DATA *data)
+ X509_POLICY_DATA *data,
+ X509_POLICY_TREE *tree)
{
X509_POLICY_LEVEL *last = curr - 1;
int i, matched = 0;
@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (policy_node_match(last, node, data->valid_policy)) {
- if (level_add_node(curr, data, node, NULL) == NULL)
+ if (level_add_node(curr, data, node, tree, 0) == NULL)
return 0;
matched = 1;
}
}
if (!matched && last->anyPolicy) {
- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
return 0;
}
return 1;
@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
* Return value: 1 on success, 0 otherwise.
*/
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
- const X509_POLICY_CACHE *cache)
+ const X509_POLICY_CACHE *cache,
+ X509_POLICY_TREE *tree)
{
int i;
@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
/* Look for matching nodes in previous level */
- if (!tree_link_matching_nodes(curr, data))
+ if (!tree_link_matching_nodes(curr, data, tree))
return 0;
}
return 1;
@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (level_add_node(curr, data, node, tree) == NULL) {
+ if (level_add_node(curr, data, node, tree, 1) == NULL) {
policy_data_free(data);
return 0;
}
@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
}
/* Finally add link to anyPolicy */
if (last->anyPolicy &&
- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
return 0;
return 1;
}
@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = policy_cache_set(curr->cert);
- if (!tree_link_nodes(curr, cache))
+ if (!tree_link_nodes(curr, cache, tree))
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
--
2.33.0

628
0036-test-add-test-cases-for-the-policy-resource-overuse.patch Normal file
View File

@ -0,0 +1,628 @@
From 29c7751baf59ee8e210102df5d4107b709161024 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 8 Mar 2023 14:39:25 +1100
Subject: [PATCH 02/11] test: add test cases for the policy resource overuse
These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doesn't.
The large tree would consume over 150Gb of RAM to process.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
reference: https://github.com/openssl/openssl/pull/20569
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../test/recipes/80-test_policy_tree.t | 41 ++
.../80-test_policy_tree_data/large_leaf.pem | 11 +
.../large_policy_tree.pem | 434 ++++++++++++++++++
.../80-test_policy_tree_data/small_leaf.pem | 11 +
.../small_policy_tree.pem | 70 +++
5 files changed, 567 insertions(+)
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree.t
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_leaf.pem
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_policy_tree.pem
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_leaf.pem
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_policy_tree.pem
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree.t
new file mode 100644
index 00000000..606ad05e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree.t
@@ -0,0 +1,41 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use POSIX;
+use OpenSSL::Test qw/:DEFAULT srctop_file with data_file/;
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Glob;
+
+setup("test_policy_tree");
+
+plan tests => 2;
+
+# The small pathological tree is expected to work
+my $small_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
+ "small_policy_tree.pem");
+my $small_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
+ "small_leaf.pem");
+
+ok(run(app(["openssl", "verify", "-CAfile", $small_chain,
+ "-policy_check", $small_leaf])),
+ "test small policy tree");
+
+# The large pathological tree is expected to fail
+my $large_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
+ "large_policy_tree.pem");
+my $large_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
+ "large_leaf.pem");
+
+ok(!run(app(["openssl", "verify", "-CAfile", $large_chain,
+ "-policy_check", $large_leaf])),
+ "test large policy tree");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_leaf.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_leaf.pem
new file mode 100644
index 00000000..39ed6a7f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_leaf.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmTCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp6Qe
+jrN6A0ZjqaFbX/zO01aVYXH5kthBDTEO/fU4H0CdwqrfyMsFrObwssrTJcsmSFKP
+x1FYr8wT2wCACs19lqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
+BAMCA0gAMEUCIDGT8SVBkWJEZ2EzXm8M895NrNRmfc8uoheP0KKv+ndHAiEA2Onr
+20J+zTaR7vONY/1DleMm7fGY3UxTobSHSvOKbfY=
+-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_policy_tree.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_policy_tree.pem
new file mode 100644
index 00000000..5cd31c35
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/large_policy_tree.pem
@@ -0,0 +1,434 @@
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgyLz1C0dD
+ib5J/QmoE4d+Nf5yvvlzjVZHWIu7iCMEqK67cnA1RtMp1d0xdiNQS6si3ExNPBF+
+ELdkP0E6x26Jo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSs+ml5upH1h25oUB0Ep4vd
+SUdZ/DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAOME8j1/cMogNnuNCb0O
+RIOE9pLP4je78KJiP8CZm0iOAiALr8NI67orD/VpfRptkjCmOd7rTWMVOOJfBr6N
+VJFLjw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIdzU/FF3Y
+rTsTX04fRIN2yrZwxvOAfZ6DuEgKRxEimJx1nCyETuMmfDowm52mx/Cyk08xorp8
+PhGEbacMd9kio4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSwok/8RfJbVGTzyF5jhWLc
+hO7pcDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgYVF7bXxUuOzAZF6SmeIJ
+s+iL15bLSQ2rW7QDc6QYp9MCIAup6YokIcr8JaGttHmLaKbASQLxYDGHhfFIVZuI
+BDvT
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ38Llxxj32
+H3NN4Z1V8IuRKXLNhdU4z+NbT1rahusEyAHF+z9VTjim+HHfqFKV1QyNOJZ4rMA9
+J/gODWsNCT4po4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS11YgFNKTx3a6kssIijnA9
+DiOhoTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAJXNZHMpvlnMfxhcG6EF
+Vw1pEXJ+iZnWT+Yu02a2zhamAiAiOKNhALBw/iKhQrwLo0cdx6UEfUKbaqTSGiax
+tHUylA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATo81HWQ/we
+egmoO/LMntQK1VQ9YzU627nblv/XWoOjEd/tBeE8+Un4jUnhZqNrP2TAzy48jEaT
+1DShCQNQGek7o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS6/F38QgbZSHib0W1XtMfs
+4O5DTDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgXMYCQWi5/6iQw+zqyEav
+CE7kOfTpm9GN4bZX5Eau5AACIQD0rDZwsjWf6hI2Hn8IlpwYVVC9bpxrAM/JmYuu
+79V/uw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARsPMjOkmzJ
+2jwT30mKUvAFYVgOlgcoXxYr61p54mbQMmmH49ABmJQMu5rjwjwYlYA3UzbEN9ki
+hMsJz/4JIrJGo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeflZRWUze+7jne9MkYYy5
+iWFgJDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAIN6BjMnPlixl3i6Z1Xa
+pZQt52MOCHPm0XzXDn2XlC9+AiAn146u8rbppdEGMFr21vfFZaktwEb0cZkC9fBp
+S1uKwQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBBjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVmpozZzxX
+f6rFinkqS0y8sfbOwcM0gNuR0x83mmZH5+a8W4ug5W80QiBaS3rHtwTsFHpCeQKq
+eJvfb/esgJu8o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQPuF2sXR0vOHJynh57qefK
++h7RGDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgDX0jHPq1alZoMbPDmbZp
+QYuM9UQagQ5KJgVU1B0Mh2ECIQCtdyfT2h5jZvz3lLKkQ9a6LddIuqsyNKDAxbpb
+PlBOOA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgODAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb+9fN9RLe
+SHGynsKXhLWGhIS/kZ6Yl97+h23xpjLaZUOzhn5VafXdmLrQ4BmqSMHqIKzcc8IB
+STV3NwO4NxPBo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTBF9x+MrsyqoCaTQ2kB7Bn
+tpK2qDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAI37Di/5MrSj2clr+2pX
+iXzeDIvlaxzVetyH3ibUZZBSAiA41aPIssHi9evv2mZonEvXY8g+DKbh/3L2mSub
+/AyLoA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbagAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgOTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrRS12/zEP
+RUNye9SLadN4xK+xfTwyXfxeC+jam+J98lOMcHz6abnLpk5tJ7wab4Pkygsbj1V2
+STxeW+YH23dto4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQYpYFLhosbir7KoyYdehsQ
+6DdLfzAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAPTCN+zWFG2cFzJ+nlfg
+JMY4U2e3vqTQmFeBXYlBASb9AiEA0KvsyNwloF1YeeaYcP5iHoRGRo8UMD3QWKEE
+vWI14Uk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbegAwIBAgIBCTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBYxFDASBgNV
+BAMTC1BvbGljeSBDQSA5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoR4udEgt
+usb9f946+Xznm7Q3OaW4DTZjO7wqX1I+27zDp0JrUbCZwtm0Cw+pYkG5kPpNcFTK
+7yG3YgqM1sT+6aOB8jCB7zAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjgtOHvFBcUQ03AKUbvuJ
+IWO5lzUwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwcQYD
+VR0hBGowaDAYBgpghkgBZQMCATABBgpghkgBZQMCATABMBgGCmCGSAFlAwIBMAEG
+CmCGSAFlAwIBMAIwGAYKYIZIAWUDAgEwAgYKYIZIAWUDAgEwATAYBgpghkgBZQMC
+ATACBgpghkgBZQMCATACMAoGCCqGSM49BAMCA0cAMEQCICIboTAzG1DvCY/0tA/o
+l18zrW9qKVnt4mxih5JQe4fOAiBOF2ZeUT2/ZtdFhZmg+zl/fGrQ1xEx09/S956k
+Ig4S9Q==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBCjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLxetqJp
+VR6apJytboxFCCooQ7jVcc7yoHhjlH8HsaJS3GrWpyMgiqOfyWt4KFMynKkgCU1K
+1QcU9aC5BfRQpyWjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD6etMtD6Qpa7TjVQBgV
+/4PhZP4DMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA+5uiOjJoq5nU7lKN
+rZtBdYNqUKvHuYB+jiNEfWvxx2cCIFZEJCGw8fzqkAyGWkLe10w8PUzPM64nh757
+pEtxCzZh
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBCzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPQuXEeo
+BrbyENdz9HqAoWMSQx1BErsUcQaneq3L0/VHHJBPKihb8s4nB/2yZaEarr8LFAvi
+ofx+4egydkP0mJ+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIoC4qL79Uy3+m26Y+ch
++sE6gCOMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAx/vMDhaH4EYTM2v9
+GeM1xTP9pNRgak69JQLKLu1VM1YCIF1RYC8Fma5Bc0cZAYY+Gj7dEf9qHj1TODA5
+C9es2CPY
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbigAwIBAgIBDDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDlEv73o
+ej8Xvc3UodhSHkech80DbuBKdeldOTrRp6ZaVUP3vMgjNUJkh4WkvP3UVTe5SV4D
+zQXDIiwAEJu+zdmjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCAn0wYXyRdliJOBFvvJ
+eZoGTiyOMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiAo2PPmLBZpcT0bst/C
+SXvnl3gztIZu89O1MKsNwFcM9QIgIzqZx/o9MF/fP7zbLWErVcUQViOGiCRBLVh7
+ppb7CoA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBDTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8mgAoN
+rmFo937IBKXKuxHedUjOL7y3cpDYD1H3C4HRDBQDVOL31lC5kJUhS4HBLvJQwebR
+2kW35E3AnhbY/oKjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBGbO20Xp/q0fPChjLHL
+WuJwSNc1MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA3qGzdevdYfmiSBj9
+t9oE8hfEP+APqGiStlOLKD6xVK0CIQDq9cVa2KXMEz7YwmMO3lxoQFDPEXftbRaC
+edFB7q/YXg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBDjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHDiOMtx
+5sfJs/WDnw0xS5NYlkbgy2eOZHAmC/jhRp6cjShZrr2/S4IJsH8B2VMcYAHgum6a
+eMjqWFIMxIjN5xyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOWtYUeAPk66m0o6Z7ax
+1RN42wmkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA+AcazVKKPfqkpcJw
+rkXWIyZrTe+1PNETQzaJCooGNGkCIQDdfHf1I78e+ogaDcjkDe0s3R9VhkvjCty6
+uKKFtNGHMQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBDzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKCkdSYz
++zyHItG2rQSyCh018b4bu9Zrw8nzkCBgkT2IyycNtpabYkWhxcEL29ZFqBnB+l7N
+5fYmHl5CmflJPh+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNanrmjMEN3PndPGeucm
+mST9ucNWMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiAFt48yhTTv0rP29N8H
+yRhAQGfnV4t1b8JucixLSfe32QIhAOef6iiwLxbBOMUn5ZN/WAK5TERem6DLSzWN
+/PTXHAAt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbigAwIBAgIBEDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH5txyDp
+DfRsIyYPTAQ+fuxk08E3/tpChVWoog4XQvod61wcUO1/nhoTGNKZZOhN5uhKWJWb
+1futz+XxV2QxTCyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHSlcxgh3gxgVag1JvAk
+zbHlgMbEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiA9Ee47PnxqW0QmELB+
+dd90Fz8wcQFZlNmkPW4Oq2xr/wIgGlxfutQq7l3TU5hyyO0Lh01AHn2DC5KPFPwE
+l8S9VeY=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBETAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJvlQKB
+gJZ+Tysa6iwhllPXCeJrkan6WUm+oqOIY02/SpI5Mba1Kwg73Fsswx3Eywt8sxA2
+4fiaqwg+xZoil06jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM/udZ1ib8qDfShdfdfX
+8gL6w7VMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA6kK7vAYF2TPXzywn
++SDLsiGbU6Sj8aTtsJZf9DmhKr4CIQCt4FfI7IWinqNlURXe4HSBPsekcQkOpwjK
+PuJRx3fuFw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBEjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMTkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEerejCw
+gAy7GecLVbQw6eL8k1cGWwLt+wl3sn8he8fA0I+KoFfcOCgtvOF59RMXnjZ1+7OC
+kz3mNDVSbKY6KO2jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM0OUOtOKTcTMRXGQwbw
+GOoLCOEYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAziPsm2dArB/3ILqm
+04mZl8/DX6dB4EmU+FPF2UpAeLwCIQCofc27tisg3L1mPNeiwZ26+rDe5SdixiUc
+S3KWOJ1cTg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBEzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAxOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPmB5spr
+C64/21ssufcbshGnQtAWbk2o2l+ej6pMMPIZhmNyvM450L3dFX12UBNcaERCABmr
+BEJL7IubGWE9CVOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJCh/1mh0Hl2+LE0osUv
+OJCmV3IYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAtxMIkO4xCRSQCU6d
+0jt+Go4xj/R4bQFWbZrlS9+fYUECICuWAgT3evhoo34o04pU84UaYOvO5V0GJsTt
+hrS1v3hT
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBFDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHdvTDYo
+M/padIV3LdTnrzwMy1HSTeJ2aTUalkVV17uL2i3C51rWM2pl+qlRordq6W2GboMz
+/+78HhKMcCrMWKCjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAbZN0eSPw3MyvWIEix6
+GnYRIiFkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAlaapLXHwGNkeEwc0
+jsY2XhuR3RlVhD4T2k/QyJRQ0s0CIQD5E+e+5QTe5s+534Lwcxe2iFb3oFm+8g81
+OBVtfmSMGg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBFTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLTu8R5Y
+7Po4W05hWperfod6mXezwWgAVk2RW2EG2vy4NeZeML2EFhg2geNc6N5Goep9t7pn
+d+BtORRvR75oCDijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNs0d2vXsRj3YYsBrWDo
+jrvcEA+eMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBB603Ui+L60FcUWPrB
+Ch06hmgle2u0P07Go/XjTk00ZQIhALGhNArJFEY0gu+XUtyKEZt7BZ0/sh5dtLDP
+xkRgR6Wh
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBFjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPXpzC9/
+KGblQyjhdcS0a8KBPAiS7c0n+V0i9JItbyze38Ncrctp0wIGHZLjRoB4DZYX1I8e
+K5C7KVeUPEE9eOGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFISsw9orkX/cBVWcK5KA
+//kldz8HMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA1gazdApLS91ql8Am
+4gb4Ku7Lgll4jV+BrLkbABE2cI0CIQCEH1GUJ6ARJB1GdcHrPyaLgeZ5jV2p63UW
+UV2QL6aETA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBFzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKdweprb
+RZmuUk4og1Xa9Skb1vu7jsLozlm9CtDhKLbJ+cDX/VeKj/b8FuvakBO3L1QV5XU0
+iFswsIVBVZ3m+TyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPgcEbHfKHt0o/PCS0kD
+XWW9XkqMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA9XDj0w5qMS/tLlr9
+Z2j8JtVR4M7pF/Wx2U43vmPFJEACIBAlAiUnCm1Nfj16t2cojrW+m2t1cU80ihmj
+Ld1U+dRD
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbigAwIBAgIBGDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAq2PphK
+4oVsc+ml3zskBLiMa+dz64k+PrrfKIGSG2Ri5Du/orj0dO9639LeCkkMwWpXAfSx
+wxHHQX0I1KwsudGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEqcfkso+ynKq2eFaJy8
+mzNBdN2PMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiBZ71jDD33HFFqMkLAW
+gTAGMmzh9b/vZ8jAclPDKHRghQIgf2GBOF1eEF8Ino9F1n1ia5c3EryvXnvVoklw
+cjMIQ5g=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBGTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJRoDkj7
+iDlIygt4YmMgw4pizu2sx4436MGtw5fFHhjy7T+pPMGjYFg3dixxUOu1NHORpdJq
+8Y7SN8p8Y0XsDpijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOutMoKSOv5lEGZaqYZM
+zNFwpX3KMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAks62lsAHmN6xkZsF
+6ocGONpH/XmHLpoO6RfMoRCnWkICIFNFD+W6pSSvdDB96sn8jnZ7W/Y0hyLzscBO
+WtkzqqJJ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBGjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE3seRj5
+LVNKi9sZk7qv5cBVUG8BLXXfDRUhCUzT10YAU1J0yd2wmLTbwPyYm65GaecvAHSR
+SExOzX6bC35nNt6jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNx5XhDdoflDgPrW/HyU
+tCokuJ0AMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEApAQVb0KQedyAw1SJ
+J8At4uxxm2b8W13s6ENapxw+lwwCIQC7326NFPsDjbfBKhFDQhCIMkAkYq2wzRJ7
+ubTwkdT19g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBGzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC+FQF2E
+TrZ4YGNyxFxzpTQBjlu9QUrwgHzabAn47toqRkWUGAS68jBfSdR+j2c7/oehQHhO
+relHcbQilhZnh4ijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIOlwsa4FjZWhzQYTAY3
+c2TSYhsEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAwxNBi+8baAU76yng
++XvMpY62aqPO4bAe/uedaxBb2jMCIQDJHXqibgIAm1T4/YHimllVlLQudQL5OkbF
+Krj3uVHtBg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBHDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMjkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBmhjGvk
+C3QfSVdY5zuHEY4Rf3eKVro6vcKymgdBPFjjDggZNktR3OMnayCabJB51g2VL7Fg
+MegdwzJWzPvQreyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEvevGIfitXek0IStYIR
+5ne2SkJwMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBzlv0TggDJWUWx0UHl
+cqxuMpoNdy+ifizQIlcjWcrzvgIhAJdQfkPaZdc4/j/HfGaVNN9InJuBWGrPYU6A
+iwsSB0jY
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEzCCAbigAwIBAgIBHTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMzAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAyOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCrC5p+Z
+ywMukm1LRuXeJ5V1M6V+8A8PjqB3tgHVeEn973HOfia8lt2/7EoKaLKzP8A7D3eC
+aBJUmTgHauaolYOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGG5D5h1FRA+aZMbSXfZ
+Mp8pjYUEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAnI2IhyXtBCRiv+Xs
+EzsO497oVf1U8SJiVR8SaEx0gzgCIQC0+un/Hcb0OWvpvoeHKcRi7e8SZkX+vn2i
+u+KsPqlfzA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBHjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAzMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHg1qbhT
+bpV0agLQkk6di7EdwrrqIn7yCiBCfPwoDI7czY1bHwkR2E8EdrG4ZLBHHFXYNHau
+kEo9nueljxbA6MGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGXSqDk/Zov8a62kkXDr
+8YhtqdkTMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA1D2Fm3D8REQtj8o4
+ZrnDyWam0Rx6cEMsvmeoafOBUeUCIBW0IoUYmF46faRQWKN7R8wnvbjUw0bxztzy
+okUR5Pma
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEjCCAbigAwIBAgIBHzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
+Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
+BAMTDFBvbGljeSBDQSAzMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIwGMmHl
+/QJSpu6KHakSe4gkf3L+NpsrtQpxu6sNfmSjO++dGv6sj2v3+DZNeyagVUJRVHaD
+IZzpoyVVrBBO6vijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA+f9g1sP2kM5sOT/8Ge
+IDKq5FcUMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAvQlbAmF3pS041Zo2
+eHrxMO3j8thB+XqHU8RatCZ60WACIG1vUFPH7UwzTTann7Sgp4s+Gd/jLOkrJnEk
+W3De9dSX
+-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_leaf.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_leaf.pem
new file mode 100644
index 00000000..c40ddff9
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_leaf.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmjCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER7oh
+z+MnwilNhyEB2bZTuYBpeiwW4QlpYZU6b/8uWOldyMXCaPmaXwY60nrMznfFJX6F
+h8dC6XIzvQmjUMdSoqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
+BAMCA0kAMEYCIQC2km5juUULIRYsRgHuLFEiABBR0pDAyTbl9LRjlkSeEQIhAO9b
+ye60dMNbhY1OOzrr4mDRv0tuNmbGBErcFs61YZkC
+-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_policy_tree.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_policy_tree.pem
new file mode 100644
index 00000000..040542d1
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_policy_tree_data/small_policy_tree.pem
@@ -0,0 +1,70 @@
+-----BEGIN CERTIFICATE-----
+MIICETCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu7GyNFjN6
+Sqwk1CZAt+lzTC/Us6ZkO5nsmb8yAuPb6RJ0A2LvUbsmZea+UyBFq3VuEbbuCoeE
+KRbKkS6wefAzo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQkJvfn8gFHIXVTBJ4hrtP
+ypA9QTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhALn6/b3H+jLusJE5QiaS
+PiwrLcl+NDguWCnxo0c6AfduAiEApkXUN+7vRfXeFFd9CfA1BnTW3eUzBOsukZoN
+zaj+utk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+p+A+K6MI
+R3eVP/+2O7lam32HU10frEKpyQslZAabYJwkc9iq5WatMbTMPQibuOIWHFl02uJ8
+cxGKy/Hke8P5o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSSOt6HCXw+L/4uzJsInqqA
+XrWt8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgS/vh3osFy+q1MLuVnAdg
+gMINfiIJw1+3zbYsJYlNhWgCICu6Qgzee4NwIrJagcdVA0RAfnCOo6wfvikpl0ts
+EepA
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQONHKgpAJ6
+vE41FYBekpLzybpBQp/gUmgRPKrcL0z4lLTDjCG3j6yIbZma8u2bPM1MBXw5otZ7
+xVFhQ1AkZIOco4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ69465BL89BXORf4sSnneU
+exkm0jAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPK9PqPxgme9x6TPFh2z
+vv+qVEM2WxOTdRKOPgUYzCp9AiBl8qO3szv5jNDzb0fRIqVp37v9yBjWcgO9Wl02
+QDCpGw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLrUP7BFi7
++LE2uDVCZ2Z2HK6BpL/kjBbwKkLxlJe+LqNolzu53b8+WtHwrvPPVkD9t3KMdWXU
+K7NtHYgXUz07o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS0kaY2oJVEBLtjkqI8pXsv
+eqm3VDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAJuTMvMUda4Y29V1Tm5O
+jCqBThR2NwdQfnET1sjch3Q7AiEA7nEudfXKMljjz608aWtafTkw5V5I2/SbuUKr
+vjprfIo=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9RuYVzUGB
+FkAEM9kHe9xynDo/NcsiaAO3+E2u7jJQQN50d6hVEDHf9961omldhKhP4HTNfhqj
+VMIHKGMhXCgKo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTVrjWaVjkfMpilq5tGZ4zZ
+iJtaSDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPVgPpACX2ylQMEMSntw
+izxKHTSPhXuF6IHhNHRz7KFnAiB8y/QcF7N2iXNZEqffWSkVted/XOw3Xrck0sJ6
+4eXNcw==
+-----END CERTIFICATE-----
--
2.33.0

56
0037-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch Normal file
View File

@ -0,0 +1,56 @@
From 03afa0dfe07fc58931780105d2f1010cd9df26e2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 7 Mar 2023 16:52:55 +0000
Subject: [PATCH 03/11] Ensure that EXFLAG_INVALID_POLICY is checked even in
leaf certs
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
reference: https://github.com/openssl/openssl/pull/20588
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../Library/OpensslLib/openssl/crypto/x509/x509_vfy.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
index f28f2d26..0c6ebb45 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
@@ -1615,18 +1615,25 @@ static int check_policy(X509_STORE_CTX *ctx)
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
+ cbcalled = 1;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
--
2.33.0

48
0038-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch Normal file
View File

@ -0,0 +1,48 @@
From 751d202d04dc900154b25fbaf52d7d47b14f221d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 21 Mar 2023 16:15:47 +0100
Subject: [PATCH 04/11] Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.
Fixes: CVE-2023-0466
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
reference: https://github.com/openssl/openssl/pull/20564
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/CryptoPkg/Library/OpensslLib/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 7593dea7..102f0c08 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/CryptoPkg/Library/OpensslLib/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -374,6 +375,10 @@ and has no effect.
The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
=head1 COPYRIGHT
Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
--
2.33.0

67
0039-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch Normal file
View File

@ -0,0 +1,67 @@
From 65c0eaad449b809f827a177558a880522d18dd88 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 12 May 2023 10:00:13 +0200
Subject: [PATCH 05/11] Restrict the size of OBJECT IDENTIFIERs that
OBJ_obj2txt will translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
reference: https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../openssl/crypto/objects/obj_dat.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
index 46006fe6..14206390 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
@@ -427,6 +427,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
+ /*
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
+ *
+ * > 3.5. OBJECT IDENTIFIER values
+ * >
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
+ * > numbers. For the SMIv2, each number in the list is referred to as a
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
+ * > decimal).
+ *
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
+ * i.e. 586 bytes long.
+ *
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+ */
+ if (len > 586)
+ goto err;
+
while (len > 0) {
l = 0;
use_bn = 0;
--
2.33.0

63
0040-Add-a-test-for-CVE-2023-3446.patch Normal file
View File

@ -0,0 +1,63 @@
From 608d30d14e125a8b8352f864aa0a529418125697 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH 06/11] Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
reference: https://github.com/openssl/openssl/pull/21452
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../Library/OpensslLib/openssl/test/dhtest.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
index 9d5609b9..00b3c471 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
@@ -63,7 +63,7 @@ static int dh_test(void)
|| !TEST_true(DH_set0_pqg(dh, p, q, g)))
goto err1;
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
@@ -123,6 +123,17 @@ static int dh_test(void)
/* check whether the public key was calculated correctly */
TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
/*
* II) key generation
*/
@@ -137,7 +148,7 @@ static int dh_test(void)
goto err3;
/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
--
2.33.0

127
0041-Fix-DH_check-excessive-time-with-over-sized-modulus.patch Normal file
View File

@ -0,0 +1,127 @@
From 01fae0d95d961c14a7819e02ec16e43c1225dfa9 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH 07/11] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
reference: https://github.com/openssl/openssl/pull/21452
Signed-off-by: yexiao <yexiao7@huawei.com>
---
CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c | 6 ++++++
CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c | 3 ++-
CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt | 1 +
CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h | 4 ++++
.../Library/OpensslLib/openssl/include/openssl/dherr.h | 3 ++-
5 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
index 4ac169e7..e5f9dd50 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
index 7285587b..92800d3f 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
"dh_builtin_genparams"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
index 03d16406..a07f1a1b 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
DH_F_COMPUTE_KEY:102:compute_key
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
DH_F_DH_CHECK_EX:121:DH_check_ex
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
index 3527540c..ff00397c 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
@@ -30,6 +30,10 @@ extern "C" {
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
# endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+# endif
+
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define DH_FLAG_CACHE_MONT_P 0x01
diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
index 916b3bed..528c8198 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
# define DH_F_COMPUTE_KEY 102
# define DH_F_DHPARAMS_PRINT_FP 101
# define DH_F_DH_BUILTIN_GENPARAMS 106
+# define DH_F_DH_CHECK 126
# define DH_F_DH_CHECK_EX 121
# define DH_F_DH_CHECK_PARAMS_EX 122
# define DH_F_DH_CHECK_PUB_KEY_EX 123
--
2.33.0

965
0042-Update-further-expiring-certificates-that-affect-tes.patch Normal file
View File

@ -0,0 +1,965 @@
From 23b5325a3a8ebd268eab4b6df2df057d5c2c87aa Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 2 Jun 2022 18:12:05 +0200
Subject: [PATCH 08/11] Update further expiring certificates that affect tests
Namely the smime certificates used in test_cms
will expire soon and affect tests.
Fixes #15179
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
reference: https://github.com/openssl/openssl/pull/18481)
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../openssl/test/smime-certs/mksmime-certs.sh | 22 ++---
.../openssl/test/smime-certs/smdh.pem | 72 +++++++++------
.../openssl/test/smime-certs/smdsa1.pem | 86 +++++++++---------
.../openssl/test/smime-certs/smdsa2.pem | 86 +++++++++---------
.../openssl/test/smime-certs/smdsa3.pem | 86 +++++++++---------
.../openssl/test/smime-certs/smec1.pem | 36 ++++----
.../openssl/test/smime-certs/smec2.pem | 38 ++++----
.../openssl/test/smime-certs/smroot.pem | 90 +++++++++----------
.../openssl/test/smime-certs/smrsa1.pem | 90 +++++++++----------
.../openssl/test/smime-certs/smrsa2.pem | 90 +++++++++----------
.../openssl/test/smime-certs/smrsa3.pem | 90 +++++++++----------
11 files changed, 400 insertions(+), 386 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/mksmime-certs.sh b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/mksmime-certs.sh
index c98e164b..caa191ed 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/mksmime-certs.sh
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/mksmime-certs.sh
@@ -15,23 +15,23 @@ export OPENSSL_CONF
# Root CA: create certificate directly
CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \
- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
+ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
# EE RSA certificates: create request first
CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \
-keyout smrsa1.pem -out req.pem -newkey rsa:2048
# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \
-keyout smrsa2.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \
-keyout smrsa3.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
# Create DSA parameters
@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048
CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \
-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \
-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \
-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
# Create EC parameters
@@ -58,15 +58,15 @@ $OPENSSL ecparam -out ecp2.pem -name K-283
CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \
-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \
-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \
-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
# Create X9.42 DH parameters.
$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \
@@ -78,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \
-keyout smtmp.pem -out req.pem -newkey rsa:2048
# Sign request but force public key to DH
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-force_pubkey dhpub.pem \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
# Remove temp files.
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdh.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdh.pem
index f831b071..273dfca5 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdh.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdh.pem
@@ -1,33 +1,47 @@
-----BEGIN PRIVATE KEY-----
-MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ
-9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B
-mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF
-cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V
-thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh
-atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC
-FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA==
+MIICXAIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCB6AUA/1eXRh+iLWHXe+lUl6e+
++460tAIIpsQ1jw1ZaTmlH9SlrWSBNVRVHwDuBW7vA+lKgBvDpCIjmhRbgrZIGwcZ
+6ruCYy5KF/B3AW5MApC9QCDaVrG6Hb7NfpMgwuUIKvvvOMrrvn4r5Oxtsx9rORTE
+bdS33MuZCOIbodjs5u+e/2hhssOwgUTMASDwXppJTyeMwAAZ+p78ByrSULP6yYdP
+PTh8sK1begDG6YTSKE3VqYNg1yaE5tQvCQ0U2L4qZ8JqexAVHbR8LA8MNhtA1pma
+Zj4q2WNAEevpprIIRXgJEZY278nPlvVeoKfOef9RBHgQ6ZTnZ1Et5iLMCwYHAoIB
+AFVgJaHfnBVJYfaQh1NyoVZJ5xX6UvvL5xEKUwwEMgs8JSOzp2UI+KRDpy9KbNH7
+93Kwa2d8Q7ynciDiCmd1ygF4CJKb4ZOwjWjpZ4DedHr0XokGhyBCyjaBxOi3i4tP
+EFO8YHs5B/yOZHzcpTfs2VxJqIm3KF8q0Ify9PWDAsgo+d21/+eye60FHjF9o2/D
+l3NRlOhUhHNGykfqFgKEEEof3/3c6r5BS0oRXdsu6dx/y2/v8j9aJoHfyGHkswxr
+ULSBxJENOBB89C+GET6yhbxV1e4SFwzHnXgG8bWXwk7bea6ZqXbHq0pT3kUiQeKe
+assXKqRBAG9NLbQ3mmx8RFkCHQDIVBWPf6VwBa2s1CAcsIziVJ8qr/KAKx9DZ3h5
+BB4CHAF3VZBAC/TB85J4PzsLJ+VrOWr0c8kQlYUR9rw=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM
-BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC
-oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV
-Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5
-30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z
-EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh
-A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve
-cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw
-3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD
-umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf
-BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC
-AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi
-0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD
-48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d
-LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z
-vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu
-Uj6tw18ExOYxqoEGixNLPA5qsQ==
+MIIFmDCCBICgAwIBAgIUWlJkHZZ2eZgkGCHFtcMAjlLdDH8wDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgREggIzEwggNCMIICNQYHKoZIzj4C
+ATCCAigCggEBAIHoBQD/V5dGH6ItYdd76VSXp777jrS0AgimxDWPDVlpOaUf1KWt
+ZIE1VFUfAO4Fbu8D6UqAG8OkIiOaFFuCtkgbBxnqu4JjLkoX8HcBbkwCkL1AINpW
+sbodvs1+kyDC5Qgq++84yuu+fivk7G2zH2s5FMRt1Lfcy5kI4huh2Ozm757/aGGy
+w7CBRMwBIPBemklPJ4zAABn6nvwHKtJQs/rJh089OHywrVt6AMbphNIoTdWpg2DX
+JoTm1C8JDRTYvipnwmp7EBUdtHwsDww2G0DWmZpmPirZY0AR6+mmsghFeAkRljbv
+yc+W9V6gp855/1EEeBDplOdnUS3mIswLBgcCggEAVWAlod+cFUlh9pCHU3KhVknn
+FfpS+8vnEQpTDAQyCzwlI7OnZQj4pEOnL0ps0fv3crBrZ3xDvKdyIOIKZ3XKAXgI
+kpvhk7CNaOlngN50evReiQaHIELKNoHE6LeLi08QU7xgezkH/I5kfNylN+zZXEmo
+ibcoXyrQh/L09YMCyCj53bX/57J7rQUeMX2jb8OXc1GU6FSEc0bKR+oWAoQQSh/f
+/dzqvkFLShFd2y7p3H/Lb+/yP1omgd/IYeSzDGtQtIHEkQ04EHz0L4YRPrKFvFXV
+7hIXDMedeAbxtZfCTtt5rpmpdserSlPeRSJB4p5qyxcqpEEAb00ttDeabHxEWQId
+AMhUFY9/pXAFrazUIBywjOJUnyqv8oArH0NneHkDggEFAAKCAQBigH0Mp4jUMSfK
+yOhKlEfyZ/hj/EImsUYW4+u8xjBN+ruOJUTJ06Mtgw3g2iLkhQoO9NROqvC9rdLj
++j3e+1QWm9EDNKQAa4nUp8/W+XZ5KkQWudmtaojEXD1+kd44ieNLtPGuVnPtDGO4
+zPf04IUq7tDGbMDMMn6YXvW6f28lR3gF5vvVIsnjsd/Lau6orzmNSrymXegsEsFR
+Q7hT+/tPoAtro6Hx9rBrYb/0OCiRe4YuYrFKkC0aaJfUQepVyuVMSTxxKTzq8T06
+M8SBITlmkPFZJHyGzV/+a72hpJsAa0BaDnpxH3cFpEMzeYG1XQK461zexoIYN3ub
+i3xNPUzPo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4E
+FgQULayIqKcWHtUH4pFolI6dKxycIG8wHwYDVR0jBBgwFoAUFcETIWviVV+nah1X
+INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAKjKvvJ6Vc9HiQXACqqRZnekz2gO
+ue71nsXXDr2+y4PPpgcDzgtO3vhQc7Akv6Uyca9LY7w/X+temP63yxdLpKXTV19w
+Or0p4VEvTZ8AttMjFh4Hl8caVYk/J4TIudSXLIfKROP6sFu5GOw7W3xpBkL5Zio6
+3dqe6xAYK0woNQPDfj5yOAlqj1Ohth81JywW5h2g8GfLtNe62coAqwjMJT+ExHfU
+EkF/beSqRGOvXwyhSxFpe7HVjUMgrgdfoZnNsoPmpH3eTiF4BjamGWI1+Z0o+RHa
+oPwN+cCzbDsi9uTQJO1D5S697heX00zzzU/KSW7djNzKv55vm24znuFkXTM=
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa1.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa1.pem
index b424f670..0104e207 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa1.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa1.pem
@@ -1,47 +1,47 @@
-----BEGIN PRIVATE KEY-----
-MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
+MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
+ygQeAhwE9yuqObvNXzUTN+PY2rg00PzdyJw3XJAUrmlY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
-EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
-86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
-DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
-O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
-1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
-xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
-d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
-MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
-Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
-17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
-0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
+MIIFmjCCBIKgAwIBAgIUUoOmJmXAY29/2rWY0wJphQ5/pzUwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMxMIIDQzCCAjYGByqGSM44
+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBACGS7hCpTL0g
+lx9C1Bwz5xfVd0mwCqx9UGiH8Bf4lRsSagL0Irwvnjz++WH1vecZa2bWsYsPhQ+D
+KDzaCo20CYln4IFEPgY0fSE+KTF1icFj/mD+MgxWgsgKoTI120ENPGHqHpKkv0Uv
+OlwTImU4BxxkctZ5273XEv3VPQE8COGnXgqt7NBazU/O7vibFm0iaEsVjHFHYcoo
++sMcm3F2E/gvR9IJGaGPeCk0sMW8qloPzErWIugx/OGqM7fni2cIcZwGdju52O+l
+cLV0tZdgC7eTbVDMLspyuiYME+zvEzRwCQF/GqcCDSn68zxJv/zSNZ9XxOgZaBfs
+Na7e8YGATiujYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
+DgQWBBSFVrWPZrHzhHUg0MMEAAKwQIfsazAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAbm49FB+eyeX7OBUC/akhnkFw
+cDXqw7Fl2OibRK+g/08zp4CruwJdb72j5+pTmG+9SF7tGyQBfHFf1+epa3ZiIc+0
+UzFf2xQBMyHjesL19cTe4i176dHz8pCxx9OEow0GlZVV85+Anev101NskKVNNVA7
+YnB2xKQWgf8HORh66XVCk54xMcd99ng8xQ8vhZC6KckVbheQgdPp7gUAcDgxH2Yo
+JF8jHQlsWNcCGURDldP6FQ49TGWHj24IGjnjGapWxMUjvCz+kV6sGW/OIYu+MM9w
+FMIOyEdUUtKowWT6eXwrITup3T6pspPTicbK61ZCPuxMvP2JBFGZsqat+F5g+w==
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa2.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa2.pem
index 648447fc..7d5b969d 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa2.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa2.pem
@@ -1,47 +1,47 @@
-----BEGIN PRIVATE KEY-----
-MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
+MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
+ygQeAhwmRauZi+nQ3kQ+GSKD7JCwv8XkD9NObMGlW018
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
-h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
-tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
-LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
-3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
-KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
-qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
-VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
-uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
-6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
-2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
-GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
+MIIFmjCCBIKgAwIBAgIUHGKu2FMhT1wCiJTK3uAnklo55uowDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMyMIIDQzCCAjYGByqGSM44
+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAE0+OYS0s8/o
+HwuuiPsBZTlRynqdwF6FHdE0Ei2uVTxnJouPYB2HvaMioG2inbISzPtEcnLF9Pyx
+4hsXz7D49yqyMFjE3G8ObBOs/Vdno6E9ZZshWiRDwPf8JmoYp551UuJDoVaOTnhx
+pEs30nuidtqd54PMdWUQPfp58kTu6bXvcRxdUj5CK/PyjavJCnGfppq/6j8jtrji
+mOjIIeLZIbWp7hTVS/ffmfqZ8Lx/ShOcUzDa0VS3lfO28XqXpeqbyHdojsYlG2oA
+shKJL7/scq3ab8cI5QuHEIGSbxinKfjCX4OEQ04CNsgUwMY9emPSaNdYDZOPqq/K
+3bGk2PLcRsyjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
+DgQWBBTQAQyUCqYWGo5RuwGCtHNgXgzEQzAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAc3rayE2FGgG1RhLXAHYAs1Ky
+4fcVcrzaPaz5jjWbpBCStkx+gNcUiBf+aSxNrRvUoPOSwMDLpMhbNBj2cjJqQ0W1
+oq4RUQth11qH89uPtBqiOqRTdlWAGZJbUTtVfrlc58DsDxFCwdcktSDYZwlO2lGO
+vMCOn9N7oqEEuwRa++xVnYc8ZbY8lGwJD3bGR6iC7NkYk+2LSqPS52m8e0GO8dpf
+RUrndbhmtsYa925dj2LlI218F3XwVcAUPW67dbpeEVw5OG8OCHRHqrwBEJj2PMV3
+tHeNXDEhjTzI3wiFia4kDBAKIsrC/XQ4tEiFzq0V00BiVY0ykhy+v/qNPskTsg==
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa3.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa3.pem
index 77acc5e4..6df46994 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa3.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smdsa3.pem
@@ -1,47 +1,47 @@
-----BEGIN PRIVATE KEY-----
-MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
+MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
+ygQfAh0AkfI6533W5nBIVrDPcp2DCXC8u2SIwBob6OoK5A==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
-msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
-zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
-cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
-N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
-2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
-FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
-pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
-YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
-khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
-Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
-4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
+MIIFmjCCBIKgAwIBAgIUO2QHMd9V/S6KlrFDIPd7asRP4FAwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMzMIIDQzCCAjYGByqGSM44
+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAEj25Os9f57G
+TaxsP8NzdCRBThCLqZWqLADh6S/aFOQQFpRRk3vGkvrOK/5La8KGKIDyzCEQo7Kg
+sPwI1o4N5GKx15Cer2ekDWLtP4hA2CChs4tWJzEa8VxIDTg4EUnASFCbfDUY/Yt0
+5NM4nxtBhnr6PT7XmRehEFaTAgmsQFJ29jKx4tJkr+Gmj9J4i10CPd9DvIgIEnNt
+rYMAlfbGovaZVCgKp5INVA4IkDfCcbzDeNiOGaACeV+4QuEbgIbUhMq9vbw3Vvqe
+jwozPdrTYjd7oNxx/tY7gqxFRFxdDPXPno230afsAJsHmNF7lpj9Q4vBhy8w/EI1
+jGzuiXjei9qjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
+DgQWBBTwbCT+wSR9cvTg70jA2yIWgQSDZjAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAe5t9oi8K76y+wnV6I21vKgEh
+M6DEe3+XTq10kAgYbcbMm+a6n86beaID7FANGET+3bsShxFeAX9g4Qsdw+Z3PF3P
+wvqiBD8MaXczj28zP6j9TxsjGzpAsV3xo1n7aQ+hHzpopJUxAyx4hLBqSSwdj/xe
+azELeVKoXY/nlokXnONWC5AvtfR7m7mKFPOmUghbeGCJH7+FXnC58eiF7BEpSbQl
+SniAdQFis+Dne6/kwZnQQaSDg55ELfaZOLhaLcRtqqgU+kv24mXGGEBhs9bBKMz5
+ZNiKLafE3tCGRA5iMRwzdeSgrdnkQDHFiYXh3JHk5oKwGOdxusgt3DTHAFej1A==
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec1.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec1.pem
index 75a86266..a94f65c6 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec1.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec1.pem
@@ -1,22 +1,22 @@
-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS
-DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV
-3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdOomk0EB/oWMnTZB
+Qm5XMjlKnZNF4PMpwgov0Tj3u8OhRANCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ
+7hpSjs4bd95L+Lli+O91/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Ky
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I
-iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi
-ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
-MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK
-Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy
-WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt
-7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV
-FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y
-S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1
-DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7
-qtcHJA==
+MIICrTCCAZWgAwIBAgIUdLT4B443vbxt0B8Mzy0sR4+6AyowDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzEwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ7hpSjs4bd95L+Lli+O91
+/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Kyo2AwXjAMBgNVHRMBAf8EAjAAMA4G
+A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUOia9H7l0qw3ftsDgEEeSBrHwQrwwHwYD
+VR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQELBQADggEB
+AC7h/QkMocYANPqMQAO2okygG+OaE4qpKnlzHPUFMYedJGCvAWrwxu4hWL9T+hZo
+qilM7Fwaxw/P4Zaaa15SOOhXkIdn9Fu2ROmBQtEiklmWGMjiZ6F+9NCZPk0cTAXK
+2WQZOy41YNuvts+20osD4X/8x3fiARlokufj/TVyE73wG8pSSDh4KxWDfKv5Pi1F
+PC5IJh8XVELnFkeY3xjtoux5AYT+1xIQHO4eBua02Y1oPiWG7l/sK3grVlxrupd9
+pXowwFlezWZP9q12VlWkcqwNb9hF9PkZge9bpiOJipSYgyobtAnms/CRHu3e6izl
+LJRua7p4Wt/8GQENDrVkHqU=
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec2.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec2.pem
index 457297a7..3fe14b3a 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec2.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smec2.pem
@@ -1,23 +1,23 @@
-----BEGIN PRIVATE KEY-----
-MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl
-brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7
-uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8
-6bQ=
+MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAEkuzLBwx5bIw3Q2PMNQ
+HzaY8yL3QLjzaJ8tCHrI/JTb9Q7VoUwDSgAEAu8b2HvLzKd0qhPtIw65Lh3OgF3X
+IN5874qHwt9zPSvokijSAH3v9tcBJPdRLD3Lweh2ZPn5hMwVwVorHqSgASk5vnjp
+HqER
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+
-huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj
-JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
-BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA
-FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez
-ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK
-xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0
-uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P
-rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq
-IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0
-4ZdCllHZkhop
+MIICsjCCAZqgAwIBAgIUFMjrNKt+D8tzvn7jtjZ5HrLcUlswDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzIwXjAQBgcqhkjOPQIBBgUr
+gQQAEANKAAQC7xvYe8vMp3SqE+0jDrkuHc6AXdcg3nzviofC33M9K+iSKNIAfe/2
+1wEk91EsPcvB6HZk+fmEzBXBWisepKABKTm+eOkeoRGjYDBeMAwGA1UdEwEB/wQC
+MAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBSqWRYUy2syIUwfSR31e19LeNXK
+9TAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsF
+AAOCAQEASbh+sI03xUMMzPT8bRbWNF5gG3ab8IUzqm05rTa54NCPRSn+ZdMXcCFz
+5fSU0T1dgEjeD+cCRVAZxskTZF7FWmRLc2weJMf7x+nPE5KaWyRAoD7FIKGP2m6m
+IMCVOmiafuzmHASBYOz6RwjgWS0AWES48DJX6o0KpuT4bsknz+H7Xo+4+NYGCRao
+enqIMZmWesGVXJ63pl32jUlXeAg59W6PpV2L9XRWLzDW1t1q2Uji7coCWtNjkojZ
+rv0yRMc1czkT+mAJRAJ8D9MoTnRXm1dH4bOxte4BGUHNQ2P1HeV01vkd1RTL0g0R
+lPyDAlBASvMn7RZ9nX8G3UOOL6gtVA==
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smroot.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smroot.pem
index d1a253f4..9af38d31 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smroot.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smroot.pem
@@ -1,49 +1,49 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq
-nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL
-DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc
-BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI
-MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV
-kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q
-LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c
-b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R
-Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu
-ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4
-Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF
-ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp
-PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx
-mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw
-nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z
-8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw
-fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu
-PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T
-5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP
-aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq
-qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr
-yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK
-NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53
-bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI
-vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
-KfvPCYimQwBjVrEnSntLPR0=
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDZLSl8LdU54OUA
+T8ctFuKLShJul2IMzaEDkFLoL4agccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7Ke
+iSuFJOrQtvDt+HkU5c706YDmw15mBpDSHapkXr80G/ABFbstWafOfagVW45wv65K
+H4cnpcqwrLhagmC8QG0KfWbf+Z2efOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+Ubzg
+cY4Y/hJ7Fw1/IeEhgr/iVJhQIUAklp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR
+0YZWyIKfKzbeJLBzDqY2hQzVL6kAvY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt
++UTEkuBdAgMBAAECggEAF3Eagz7nPyIZVdlGpIVN2r8aEjng6YTglmPjrxBCNdtS
+F6AxvY9UKklIF2Gg4tXlhU0TlDWvedM4Koif2/VKK1Ez3FvvpePQXPs/YKlB7T1U
+MHnnRII9nUBOva88zv5YcJ97nyKM03q9M18H1a29nShnlc1w56EEpBc5HX/yFYMv
+kMYydvB5j0DQkJlkQNFn4yRag0wIIPeyXwwh5l98SMlr40hO10OYTOQPrrgP/ham
+AOZ//DvGo5gF8hGJYoqG4vcYbxRfTqbc2lQ4XRknOT182l9gRum52ahkBY6LKb4r
+IZXPStS6fCAR5S0lcdBb3uN/ap9SUfb9w/Dhj5DZAQKBgQDr06DcsBpoGV2dK9ib
+YL5MxC5JL7G79IBPi3ThRiOSttKXv3oDAFB0AlJvFKwYmVz8SxXqQ2JUA4BfvMGF
+TNrbhukzo0ou5boExnQW/RjLN3fWVq1JM7iLbNU9YYpPCIG5LXrt4ZDOwITeGe8f
+bmZK9zxWxc6BBJtc3mTFS5tm4QKBgQDrwRyEn6oZ9TPbR69fPgWvDqQwKs+6TtYn
+0otMG9UejbSMcyU4sI+bZouoca2CzoNi2qZVIvI9aOygUHQAP7Dyq1KhsvYtzJub
+KEua379WnzBMMjJ56Q/e4aKTq229QvOk+ZEYl6aklZX7xnYetYNZQrp4QzUyOQTG
+gfxgxKi0/QKBgQCy1esAUJ/F366JOS3rLqNBjehX4c5T7ae8KtJ433qskO4E29TI
+H93jC7u9txyHDw5f2QUGgRE5Cuq4L2lGEDFMFvQUD7l69QVrB6ATqt25hhffuB1z
+DMDfIqpXAPgk1Rui9SVq7gqlb4OS9nHLESqLoQ/l8d2XI4o6FACxSZPQoQKBgQCR
+8AvwSUoqIXDFaB22jpVEJYMb0hSfFxhYtGvIZF5MOJowa0L6UcnD//mp/xzSoXYR
+pppaj3R28VGxd7wnP0YRIl7XfAoKleMpbAtJRwKR458pO9WlQ9GwPeq/ENqw0xYx
+5M+d8pqUvYiHv/X00pYJllYKBkiS21sKawLJAFQTHQKBgQCJCwVHxvxkdQ8G0sU2
+Vtv2W38hWOSg5+cxa+g1W6My2LhX34RkgKzuaUpYMlWGHzILpxIxhPrVLk1ZIjil
+GIP969XJ1BjB/kFtLWdxXG8tH1If3JgzfSHUofPHF3CENoJYEZ1ugEfIPzWPZJDI
+DL5zP8gmBL9ZAOO/J9YacxWYMQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
-JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
-LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
-J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
-MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
-untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
-i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
-AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
-Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
-zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
-9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
-7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
-Emsny2ah6fU2z7PztrUy/A80
+MIIDezCCAmOgAwIBAgIUBxh2L3ItsVPuBogDI0WfUX1lFnMwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
+NTEwMTUzMzEzWjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgUlNBIFJvb3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDZLSl8LdU54OUAT8ctFuKLShJul2IMzaEDkFLoL4ag
+ccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7KeiSuFJOrQtvDt+HkU5c706YDmw15m
+BpDSHapkXr80G/ABFbstWafOfagVW45wv65KH4cnpcqwrLhagmC8QG0KfWbf+Z2e
+fOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+UbzgcY4Y/hJ7Fw1/IeEhgr/iVJhQIUAk
+lp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR0YZWyIKfKzbeJLBzDqY2hQzVL6kA
+vY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt+UTEkuBdAgMBAAGjYzBhMB0GA1Ud
+DgQWBBQVwRMha+JVX6dqHVcg1s/zqXNkWTAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
+HVcg1s/zqXNkWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAvdAmpDPi1Wt7Hk30dXKF7Ug6MUKETi+uoO1Suo9JhNko
+/cpvoi8fbo/dnWVDfHVoItEn644Svver5UJdKJY62DvhilpCtAywYfCpgxkpKoKE
+dnpjnRBSMcbVDImsqvf1YjzFKiOiD7kcVvz4V0NZY91ZWwu3vgaSvcTJQkpWN0a+
+LWanpVKqigl8nskttnBeiHDHGebxj3hawlIdtVlkbQwLLwlVkX99x1F73uS33IzB
+Y6+ZJ2is7mD839B8fOVd9pvPvBBgahIrw5tzJ/Q+gITuVQd9E6RVXh10/Aw+i/8S
+7tHpEUgP3hBk1P+wRQBWDxbHB28lE+41jvh3JObQWQ==
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa1.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa1.pem
index d0d0b9e6..d32d8890 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa1.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa1.pem
@@ -1,49 +1,49 @@
-----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC
-xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID
-3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU
-/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D
-orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs
-CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH
-XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp
-KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i
-cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL
-s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35
-27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak
-cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT
-8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze
-j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG
-ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da
-ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk
-LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+
-msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q
-55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or
-sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8
-d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR
-355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG
-hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu
-iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
-1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn
-zQpuMJliRlrq/5JkIbH6SA==
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDax3T7alefZcbm
+CcdN0kEoBLwV8H25vre43RYjuPo64TBjeKUy27ayC1TXydF1eYm3HPrFYfkS0fZ6
+YK0xvwyxiQnesvcfnVe2fpXFPsl5RQvu1JKM7rJAuLC+YTRLez07IHhQnHQ25ZkR
++B4SL5mIhuOSJ9yyFJYJQ3Kdw/aX/jtnWVR8p3FyghJptWIm90ufW4xWFY0yNSW1
+KmkZuOWF7VPh5RC1C7woB/RHhyD2gOP7tF+eDJ/QbX4iki4gPRFHuNrSV8ZpvDkI
+qqyF5BW8tyJneDkoWW8IuEpmNIzfbOCHvI6y7roeAmRrwH4/o5WxaEIsnQ/3pNvj
+n6+vA+nfAgMBAAECggEAFR5MHQQYCYjDXoDoI7YdgwA+AFIoGLjKYZu5yjX4tZv3
+gJ/si7sTaMlY5cGTU1HUPirxIVeCjv4Eha31BJ3KsGJ9jj6Gm0nOuzd/O+ctKeRv
+2/HaDvpFlk4dsCrlkjmxteuS9u5l9hygniWYutcBwjY0cRnMScZcm0VO+DVVMDj0
+9yNrFzhlmqV+ckawjK/J91r0uvnCVIsGA6akhlc5K0gwvFb/CC1WuceEeGx/38k3
+4OuiHtLyJfIlgyGD8C3QfJlMOBHeQ/DCo6GMqrOAad/chtcO7JklcJ+k2qylP2gu
+e25NJCQVh+L32b9WrH3quH6fbLIg8a8MmUWl6te3FQKBgQDddu0Dp8R8fe2WnAE5
+oXdASAf2BpthRNqUdYpkkO7gOV0MXCKIEiGZ+WuWEYmNlsXZCJRABprqLw9O/5Td
+2q+rCbdG9mSW2x82t/Ia4zd3r0RSHZyKbtOLtgmWfQkwVHy+rED8Juie5bNzHbjS
+1mYtFP2KDQ5yZA95yFg8ZtXOawKBgQD85VOPnfXGOJ783JHepAn4J2x1Edi+ZDQ+
+Ml9g2LwetI46dQ0bF6V8RtcyWp0+6+ydX5U4JKhERFDivolD7Z1KFmlNLPs0cqSX
+5g5kzTD+R+zpr9FRragYKyLdHsLP0ur75Rh5FQkUl2DmeKCMvMKAkio0cduVpVXT
+SvWUBtkHXQKBgBy4VoZZ1GZcolocwx/pK6DfdoDWXIIhvsLv91GRZhkX91QqAqRo
+zYi9StF8Vr1Q5zl9HlSrRp3GGpMhG/olaRCiQu1l+KeDpSmgczo/aysPRKntgyaE
+ttRweA/XCUEGQ+MqTYcluJcarMnp+dUFztxb04F6rfvxs/wUGjVDFMkfAoGBAK+F
+wx9UtPZk6gP6Wsu58qlnQ2Flh5dtGM1qTMR86OQu0OBFyVjaaqL8z/NE7Qp02H7J
+jlmvJ5JqD/Gv6Llau+Zl86P66kcWoqJCrA7OU4jJBueSfadA7gAIQGRUK0Xuz+UQ
+tpGjRfAiuMB9TIEhqaVuzRglRhBw9kZ2KkgZEJyJAoGBANrEpEwOhCv8Vt1Yiw6o
+co96wYj+0LARJXw6rIfEuLkthBRRoHqQMKqwIGMrwjHlHXPnQmajONzIJd+u+OS4
+psCGetAIGegd3xNVpK2uZv9QBWBpQbuofOh/c2Ctmm2phL2sVwCZ0qwIeXuBwJEc
+NOlOojKDO+dELErpShJgFIaU
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
-2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
-+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
-Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
-bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
-kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
-E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
-WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
-lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
-GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
-9Hjq6s316fk4Ne0EUF3PbA==
+MIIDeTCCAmGgAwIBAgIUM6U1Peo3wzfAJIrzINejJJfmRzkwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMxMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA2sd0+2pXn2XG5gnHTdJBKAS8FfB9ub63uN0WI7j6
+OuEwY3ilMtu2sgtU18nRdXmJtxz6xWH5EtH2emCtMb8MsYkJ3rL3H51Xtn6VxT7J
+eUUL7tSSjO6yQLiwvmE0S3s9OyB4UJx0NuWZEfgeEi+ZiIbjkifcshSWCUNyncP2
+l/47Z1lUfKdxcoISabViJvdLn1uMVhWNMjUltSppGbjlhe1T4eUQtQu8KAf0R4cg
+9oDj+7Rfngyf0G1+IpIuID0RR7ja0lfGabw5CKqsheQVvLciZ3g5KFlvCLhKZjSM
+32zgh7yOsu66HgJka8B+P6OVsWhCLJ0P96Tb45+vrwPp3wIDAQABo2AwXjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUHw4Us7FXwgLtZ1JB
+MOAHSkNYfEkwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
+hvcNAQELBQADggEBAAMAXEjTNo7evn6BvfEaG2q21q9xfFear/M0zxc5xcTj+WP+
+BKrlxXg5RlVFyvmzGhwZBERsDMJYa54aw8scDJsy/0zPdWST39dNev7xH13pP8nF
+QF4MGPKIqBzX8iDCqhz70p1w2ndLjz1dvsAqn6z9/Sh3T2kj6DfZY3jA49pMEim1
+vYd4lWa5AezU3+cLtBbo2c2iyG2W7SFpnNTjLX823f9rbVPnUb93ZI/tDXDIf5hL
+0hocZs+MWdC7Ly1Ru4PXa6+DeOM0z673me/Q27e24OBbG2eq5g7eW5euxJinGkpI
+XGGKTKrBCPxSdTtwSNHU9HsggT8a0wXL2QocZ3w=
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa2.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa2.pem
index 2f17cb29..a7a21fc8 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa2.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa2.pem
@@ -1,49 +1,49 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2
-iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq
-V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD
-lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5
-U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3
-NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB
-Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1
-J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI
-dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW
-3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz
-XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK
-3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK
-Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa
-P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI
-LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN
-bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX
-q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8
-38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm
-hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t
-QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb
-0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS
-8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0
-KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e
-y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR
-hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
-yrLyf+8hjm6H6zkjqiOkHAl+
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkoMi4sqj2mN8j
+SaFAibXEfeYYrzBHIdCm/uaXWit81fXOSFVw1rbeAppxz7bOcSEN50lpdP2UX3/b
+FYFD3exHXjvch9NPNgQaNkCqTNTuYa2L9wrpltXnon7tH3W/zZfF+/qpUSu1f6rk
+GyxjVXxLwjIawCX0rbLcdFCVVy+EyvQkvSxXjafrDMzshWzPDbtjUv3SH6avqrPn
+4NX0fv3BdBwTfDLAw/m8nN+9B9Mg0V7UNM1IJY/Vo5pLhv+MrEf8SnAS+1Wt43rT
+3PY9iMZMMWUswdgmPY0yCN95ggwNrSMGV60yvEDxINWuJoR8s0lybDdFa+AB5v4T
+hqKpspFNAgMBAAECggEAZmWu0K5QJ7Y7Rlo9ayLicsFyk36vUESQZ6MF0ybzEEPi
+BkR2ZAX+vDuNQckm1pprlAcRZbactl35bT3Z+fQE1cgaZoC8/x6xwq2m0796pNPB
+v0zjqdBBOLAaSgjLm56wyd88GqZ8vZsTBnw3KrxIYcP13e5OcaJ0V/GOf/yfD0lg
+Tq9i7V5Iq++Fpo2KvJA8FMgqcfhvhdo40rRykoBfzEZpBk4Ia/Yijsbx5sE15pFZ
+DfmsMbD+vViuM8IavHo61mBNyYeydwlgIMqUgP/6xbYUov/XSUojrLG+IQuvDx9D
+xzTHGM+IBJxQZMza/mDVcjUAcDEjWt/Mve8ibTQCbwKBgQDyaiGsURtlf/8xmmvT
+RQQFFFsJ8SXHNYmnceNULIjfDxpLk1yC4kBNUD+liAJscoVlOcByHmXQRtnY1PHq
+AwyrwplGd82773mtriDVFSjhD+GB7I0Hv2j+uiFZury0jR/6/AsWKCtTqd0opyuB
+8rGZjguiwZIjeyxd8mL1dncUHwKBgQDxcNxHUvIeDBvAmtK65xWUuLcqtK9BblBH
+YVA7p93RqX4E+w3J0OCvQRQ3r1GCMMzFEO0oOvNfMucU4rbQmx1pbzF8aQU+8iEW
+kYpaWUbPUQ2hmBblhjGYHsigt/BrzaW0QveVIWcGiyVVX9wiCzJH5moJlCRK2oHR
+B36hdlmNEwKBgQCSlWSpOx4y4RQiHXtn9Eq6+5UVTPGIJTKIwxAwnQFiyFIhMwl0
+x3UUixsBcF3uz80j6akaGJF+QOmH+TQTSibGUdS3TMhmBSfxwuJtlu7yMNUu6Chb
+b/4AUfLKvGVRVCjrbq8Rhda1L3jhFTz0xhlofgFBOIWy2M96O5BlV24oBwKBgQDs
+cf93ZfawkGEZVUXsPeQ3mlHe48YCCPtbfCSr13B3JErCq+5L52AyoUQgaHQlUI8o
+qrPmQx0V7O662G/6iP3bxEYtNVgq1cqrpGpeorGi1BjKWPyLWMj21abbJmev21xc
+1XxLMsQHd3tfSZp2SIq8OR09NjP4jla1k2Ziz1lRuwKBgQCUJXjhW4dPoOzC7DJK
+u4PsxcKkJDwwtfNudVDaHcbvvaHELTAkE2639vawH0TRwP6TDwmlbTQJP4EW+/0q
+13VcNXVAZSruA9dvxlh4vNUH3PzTDdFIJzGVbYbV9p5t++EQ7gRLuLZqs99BOzM9
+k6W9F60mEFz1Owh+lQv7WfSIVA==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
-AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
-cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
-0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
-NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
-EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
-Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
-/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
-XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
-6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
-NzYzLAPBkHCMY0Is3KKIBw==
+MIIDeTCCAmGgAwIBAgIUTMQXiTcI/rpzqO91NyFWpjLE3KkwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA5KDIuLKo9pjfI0mhQIm1xH3mGK8wRyHQpv7ml1or
+fNX1zkhVcNa23gKacc+2znEhDedJaXT9lF9/2xWBQ93sR1473IfTTzYEGjZAqkzU
+7mGti/cK6ZbV56J+7R91v82Xxfv6qVErtX+q5BssY1V8S8IyGsAl9K2y3HRQlVcv
+hMr0JL0sV42n6wzM7IVszw27Y1L90h+mr6qz5+DV9H79wXQcE3wywMP5vJzfvQfT
+INFe1DTNSCWP1aOaS4b/jKxH/EpwEvtVreN609z2PYjGTDFlLMHYJj2NMgjfeYIM
+Da0jBletMrxA8SDVriaEfLNJcmw3RWvgAeb+E4aiqbKRTQIDAQABo2AwXjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUSJ0v3SKahe6eKssR
+rBvYLBprFTgwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
+hvcNAQELBQADggEBAKoyszyZ3DfCOIVzeJrnScXuMvRkVqO5aGmgZxtY9r6gPk8v
+gXaEFXDKqRbGqEnuwEjpew+SVZO8nrVpdIP7fydpufy7Cu91Ev4YL1ui5Vc66+IK
+7dXV7eZYcH/dDJBPZddHx9vGhcr0w8B1W9nldM3aQE/RQjOmMRDc7/Hnk0f0RzJp
+LA0adW3ry27z2s4qeCwkV9DNSh1KoGfcLwydBiXmJ1XINMFH/scD4pk9UeJpUL+5
+zvTaDzUmzLsI1gH3j/rlzJuNJ7EMfggKlfQdit9Qn6+6Gjk6T5jkZfzcq3LszuEA
+EFtkxWyBmmEgh4EmvZGAyrUvne1hIIksKe3iJ+E=
-----END CERTIFICATE-----
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa3.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa3.pem
index 14c27f64..980d3af3 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa3.pem
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/smrsa3.pem
@@ -1,49 +1,49 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
-OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
-Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
-63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
-XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
-vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
-L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
-lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
-BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
-OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
-i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
-snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
-wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
-8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
-ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
-oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
-LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
-yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
-2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
-RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
-KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
-isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
-rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
-IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
-yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
-RvOAi5wVkYylDxV4238MAZIq
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167
+toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB
+GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi
+ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK
+2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M
+jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq
+DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb
+Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ
+0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh
+/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG
+A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI
+vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I
+pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi
+YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS
+wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+
+BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto
+NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o
+c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K
+7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt
+oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L
+3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk
+YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr
+Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs
+Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz
+TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X
+fNcb5iDYqZRzD8ixBbLxUw==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
-FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
-STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
-m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
-v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
-1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
-sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
-VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
-O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
-tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
-CscFo2Z2pYROGtZDmYqhRw==
+MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC
+XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+
+qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK
+wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI
+U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N
+f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi
+V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
+hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq
+112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd
+CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2
+iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW
+ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE
+BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg=
-----END CERTIFICATE-----
--
2.33.0

60
0043-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch Normal file
View File

@ -0,0 +1,60 @@
From 6b25764750b0e484d3fc09f27a75ff2428c46cd6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 21 Jul 2023 11:39:41 +0200
Subject: [PATCH 09/11] DH_check(): Do not try checking q properties if it is
obviously invalid
If |q| >= |p| then the q value is obviously wrong as q
is supposed to be a prime divisor of p-1.
We check if p is overly large so this added test implies that
q is not large either when performing subsequent tests using that
q value.
Otherwise if it is too large these additional checks of the q value
such as the primality test can then trigger DoS by doing overly long
computations.
Fixes CVE-2023-3817
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
reference: https://github.com/openssl/openssl/pull/21551
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../Library/OpensslLib/openssl/crypto/dh/dh_check.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
index e5f9dd50..28543412 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
int DH_check(const DH *dh, int *ret)
{
- int ok = 0, r;
+ int ok = 0, r, q_good = 0;
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
@@ -119,7 +119,14 @@ int DH_check(const DH *dh, int *ret)
if (t2 == NULL)
goto err;
- if (dh->q) {
+ if (dh->q != NULL) {
+ if (BN_ucmp(dh->p, dh->q) > 0)
+ q_good = 1;
+ else
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ }
+
+ if (q_good) {
if (BN_cmp(dh->g, BN_value_one()) <= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
else if (BN_cmp(dh->g, dh->p) >= 0)
--
2.33.0

50
0044-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch Normal file
View File

@ -0,0 +1,50 @@
From 105313716572d888f9b3ed0472f4ce9e15352407 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 25 Jul 2023 15:56:53 +0200
Subject: [PATCH 10/11] dhtest.c: Add test of DH_check() with q = p + 1
This must fail with DH_CHECK_INVALID_Q_VALUE and
with DH_CHECK_Q_NOT_PRIME unset.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
reference: https://github.com/openssl/openssl/pull/21551
Signed-off-by: yexiao <yexiao7@huawei.com>
---
CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
index 00b3c471..d7e10ebd 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c
@@ -123,6 +123,15 @@ static int dh_test(void)
/* check whether the public key was calculated correctly */
TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))
+ goto err3;
+
+ if (!TEST_true(DH_check(dh, &i)))
+ goto err3;
+ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)
+ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))
+ goto err3;
+
/* Modulus of size: dh check max modulus bits + 1 */
if (!TEST_true(BN_set_word(p, 1))
|| !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
@@ -134,6 +143,9 @@ static int dh_test(void)
if (!TEST_false(DH_check(dh, &i)))
goto err3;
+ /* We'll have a stale error on the queue from the above test so clear it */
+ ERR_clear_error();
+
/*
* II) key generation
*/
--
2.33.0

118
0045-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch Normal file
View File

@ -0,0 +1,118 @@
From e4ee767dec6079c8c48ebacea19afdf2856dd755 Mon Sep 17 00:00:00 2001
From: liwei <liwei3013@126.com>
Date: Fri, 26 Jan 2024 18:45:28 +0800
Subject: [PATCH 11/11] Add NULL checks where ContentInfo data can be NULL
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
fix CVE-2024-0727
reference: https://github.com/openssl/openssl/pull/23361
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../OpensslLib/openssl/crypto/pkcs12/p12_add.c | 16 ++++++++++++++++
.../OpensslLib/openssl/crypto/pkcs12/p12_mutl.c | 5 +++++
.../OpensslLib/openssl/crypto/pkcs12/p12_npas.c | 5 +++--
.../OpensslLib/openssl/crypto/pkcs7/pk7_mime.c | 8 ++++++--
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c
index af184c86..9b40e538 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c
@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c
index 3658003f..766c9c1e 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c
@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (!p12->mac->iter)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c
index 0334289a..13033763 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c
@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c
index 19e68681..b457108c 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c
@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
{
STACK_OF(X509_ALGOR) *mdalgs;
int ctype_nid = OBJ_obj2nid(p7->type);
- if (ctype_nid == NID_pkcs7_signed)
+
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;
--
2.33.0

920
0046-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch Normal file
View File

@ -0,0 +1,920 @@
From ab159257aac77fb718dedbac0c55ab179d1cfcb2 Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:01 +0800
Subject: [PATCH 01/10] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117
- CVE 2022-36763
This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36763.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpm2MeasureBootLib.c | 48 ++-
.../DxeTpm2MeasureBootLib.inf | 4 +-
.../DxeTpm2MeasureBootLibSanitization.c | 275 ++++++++++++++++
.../DxeTpm2MeasureBootLibSanitization.h | 113 +++++++
.../DxeTpm2MeasureBootLibSanitizationTest.c | 303 ++++++++++++++++++
...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++
6 files changed, 755 insertions(+), 16 deletions(-)
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 92eac715..72e9f5d3 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -19,6 +19,8 @@ Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
@@ -42,6 +44,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/SecurityManagementLib.h>
#include <Library/HobLib.h>
+#include "DxeTpm2MeasureBootLibSanitization.h"
+
//
// Flag to check GPT partition. It only need be measured once.
//
@@ -135,7 +139,8 @@ Tcg2MeasureGptTable (
UINT32 Index;
EFI_TCG2_EVENT *Tcg2Event;
EFI_GPT_DATA *GptData;
- UINT32 EventSize;
+ UINT32 TcgEventSize;
+ UINT32 AllocSize;
if (mTcg2MeasureGptCount > 0) {
return EFI_SUCCESS;
@@ -163,15 +168,21 @@ Tcg2MeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Failed to Read Partition Table Header!\n"));
+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}
//
// Read the partition entry.
//
- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ if (EFI_ERROR (Status)) {
+ FreePool (PrimaryHeader);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ EntryPtr = (UINT8 *)AllocatePool (AllocSize);
if (EntryPtr == NULL) {
FreePool (PrimaryHeader);
return EFI_OUT_OF_RESOURCES;
@@ -180,7 +191,7 @@ Tcg2MeasureGptTable (
DiskIo,
BlockIo->Media->MediaId,
MultU64x32(PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
+ AllocSize,
EntryPtr
);
if (EFI_ERROR (Status)) {
@@ -204,16 +215,21 @@ Tcg2MeasureGptTable (
//
// Prepare Data for Measurement
//
- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
- Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
+ if (EFI_ERROR (Status)) {
+ FreePool (PrimaryHeader);
+ FreePool (EntryPtr);
+ return EFI_DEVICE_ERROR;
+ }
+
+ Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (TcgEventSize);
if (Tcg2Event == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
return EFI_OUT_OF_RESOURCES;
}
- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
+ Tcg2Event->Size = TcgEventSize;
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
Tcg2Event->Header.PCRIndex = 5;
@@ -249,7 +265,7 @@ Tcg2MeasureGptTable (
Tcg2Protocol,
0,
(EFI_PHYSICAL_ADDRESS) (UINTN) (VOID *) GptData,
- (UINT64) EventSize,
+ (UINT64)TcgEventSize - OFFSET_OF (EFI_TCG2_EVENT, Event),
Tcg2Event
);
if (!EFI_ERROR (Status)) {
@@ -333,11 +349,13 @@ Tcg2MeasurePeImage (
Tcg2Event->Header.PCRIndex = 2;
break;
default:
- DEBUG ((
- EFI_D_ERROR,
- "Tcg2MeasurePeImage: Unknown subsystem type %d",
- ImageType
- ));
+ DEBUG (
+ (
+ DEBUG_ERROR,
+ "Tcg2MeasurePeImage: Unknown subsystem type %d",
+ ImageType
+ )
+ );
goto Finish;
}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
index 2506abbe..30583cf1 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
@@ -37,6 +37,8 @@
[Sources]
DxeTpm2MeasureBootLib.c
+ DxeTpm2MeasureBootLibSanitization.c
+ DxeTpm2MeasureBootLibSanitization.h
[Packages]
MdePkg/MdePkg.dec
@@ -46,6 +48,7 @@
[LibraryClasses]
BaseMemoryLib
+ SafeIntLib
DebugLib
MemoryAllocationLib
DevicePathLib
@@ -64,4 +67,3 @@
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
-
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
new file mode 100644
index 00000000..ef3b77b4
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -0,0 +1,275 @@
+/** @file
+ The library instance provides security service of TPM2 measure boot and
+ Confidential Computing (CC) measure boot.
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image and GPT partition.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ This file will pull out the validation logic from the following functions, in an
+ attempt to validate the untrusted input in the form of unit tests
+
+ These are those functions:
+
+ DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Library/SafeIntLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+
+#include "DxeTpm2MeasureBootLibSanitization.h"
+
+#define GPT_HEADER_REVISION_V1 0x00010000
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ )
+{
+ //
+ // Verify that the input parameters are safe to use
+ //
+ if (PrimaryHeader == NULL) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
+ //
+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
+ //
+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
+ //
+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // The partition entries should all be before the first usable block
+ //
+ if (PrimaryHeader->FirstUsableLBA <= PrimaryHeader->PartitionEntryLBA) {
+ DEBUG ((DEBUG_ERROR, "GPT PartitionEntryLBA is not less than FirstUsableLBA!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Check that the PartitionEntryLBA greater than the Max LBA
+ // This will be used later for multiplication
+ //
+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Check that the number of partition entries is greater than zero
+ //
+ if (PrimaryHeader->NumberOfPartitionEntries == 0) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
+ //
+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // This check is to prevent overflow when calculating the allocation size for the partition entries
+ // This check will be used later for multiplication
+ //
+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ )
+{
+ EFI_STATUS Status;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (AllocationSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Replacing logic:
+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
+ //
+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including
+ (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this
+ size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event))
+ from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+ UINT32 SafeNumberOfPartitions;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (EventSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
+ //
+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Replacing logic:
+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
+ //
+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ //
+ // Replacing logic:
+ // *EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
+ //
+ Status = SafeUint32Add (
+ OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions),
+ *EventSize,
+ EventSize
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
new file mode 100644
index 00000000..74af8c8b
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -0,0 +1,113 @@
+/** @file
+ This file includes the function prototypes for the sanitization functions.
+
+ These are those functions:
+
+ DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+#define DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/BlockIo.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/Tcg2Protocol.h>
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ );
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ );
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including
+ (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this
+ size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event))
+ from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
new file mode 100644
index 00000000..701d1b46
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -0,0 +1,303 @@
+/** @file
+ This file includes the unit test cases for the DxeTpm2MeasureBootLibSanitizationTest.c.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UnitTestLib.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/Tcg2Protocol.h>
+
+#include "../DxeTpm2MeasureBootLibSanitization.h"
+
+#define UNIT_TEST_NAME "DxeTpm2MeasureBootLibSanitizationTest"
+#define UNIT_TEST_VERSION "1.0"
+
+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000
+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1
+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128
+
+/**
+ This function tests the SanitizeEfiPartitionTableHeader function.
+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
+ structure will not cause undefined or unexpected behavior.
+
+ In general the TPM should still be able to measure the data, but
+ be the header should be sanitized to prevent any unexpected behavior.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizeEfiPartitionTableHeader (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ EFI_BLOCK_IO_PROTOCOL BlockIo;
+ EFI_BLOCK_IO_MEDIA BlockMedia;
+
+ // Generate EFI_BLOCK_IO_MEDIA test data
+ BlockMedia.MediaId = 1;
+ BlockMedia.RemovableMedia = FALSE;
+ BlockMedia.MediaPresent = TRUE;
+ BlockMedia.LogicalPartition = FALSE;
+ BlockMedia.ReadOnly = FALSE;
+ BlockMedia.WriteCaching = FALSE;
+ BlockMedia.BlockSize = 512;
+ BlockMedia.IoAlign = 1;
+ BlockMedia.LastBlock = 0;
+
+ // Generate EFI_BLOCK_IO_PROTOCOL test data
+ BlockIo.Revision = 1;
+ BlockIo.Media = &BlockMedia;
+ BlockIo.Reset = NULL;
+ BlockIo.ReadBlocks = NULL;
+ BlockIo.WriteBlocks = NULL;
+ BlockIo.FlushBlocks = NULL;
+
+ // Geneate EFI_PARTITION_TABLE_HEADER test data
+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID;
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ PrimaryHeader.MyLBA = 1;
+ PrimaryHeader.AlternateLBA = 2;
+ PrimaryHeader.FirstUsableLBA = 3;
+ PrimaryHeader.LastUsableLBA = 4;
+ PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+
+ // Calculate the CRC32 of the PrimaryHeader
+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+
+ // Test that a normal PrimaryHeader passes validation
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+ PrimaryHeader.NumberOfPartitionEntries = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header Size!"
+ PrimaryHeader.Header.HeaderSize = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+
+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+ PrimaryHeader.SizeOfPartitionEntry = 1;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderAllocationSize function.
+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
+ structure will not cause an overflow when calculating the allocation size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderAllocationSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 AllocationSize;
+
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that the allocation size is correct compared to the existing logic
+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Test that an overflow is detected
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = 5;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the inverse
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the worst case scenario
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderGptEventSize function.
+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
+ will not cause an overflow when calculating the event size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderGptEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINT32 ExistingLogicEventSize;
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+ EFI_GPT_DATA *GptData;
+ EFI_TCG2_EVENT *Tcg2Event;
+
+ Tcg2Event = NULL;
+ GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // set the number of partitions
+ NumberOfPartition = 13;
+
+ // that the primary event size is correct
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Calculate the existing logic event size
+ ExistingLogicEventSize = (UINT32)(OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions)
+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Check that the event size is correct
+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+
+ // Tests that the primary event size may not overflow
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test that the size of partition entries may not overflow
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+// *--------------------------------------------------------------------*
+// * Unit Test Code Main Function
+// *--------------------------------------------------------------------*
+
+/**
+ This function acts as the entry point for the unit tests.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+ @retval others The test failed.
+**/
+EFI_STATUS
+EFIAPI
+UefiTestMain (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UNIT_TEST_FRAMEWORK_HANDLE Framework;
+ UNIT_TEST_SUITE_HANDLE Tcg2MeasureBootLibValidationTestSuite;
+
+ Framework = NULL;
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
+
+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
+ goto EXIT;
+ }
+
+ Status = CreateUnitTestSuite (&Tcg2MeasureBootLibValidationTestSuite, Framework, "Tcg2MeasureBootLibValidationTestSuite", "Common.Tcg2MeasureBootLibValidation", NULL, NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for Tcg2MeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
+ Status = EFI_OUT_OF_RESOURCES;
+ goto EXIT;
+ }
+
+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+EXIT:
+ if (Framework != NULL) {
+ FreeUnitTestFramework (Framework);
+ }
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
+ return Status;
+}
+
+///
+/// Avoid ECC error for function name that starts with lower case letter
+///
+#define DxeTpm2MeasureBootLibUnitTestMain main
+
+/**
+ Standard POSIX C entry point for host based unit test execution.
+
+ @param[in] Argc Number of arguments
+ @param[in] Argv Array of pointers to arguments
+
+ @retval 0 Success
+ @retval other Error
+**/
+INT32
+DxeTpm2MeasureBootLibUnitTestMain (
+ IN INT32 Argc,
+ IN CHAR8 *Argv[]
+ )
+{
+ return (INT32)UefiTestMain ();
+}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
new file mode 100644
index 00000000..4ea55787
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
@@ -0,0 +1,28 @@
+## @file
+# This file builds the unit tests for DxeTpm2MeasureBootLib
+#
+# Copyright (C) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010006
+ BASE_NAME = DxeTpm2MeasuredBootLibTest
+ FILE_GUID = 144d757f-d423-484e-9309-a23695fad5bd
+ MODULE_TYPE = HOST_APPLICATION
+ VERSION_STRING = 1.0
+ ENTRY_POINT = main
+
+[Sources]
+ DxeTpm2MeasureBootLibSanitizationTest.c
+ ../DxeTpm2MeasureBootLibSanitization.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ UnitTestLib
+ PrintLib
+ SafeIntLib
--
2.33.0

872
0047-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch Normal file
View File

@ -0,0 +1,872 @@
From bde26e1b8957121e956e80b08ac59bfcfb52ffa9 Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:02 +0800
Subject: [PATCH 02/10] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117
- CVE 2022-36763
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36763.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
ref: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpmMeasureBootLib.c | 40 ++-
.../DxeTpmMeasureBootLib.inf | 4 +-
.../DxeTpmMeasureBootLibSanitization.c | 241 ++++++++++++++
.../DxeTpmMeasureBootLibSanitization.h | 114 +++++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 301 ++++++++++++++++++
...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++
6 files changed, 714 insertions(+), 14 deletions(-)
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index d990eb2a..8314d019 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -18,6 +18,8 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/SecurityManagementLib.h>
#include <Library/HobLib.h>
+#include "DxeTpmMeasureBootLibSanitization.h"
+
//
// Flag to check GPT partition. It only need be measured once.
//
@@ -136,6 +140,9 @@ TcgMeasureGptTable (
UINT32 EventSize;
UINT32 EventNumber;
EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ UINT32 AllocSize;
+
+ GptData = NULL;
if (mMeasureGptCount > 0) {
return EFI_SUCCESS;
@@ -163,15 +170,21 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Failed to Read Partition Table Header!\n"));
+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}
//
// Read the partition entry.
//
- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ if (EFI_ERROR (Status)) {
+ FreePool (PrimaryHeader);
+ return EFI_DEVICE_ERROR;
+ }
+
+ EntryPtr = (UINT8 *)AllocatePool (AllocSize);
if (EntryPtr == NULL) {
FreePool (PrimaryHeader);
return EFI_OUT_OF_RESOURCES;
@@ -180,7 +193,7 @@ TcgMeasureGptTable (
DiskIo,
BlockIo->Media->MediaId,
MultU64x32(PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
+ AllocSize,
EntryPtr
);
if (EFI_ERROR (Status)) {
@@ -204,9 +217,8 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
- TcgEvent = (TCG_PCR_EVENT *) AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -215,7 +227,7 @@ TcgMeasureGptTable (
TcgEvent->PCRIndex = 5;
TcgEvent->EventType = EV_EFI_GPT_EVENT;
- TcgEvent->EventSize = EventSize;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
GptData = (EFI_GPT_DATA *) TcgEvent->Event;
//
@@ -354,11 +366,13 @@ TcgMeasurePeImage (
TcgEvent->PCRIndex = 2;
break;
default:
- DEBUG ((
- EFI_D_ERROR,
- "TcgMeasurePeImage: Unknown subsystem type %d",
- ImageType
- ));
+ DEBUG (
+ (
+ DEBUG_ERROR,
+ "TcgMeasurePeImage: Unknown subsystem type %d",
+ ImageType
+ )
+ );
goto Finish;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
index ebab6f7c..21bfd570 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
@@ -32,6 +32,8 @@
[Sources]
DxeTpmMeasureBootLib.c
+ DxeTpmMeasureBootLibSanitization.c
+ DxeTpmMeasureBootLibSanitization.h
[Packages]
MdePkg/MdePkg.dec
@@ -41,6 +43,7 @@
[LibraryClasses]
BaseMemoryLib
+ SafeIntLib
DebugLib
MemoryAllocationLib
DevicePathLib
@@ -59,4 +62,3 @@
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
-
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
new file mode 100644
index 00000000..e009ce46
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -0,0 +1,241 @@
+/** @file
+ The library instance provides security service of TPM2 measure boot and
+ Confidential Computing (CC) measure boot.
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image and GPT partition.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ This file will pull out the validation logic from the following functions, in an
+ attempt to validate the untrusted input in the form of unit tests
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Library/SafeIntLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+
+#include "DxeTpmMeasureBootLibSanitization.h"
+
+#define GPT_HEADER_REVISION_V1 0x00010000
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ )
+{
+ // Verify that the input parameters are safe to use
+ if (PrimaryHeader == NULL) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // check that the PartitionEntryLBA greater than the Max LBA
+ // This will be used later for multiplication
+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // Check that the number of partition entries is greater than zero
+ if (PrimaryHeader->NumberOfPartitionEntries == 0) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // This check is to prevent overflow when calculating the allocation size for the partition entries
+ // This check will be used later for multiplication
+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ )
+{
+ EFI_STATUS Status;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (AllocationSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+ UINT32 SafeNumberOfPartitions;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (EventSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ Status = SafeUint32Add (
+ sizeof (TCG_PCR_EVENT_HDR) +
+ OFFSET_OF (EFI_GPT_DATA, Partitions),
+ *EventSize,
+ EventSize
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
new file mode 100644
index 00000000..57e05e48
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -0,0 +1,114 @@
+/** @file
+ This file includes the function prototypes for the sanitization functions.
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/BlockIo.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ );
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ );
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
new file mode 100644
index 00000000..8cd97480
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -0,0 +1,301 @@
+/** @file
+This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UnitTestLib.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+#include "../DxeTpmMeasureBootLibSanitization.h"
+
+#define UNIT_TEST_NAME "DxeTpmMeasureBootLibSanitizationTest"
+#define UNIT_TEST_VERSION "1.0"
+
+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000
+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1
+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128
+
+/**
+ This function tests the SanitizeEfiPartitionTableHeader function.
+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
+ structure will not cause undefined or unexpected behavior.
+
+ In general the TPM should still be able to measure the data, but
+ be the header should be sanitized to prevent any unexpected behavior.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizeEfiPartitionTableHeader (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ EFI_BLOCK_IO_PROTOCOL BlockIo;
+ EFI_BLOCK_IO_MEDIA BlockMedia;
+
+ // Generate EFI_BLOCK_IO_MEDIA test data
+ BlockMedia.MediaId = 1;
+ BlockMedia.RemovableMedia = FALSE;
+ BlockMedia.MediaPresent = TRUE;
+ BlockMedia.LogicalPartition = FALSE;
+ BlockMedia.ReadOnly = FALSE;
+ BlockMedia.WriteCaching = FALSE;
+ BlockMedia.BlockSize = 512;
+ BlockMedia.IoAlign = 1;
+ BlockMedia.LastBlock = 0;
+
+ // Generate EFI_BLOCK_IO_PROTOCOL test data
+ BlockIo.Revision = 1;
+ BlockIo.Media = &BlockMedia;
+ BlockIo.Reset = NULL;
+ BlockIo.ReadBlocks = NULL;
+ BlockIo.WriteBlocks = NULL;
+ BlockIo.FlushBlocks = NULL;
+
+ // Geneate EFI_PARTITION_TABLE_HEADER test data
+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID;
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ PrimaryHeader.MyLBA = 1;
+ PrimaryHeader.AlternateLBA = 2;
+ PrimaryHeader.FirstUsableLBA = 3;
+ PrimaryHeader.LastUsableLBA = 4;
+ PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+
+ // Calculate the CRC32 of the PrimaryHeader
+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+
+ // Test that a normal PrimaryHeader passes validation
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+ PrimaryHeader.NumberOfPartitionEntries = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header Size!"
+ PrimaryHeader.Header.HeaderSize = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+
+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+ PrimaryHeader.SizeOfPartitionEntry = 1;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderAllocationSize function.
+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
+ structure will not cause an overflow when calculating the allocation size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderAllocationSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 AllocationSize;
+
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that the allocation size is correct compared to the existing logic
+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Test that an overflow is detected
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = 5;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the inverse
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the worst case scenario
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderGptEventSize function.
+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
+ will not cause an overflow when calculating the event size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderGptEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINT32 ExistingLogicEventSize;
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+ EFI_GPT_DATA *GptData;
+
+ GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // set the number of partitions
+ NumberOfPartition = 13;
+
+ // that the primary event size is correct
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Calculate the existing logic event size
+ ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions)
+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Check that the event size is correct
+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+
+ // Tests that the primary event size may not overflow
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test that the size of partition entries may not overflow
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+// *--------------------------------------------------------------------*
+// * Unit Test Code Main Function
+// *--------------------------------------------------------------------*
+
+/**
+ This function acts as the entry point for the unit tests.
+
+ @param argc - The number of command line arguments
+ @param argv - The command line arguments
+
+ @return int - The status of the test
+**/
+EFI_STATUS
+EFIAPI
+UefiTestMain (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UNIT_TEST_FRAMEWORK_HANDLE Framework;
+ UNIT_TEST_SUITE_HANDLE TcgMeasureBootLibValidationTestSuite;
+
+ Framework = NULL;
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
+
+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
+ goto EXIT;
+ }
+
+ Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
+ Status = EFI_OUT_OF_RESOURCES;
+ goto EXIT;
+ }
+
+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+EXIT:
+ if (Framework != NULL) {
+ FreeUnitTestFramework (Framework);
+ }
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
+ return Status;
+}
+
+///
+/// Avoid ECC error for function name that starts with lower case letter
+///
+#define DxeTpmMeasureBootLibUnitTestMain main
+
+/**
+ Standard POSIX C entry point for host based unit test execution.
+
+ @param[in] Argc Number of arguments
+ @param[in] Argv Array of pointers to arguments
+
+ @retval 0 Success
+ @retval other Error
+**/
+INT32
+DxeTpmMeasureBootLibUnitTestMain (
+ IN INT32 Argc,
+ IN CHAR8 *Argv[]
+ )
+{
+ return (INT32)UefiTestMain ();
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
new file mode 100644
index 00000000..ba4c58cb
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
@@ -0,0 +1,28 @@
+## @file
+# This file builds the unit tests for DxeTpmMeasureBootLib
+#
+# Copyright (C) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010006
+ BASE_NAME = DxeTpmMeasuredBootLibTest
+ FILE_GUID = eb01bc38-309c-4d3e-967e-9f078c90772f
+ MODULE_TYPE = HOST_APPLICATION
+ VERSION_STRING = 1.0
+ ENTRY_POINT = main
+
+[Sources]
+ DxeTpmMeasureBootLibSanitizationTest.c
+ ../DxeTpmMeasureBootLibSanitization.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ UnitTestLib
+ PrintLib
+ SafeIntLib
--
2.33.0

53
0048-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch Normal file
View File

@ -0,0 +1,53 @@
From e8c20e52c9e7cc55eb3aad1229ec196d39cf119f Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:03 +0800
Subject: [PATCH 03/10] SecurityPkg: : Adding CVE 2022-36763 to
SecurityFixes.yaml
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 SecurityPkg/SecurityFixes.yaml
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
new file mode 100644
index 00000000..36ac267e
--- /dev/null
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -0,0 +1,22 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2022_36763:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
+ cve: CVE-2022-36763
+ date_reported: 2022-10-25 11:31 UTC
+ description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
+ note: This patch is related to and supersedes TCBZ2168
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
--
2.33.0

264
0049-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch Normal file
View File

@ -0,0 +1,264 @@
From 5317710f9c26c80bb10de6e0ed13b246c0e5a107 Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:04 +0800
Subject: [PATCH 04/10] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118
- CVE 2022-36764
This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpm2MeasureBootLib.c | 13 ++--
.../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
.../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
.../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
4 files changed, 132 insertions(+), 15 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 1a7233e6..0121e1ef 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -298,7 +298,6 @@ Tcg2MeasureGptTable (
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
@retval other error value
-
**/
EFI_STATUS
EFIAPI
@@ -317,20 +316,26 @@ Tcg2MeasurePeImage (
UINT32 FilePathSize;
UINT32 EventSize;
+ Tcg2Event = NULL;
+
Status = EFI_UNSUPPORTED;
ImageLoad = NULL;
FilePathSize = (UINT32) GetDevicePathSize (FilePath);
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
//
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- Tcg2Event = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
+ // from a malicious GPT disk partition
+ Tcg2Event = AllocateZeroPool (EventSize);
if (Tcg2Event == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
+ Tcg2Event->Size = EventSize;
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index ef3b77b4..bc583c97 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
}
/**
- This function will validate that the allocation size from the primary header is sane
+ This function will validate that the allocation size from the primary header is sane
It will check the following:
- AllocationSize does not overflow
@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
+ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index 74af8c8b..bfbfb589 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -9,6 +9,9 @@
Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
partition data carefully.
+ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 701d1b46..8d8c0b26 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
PrimaryHeader.MyLBA = 1;
- PrimaryHeader.AlternateLBA = 2;
- PrimaryHeader.FirstUsableLBA = 3;
- PrimaryHeader.LastUsableLBA = 4;
- PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.PartitionEntryLBA = 2;
+ PrimaryHeader.AlternateLBA = 3;
+ PrimaryHeader.FirstUsableLBA = 4;
+ PrimaryHeader.LastUsableLBA = 5;
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
- EFI_TCG2_EVENT *Tcg2Event;
-
- Tcg2Event = NULL;
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path when generating a
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ return UNIT_TEST_ERROR_TEST_FAILED;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -267,6 +308,7 @@ UefiTestMain (
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.33.0

278
0050-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch Normal file
View File

@ -0,0 +1,278 @@
From 4032c37489aecd8b0ccdfd09e0bef1587da69473 Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:05 +0800
Subject: [PATCH 05/10] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118
- CVE 2022-36764
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpmMeasureBootLib.c | 13 ++-
.../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
.../DxeTpmMeasureBootLibSanitization.h | 23 +++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
4 files changed, 168 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 8314d019..a2c5b36f 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -17,6 +17,7 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -338,18 +339,22 @@ TcgMeasurePeImage (
ImageLoad = NULL;
SectionHeader = NULL;
Sha1Ctx = NULL;
+ TcgEvent = NULL;
FilePathSize = (UINT32) GetDevicePathSize (FilePath);
- //
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ TcgEvent = AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- TcgEvent->EventSize = EventSize;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) TcgEvent->Event;
switch (ImageType) {
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index e009ce46..33a230f8 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (TCG_PCR_EVENT_HDR)
+ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 57e05e48..181aba42 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index 8cd97480..77a67826 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -1,8 +1,8 @@
/** @file
-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
-Copyright (c) Microsoft Corporation.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
-
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path for an
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+ EFI_DEVICE_PATH_PROTOCOL DevicePath;
+ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;
+ UNIT_TEST_STATUS TestStatus;
+
+ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
+
+ // Generate EFI_DEVICE_PATH_PROTOCOL test data
+ DevicePath.Type = 0;
+ DevicePath.SubType = 0;
+ DevicePath.Length[0] = 0;
+ DevicePath.Length[1] = 0;
+
+ // Generate EFI_IMAGE_LOAD_EVENT test data
+ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
+ if (ImageLoadEvent == NULL) {
+ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
+ goto Exit;
+ }
+
+ // Populate EFI_IMAGE_LOAD_EVENT54 test data
+ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
+ ImageLoadEvent->ImageLengthInMemory = 0x1000;
+ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;
+ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);
+ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
+ goto Exit;
+ }
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ goto Exit;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ if (Status != EFI_BAD_BUFFER_SIZE) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
+ goto Exit;
+ }
+
+ TestStatus = UNIT_TEST_PASSED;
+Exit:
+
+ if (ImageLoadEvent != NULL) {
+ FreePool (ImageLoadEvent);
+ }
+
+ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
+ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+ }
+
+ return TestStatus;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -265,6 +350,7 @@ UefiTestMain (
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.33.0

46
0051-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch Normal file
View File

@ -0,0 +1,46 @@
From 78b9e1e994fe429f8669c89695193acdb31e3a58 Mon Sep 17 00:00:00 2001
From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
Date: Fri, 12 Jan 2024 02:16:06 +0800
Subject: [PATCH 06/10] SecurityPkg: : Adding CVE 2022-36764 to
SecurityFixes.yaml
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5264
Signed-off-by: yexiao <yexiao7@huawei.com>
---
SecurityPkg/SecurityFixes.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
index 36ac267e..ceaaa256 100644
--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -20,3 +20,17 @@ CVE_2022_36763:
- https://bugzilla.tianocore.org/show_bug.cgi?id=4117
- https://bugzilla.tianocore.org/show_bug.cgi?id=2168
- https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+CVE_2022_36764:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
+ cve: CVE-2022-36764
+ date_reported: 2022-10-25 12:23 UTC
+ description: Heap Buffer Overflow in Tcg2MeasurePeImage()
+ note:
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
--
2.33.0

257
0052-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch Normal file
View File

@ -0,0 +1,257 @@
From 72118d86cc064ce259b4ac3fb81666b4cf84d457 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Wed, 17 Jan 2024 14:47:20 -0800
Subject: [PATCH 07/10] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5273
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpm2MeasureBootLib.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.h | 8 +++---
.../DxeTpm2MeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 0121e1ef..eb1da757 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -168,7 +168,7 @@ Tcg2MeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -176,7 +176,7 @@ Tcg2MeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_BAD_BUFFER_SIZE;
@@ -215,7 +215,7 @@ Tcg2MeasureGptTable (
//
// Prepare Data for Measurement
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -321,7 +321,7 @@ Tcg2MeasurePeImage (
Status = EFI_UNSUPPORTED;
ImageLoad = NULL;
FilePathSize = (UINT32) GetDevicePathSize (FilePath);
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index bc583c97..d911efe6 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index bfbfb589..504958f4 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -54,7 +54,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 8d8c0b26..0e33fec5 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
// Test that the event size is correct compared to the existing logic
@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
--
2.33.0

264
0053-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch Normal file
View File

@ -0,0 +1,264 @@
From 693484899bab5e0fe730604fa71ad1f8cdffecb1 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Wed, 17 Jan 2024 14:47:21 -0800
Subject: [PATCH 08/10] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
reference: https://github.com/tianocore/edk2/pull/5273
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../DxeTpmMeasureBootLib.c | 8 +++---
.../DxeTpmMeasureBootLibSanitization.c | 10 +++----
.../DxeTpmMeasureBootLibSanitization.h | 8 +++---
.../DxeTpmMeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index a2c5b36f..991fc04e 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -171,7 +171,7 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -179,7 +179,7 @@ TcgMeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -218,7 +218,7 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
@@ -344,7 +344,7 @@ TcgMeasurePeImage (
// Determine destination PCR by BootPolicy
//
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index 33a230f8..c72a3491 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -1,5 +1,5 @@
/** @file
- The library instance provides security service of TPM2 measure boot and
+ The library instance provides security service of TPM measure boot and
Confidential Computing (CC) measure boot.
Caution: This file requires additional review when modified.
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 181aba42..bbde1010 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -53,7 +53,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index 77a67826..e00dfaba 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
goto Exit;
@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize);
if (Status != EFI_BAD_BUFFER_SIZE) {
UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
goto Exit;
--
2.33.0

154
0054-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch Normal file
View File

@ -0,0 +1,154 @@
From dc1c1ab453b5b6011e317f08ecabb74d409dfe31 Mon Sep 17 00:00:00 2001
From: Gua Guo <gua.guo@intel.com>
Date: Thu, 11 Jan 2024 13:07:50 +0800
Subject: [PATCH 09/10] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
reference: https://github.com/tianocore/edk2/pull/5273
Signed-off-by: yexiao <yexiao7@huawei.com>
---
EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
index b5cc6c5d..2daf6f56 100644
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
@@ -112,6 +112,13 @@ CreateHob (
HandOffHob = GetHobList ();
+ //
+ // Check Length to avoid data overflow.
+ //
+ if (HobLength > MAX_UINT16 - 0x7) {
+ return NULL;
+ }
+
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
@@ -162,6 +169,9 @@ BuildResourceDescriptorHob (
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
ASSERT(Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->ResourceType = ResourceType;
Hob->ResourceAttribute = ResourceAttribute;
@@ -403,6 +413,10 @@ BuildModuleHob (
((ModuleLength & (EFI_PAGE_SIZE - 1)) == 0));
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
@@ -451,6 +465,11 @@ BuildGuidHob (
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16) (sizeof (EFI_HOB_GUID_TYPE) + DataLength));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return NULL;
+ }
+
CopyGuid (&Hob->Name, Guid);
return Hob + 1;
}
@@ -516,6 +535,10 @@ BuildFvHob (
EFI_HOB_FIRMWARE_VOLUME *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -548,6 +571,10 @@ BuildFv2Hob (
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -589,6 +616,10 @@ BuildFv3Hob (
EFI_HOB_FIRMWARE_VOLUME3 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -645,6 +676,10 @@ BuildCpuHob (
EFI_HOB_CPU *Hob;
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
Hob->SizeOfIoSpace = SizeOfIoSpace;
@@ -681,6 +716,10 @@ BuildStackHob (
((Length & (EFI_PAGE_SIZE - 1)) == 0));
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
@@ -761,6 +800,10 @@ BuildMemoryAllocationHob (
((Length & (EFI_PAGE_SIZE - 1)) == 0));
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
--
2.33.0

132
0055-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch Normal file
View File

@ -0,0 +1,132 @@
From 94835b890180c90d8d9f76afc6aab5e7f108304e Mon Sep 17 00:00:00 2001
From: Gua Guo <gua.guo@intel.com>
Date: Thu, 11 Jan 2024 13:03:26 +0800
Subject: [PATCH 10/10] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
reference: https://github.com/tianocore/edk2/pull/5273
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.c
index e3d4743b..08963df8 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.c
@@ -216,6 +216,13 @@ CreateHob (
HandOffHob = GetHobList ();
+ //
+ // Check Length to avoid data overflow.
+ //
+ if (HobLength > MAX_UINT16 - 0x7) {
+ return NULL;
+ }
+
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
@@ -269,6 +276,10 @@ BuildModuleHob (
((ModuleLength & (EFI_PAGE_SIZE - 1)) == 0));
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
@@ -309,6 +320,9 @@ BuildResourceDescriptorHob (
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->ResourceType = ResourceType;
Hob->ResourceAttribute = ResourceAttribute;
@@ -347,6 +361,11 @@ BuildGuidHob (
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16) (sizeof (EFI_HOB_GUID_TYPE) + DataLength));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return NULL;
+ }
+
CopyGuid (&Hob->Name, Guid);
return Hob + 1;
}
@@ -407,6 +426,10 @@ BuildFvHob (
EFI_HOB_FIRMWARE_VOLUME *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -437,6 +460,10 @@ BuildFv2Hob (
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -465,6 +492,10 @@ BuildCpuHob (
EFI_HOB_CPU *Hob;
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
Hob->SizeOfIoSpace = SizeOfIoSpace;
@@ -500,6 +531,10 @@ BuildMemoryAllocationHob (
((Length & (EFI_PAGE_SIZE - 1)) == 0));
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
+ ASSERT (Hob != NULL);
+ if (Hob == NULL) {
+ return;
+ }
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
--
2.33.0

1591
0056-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH.patch Normal file
View File

File diff suppressed because it is too large Load Diff

150
0057-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch Normal file
View File

@ -0,0 +1,150 @@
From 80eb751a77931e65afd37bf371d9b15345abd434 Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:15:18 +0800
Subject: [PATCH 02/13] NetworkPkg: : Add Unit tests to CI and create Host Test
DSC
Adds Host Based testing to the NetworkPkg
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/NetworkPkg.ci.yaml | 7 +-
NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++++++++++++++++++++++++++
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc
diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml
index 1a3ab717..322ae2b0 100644
--- a/NetworkPkg/NetworkPkg.ci.yaml
+++ b/NetworkPkg/NetworkPkg.ci.yaml
@@ -23,6 +23,9 @@
"CompilerPlugin": {
"DscPath": "NetworkPkg.dsc"
},
+ "HostUnitTestCompilerPlugin": {
+ "DscPath": "Test/NetworkPkgHostTest.dsc"
+ },
"CharEncodingCheck": {
"IgnoreFiles": []
},
@@ -34,7 +37,9 @@
"CryptoPkg/CryptoPkg.dec"
],
# For host based unit tests
- "AcceptableDependencies-HOST_APPLICATION":[],
+ "AcceptableDependencies-HOST_APPLICATION":[
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ ],
# For UEFI shell based apps
"AcceptableDependencies-UEFI_APPLICATION":[
"ShellPkg/ShellPkg.dec"
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
new file mode 100644
index 00000000..b74b2048
--- /dev/null
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -0,0 +1,98 @@
+## @file
+# NetworkPkgHostTest DSC file used to build host-based unit tests.
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+ PLATFORM_NAME = NetworkPkgHostTest
+ PLATFORM_GUID = 3b68324e-fc07-4d49-9520-9347ede65879
+ PLATFORM_VERSION = 0.1
+ DSC_SPECIFICATION = 0x00010005
+ OUTPUT_DIRECTORY = Build/NetworkPkg/HostTest
+ SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
+ BUILD_TARGETS = NOOPT
+ SKUID_IDENTIFIER = DEFAULT
+
+!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
+[Packages]
+ MdePkg/MdePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+
+[Components]
+ #
+ # Build HOST_APPLICATION that tests NetworkPkg
+ #
+
+# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
+[LibraryClasses]
+ NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+ HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
+ UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
+ UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
+ UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+ PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+!ifdef CONTINUOUS_INTEGRATION
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
+!else
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
+ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+ FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+ SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+
+!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
+[LibraryClasses.X64]
+ # Provide StackCookie support lib so that we can link to /GS exports for VS builds
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+!endif
+
+[LibraryClasses.common.UEFI_DRIVER]
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
+ ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+ DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
+[LibraryClasses.common.UEFI_APPLICATION]
+ DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
+ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
+ #
+ # It is not possible to prevent ARM compiler calls to generic intrinsic functions.
+ # This library provides the instrinsic functions generated by a given compiler.
+ # [LibraryClasses.ARM] and NULL mean link this library into all ARM images.
+ #
+!if $(TOOL_CHAIN_TAG) != VS2017 and $(TOOL_CHAIN_TAG) != VS2015 and $(TOOL_CHAIN_TAG) != VS2019
+ NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
+!endif
+ NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
+[LibraryClasses.ARM]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+[LibraryClasses.RISCV64]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+
+[PcdsFixedAtBuild]
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4
--
2.33.0

608
0058-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch Normal file
View File

@ -0,0 +1,608 @@
From 820c22ca2efd5ed14ebe410a04ff6a920c6a377b Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:16:43 +0800
Subject: [PATCH 03/13] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230
Unit Tests
Confirms that reported issue...
"Buffer overflow in the DHCPv6 client via a long Server ID option"
..has been corrected by the provided patch.
Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:
Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
Signed-off-by: yexiao yexiao7@huawei.com
---
.../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 +
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
4 files changed, 542 insertions(+)
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
new file mode 100644
index 00000000..311b3992
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
@@ -0,0 +1,20 @@
+/** @file
+ Acts as the main entry point for the tests for the Dhcp6Dxe module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
new file mode 100644
index 00000000..253c61e8
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
@@ -0,0 +1,43 @@
+## @file
+# Unit test suite for the Dhcp6Dxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = Dhcp6DxeGoogleTest
+ FILE_GUID = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9
+ VERSION_STRING = 1.0
+ MODULE_TYPE = HOST_APPLICATION
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ Dhcp6DxeGoogleTest.cpp
+ Dhcp6IoGoogleTest.cpp
+ ../Dhcp6Io.c
+ ../Dhcp6Utility.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
new file mode 100644
index 00000000..a2b8a9f8
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -0,0 +1,478 @@
+/** @file
+ Tests for Dhcp6Io.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include "../Dhcp6Impl.h"
+ #include "../Dhcp6Utility.h"
+}
+
+////////////////////////////////////////////////////////////////////////
+// Defines
+////////////////////////////////////////////////////////////////////////
+
+#define DHCP6_PACKET_MAX_LEN 1500
+
+////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////
+// Symbol Definitions
+// These functions are not directly under test - but required to compile
+////////////////////////////////////////////////////////////////////////
+
+// This definition is used by this test but is also required to compile
+// by Dhcp6Io.c
+EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress = {
+ { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 }
+};
+
+EFI_STATUS
+EFIAPI
+UdpIoSendDatagram (
+ IN UDP_IO *UdpIo,
+ IN NET_BUF *Packet,
+ IN UDP_END_POINT *EndPoint OPTIONAL,
+ IN EFI_IP_ADDRESS *Gateway OPTIONAL,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+EFIAPI
+UdpIoRecvDatagram (
+ IN UDP_IO *UdpIo,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context,
+ IN UINT32 HeadLen
+ )
+{
+ return EFI_SUCCESS;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendOptionTest Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (0xFFFF);
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+ UINTN OriginalLength;
+
+ UINT8 Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (sizeof (Duid));
+ CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid));
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendETOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendETOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+
+ Packet->Length = Packet->Size - 2;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+ ExpectedSize = 6;
+ OriginalLength = Packet->Length;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendIaOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendIaOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+ EFI_DHCP6_IA *Ia;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+
+ Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2);
+ ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL);
+
+ CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+ CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+
+ Ia->IaAddressCount = 2;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+
+ if (Ia != NULL) {
+ FreePool (Ia);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x11111111,
+ Dhcp6OptIana
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ // Use up nearly all the space in the packet
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T1
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T2
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x12345678,
+ Dhcp6OptIana
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index b74b2048..7df011c9 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -24,6 +24,7 @@
#
# Build HOST_APPLICATION that tests NetworkPkg
#
+ NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
--
2.33.0

594
0059-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch Normal file
View File

@ -0,0 +1,594 @@
From c26e6df4c87cceef2ec0675d8f319f0bb937e55f Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:17:52 +0800
Subject: [PATCH 04/13] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Patch
Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Change Overview:
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.
>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
Lots of code cleanup to improve code readability.
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 200 +++++++++++++++++++++-----------
2 files changed, 253 insertions(+), 85 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
index b3c9784e..dd7afd4a 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
@@ -47,6 +47,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
#define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
+#define DHCP6_PACKET_ALL 0
+#define DHCP6_PACKET_STATEFUL 1
+#define DHCP6_PACKET_STATELESS 2
+
+#define DHCP6_BASE_PACKET_SIZE 1024
+
+#define DHCP6_PORT_CLIENT 546
+#define DHCP6_PORT_SERVER 547
+
+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+
+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+
//
// For more information on DHCP options see RFC 8415, Section 21.1
//
@@ -61,12 +75,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
// | (option-len octets) |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
-#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
-#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
-//
// Combined size of Code and Length
-//
#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
DHCP6_SIZE_OF_OPT_LEN)
@@ -75,34 +87,122 @@ STATIC_ASSERT (
"Combined size of Code and Length must be 4 per RFC 8415"
);
-//
// Offset to the length is just past the code
-//
-#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE)
STATIC_ASSERT (
- DHCP6_OPT_LEN_OFFSET (0) == 2,
+ DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
"Offset of length is + 2 past start of option"
);
-#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
STATIC_ASSERT (
- DHCP6_OPT_DATA_OFFSET (0) == 4,
+ DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
"Offset to option data should be +4 from start of option"
);
+//
+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
+// are defined in RFC 8415 and are a deriviation of a TLV stucture
+// For more information on IA_NA see Section 21.4
+// For more information on IA_TA see Section 21.5
+//
+//
+// The format of IA_NA and IA_TA option:
+//
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_IA_NA | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | IAID (4 octets) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T1 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T2 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | |
+// . IA_NA-options/IA_TA-options .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))
+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32))
-#define DHCP6_PACKET_ALL 0
-#define DHCP6_PACKET_STATEFUL 1
-#define DHCP6_PACKET_STATELESS 2
+// Combined size of IAID, T1, and T2
+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415"
+ );
-#define DHCP6_BASE_PACKET_SIZE 1024
+// This is the size of IA_TA without options
+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_TA == 8,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
-#define DHCP6_PORT_CLIENT 546
-#define DHCP6_PORT_SERVER 547
+// Offset to a IA_TA inner option
+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
+ "Offset of IA_TA Inner option is + 8 past start of option"
+ );
+
+// This is the size of IA_NA without options (16)
+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_NA == 16,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
+ "Offset of IA_NA Inner option is + 16 past start of option"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
+ "Offset of IA_NA Inner option is + 8 past start of option"
+ );
-#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
+ DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
+ "Offset of IA_NA Inner option is + 12 past start of option"
+ );
-#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
-#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+//
+// For more information see RFC 8415 Section 21.13
+//
+// The format of the Status Code Option:
+//
+// 0 1 2 3
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_STATUS_CODE | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | status-code | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+// . .
+// . status-message .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
+ "Offset of status is + 4 past start of option"
+ );
extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress;
extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 71201ea7..db1ee4af 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -611,8 +611,8 @@ Dhcp6UpdateIaInfo (
// The inner options still start with 2 bytes option-code and 2 bytes option-len.
//
if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- T1 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 8)));
- T2 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 12)));
+ T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
+ T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
//
// Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
// and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
@@ -621,13 +621,14 @@ Dhcp6UpdateIaInfo (
if (T1 > T2 && T2 > 0) {
return EFI_DEVICE_ERROR;
}
- IaInnerOpt = Option + 16;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 12);
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
} else {
T1 = 0;
T2 = 0;
- IaInnerOpt = Option + 8;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 4);
+
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
}
//
@@ -653,7 +654,7 @@ Dhcp6UpdateIaInfo (
Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -673,7 +674,86 @@ Dhcp6UpdateIaInfo (
return Status;
}
-
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,
+ the pointers are not modified
+**/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ IN UINT16 IaType,
+ IN UINT8 *Option,
+ IN UINT32 OptionLen,
+ OUT UINT8 **IaInnerOpt,
+ OUT UINT16 *IaInnerLen
+ )
+{
+ UINT16 IaInnerLenTmp;
+ UINT8 *IaInnerOptTmp;
+
+ if (Option == NULL) {
+ ASSERT (Option != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerOpt == NULL) {
+ ASSERT (IaInnerOpt != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerLen == NULL) {
+ ASSERT (IaInnerLen != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaType == Dhcp6OptIana) {
+ // Verify we have a fully formed IA_NA
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
+ } else if (IaType == Dhcp6OptIata) {
+ // Verify the OptionLen is valid.
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_IAID;
+ } else {
+ return EFI_DEVICE_ERROR;
+ }
+
+ *IaInnerOpt = IaInnerOptTmp;
+ *IaInnerLen = IaInnerLenTmp;
+
+ return EFI_SUCCESS;
+}
/**
Seek StatusCode Option in package. A Status Code option may appear in the
@@ -698,6 +778,12 @@ Dhcp6SeekStsOption (
UINT8 *IaInnerOpt;
UINT16 IaInnerLen;
UINT16 StsCode;
+ UINT32 OptionLen;
+
+ // OptionLen is the length of the Options excluding the DHCP header.
+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
+ // byte of the Option[] field.
+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
//
// Seek StatusCode option directly in DHCP message body. That is, search in
@@ -705,12 +791,12 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ OptionLen,
Dhcp6OptStatusCode
);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -721,7 +807,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekIaOption (
Packet->Dhcp6.Option,
- Packet->Length - sizeof (EFI_DHCP6_HEADER),
+ OptionLen,
&Instance->Config->IaDescriptor
);
if (*Option == NULL) {
@@ -729,52 +815,34 @@ Dhcp6SeekStsOption (
}
//
- // The format of the IA_NA option is:
+ // Calculate the distance from Packet->Dhcp6.Option to the IA option.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_NA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T1 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T2 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_NA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- // The format of the IA_TA option is:
+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
+ // the size of the whole packet, including the DHCP header, and Packet->Length
+ // is the length of the DHCP message body, excluding the DHCP header.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_TA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_TA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
+ // DHCP6 option area to the start of the IA option.
//
-
+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
+ // IA option to the end of the DHCP6 option area, thus subtract the space
+ // up until this option
//
- // sizeof (option-code + option-len + IaId) = 8
- // sizeof (option-code + option-len + IaId + T1) = 12
- // sizeof (option-code + option-len + IaId + T1 + T2) = 16
+ OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
//
- // The inner options still start with 2 bytes option-code and 2 bytes option-len.
+ // Seek the inner option
//
- if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- IaInnerOpt = *Option + 16;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 12);
- } else {
- IaInnerOpt = *Option + 8;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 4);
+ if (EFI_ERROR (
+ Dhcp6SeekInnerOptionSafe (
+ Instance->Config->IaDescriptor.Type,
+ *Option,
+ OptionLen,
+ &IaInnerOpt,
+ &IaInnerLen
+ )
+ ))
+ {
+ return EFI_DEVICE_ERROR;
}
//
@@ -798,7 +866,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option)))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -1124,7 +1192,7 @@ Dhcp6SendRequestMsg (
//
Option = Dhcp6SeekOption (
Instance->AdSelect->Dhcp6.Option,
- Instance->AdSelect->Length - 4,
+ Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1310,7 +1378,7 @@ Dhcp6SendDeclineMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1472,7 +1540,7 @@ Dhcp6SendReleaseMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1700,7 +1768,7 @@ Dhcp6SendRenewRebindMsg (
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -2245,7 +2313,7 @@ Dhcp6HandleReplyMsg (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2393,7 +2461,7 @@ Dhcp6HandleReplyMsg (
//
// Any error status code option is found.
//
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option)))));
switch (StsCode) {
case Dhcp6StsUnspecFail:
//
@@ -2524,7 +2592,7 @@ Dhcp6SelectAdvertiseMsg (
//
Option = Dhcp6SeekOption(
AdSelect->Dhcp6.Option,
- AdSelect->Length - 4,
+ AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerUnicast
);
@@ -2536,7 +2604,7 @@ Dhcp6SelectAdvertiseMsg (
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (Instance->Unicast, Option + 4, sizeof(EFI_IPv6_ADDRESS));
+ CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS));
}
//
@@ -2590,7 +2658,7 @@ Dhcp6HandleAdvertiseMsg (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2686,7 +2754,7 @@ Dhcp6HandleAdvertiseMsg (
CopyMem (Instance->AdSelect, Packet, Packet->Size);
if (Option != NULL) {
- Instance->AdPref = *(Option + 4);
+ Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option));
}
} else {
//
@@ -2757,11 +2825,11 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptClientId
);
- if (Option == NULL || CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0) {
+ if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) {
goto ON_CONTINUE;
}
@@ -2770,7 +2838,7 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptServerId
);
@@ -2875,7 +2943,7 @@ Dhcp6HandleStateless (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
--
2.33.0

530
0060-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch Normal file
View File

@ -0,0 +1,530 @@
From 5dcddb05474ca2cbf4f22141da39aedac62314fc Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:19:24 +0800
Subject: [PATCH 05/13] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Unit Tests
These tests confirm that the report bug...
"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"
..has been patched.
The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:
Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption
TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 +-
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 1 +
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++-
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 +++
4 files changed, 423 insertions(+), 3 deletions(-)
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index db1ee4af..9a31c118 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -828,7 +828,7 @@ Dhcp6SeekStsOption (
// IA option to the end of the DHCP6 option area, thus subtract the space
// up until this option
//
- OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
+ OptionLen = OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option);
//
// Seek the inner option
//
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
index 253c61e8..94ebdf63 100644
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
@@ -18,6 +18,7 @@
[Sources]
Dhcp6DxeGoogleTest.cpp
Dhcp6IoGoogleTest.cpp
+ Dhcp6IoGoogleTest.h
../Dhcp6Io.c
../Dhcp6Utility.c
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
index a2b8a9f8..3bb70371 100644
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -13,6 +13,7 @@ extern "C" {
#include <Library/BaseMemoryLib.h>
#include "../Dhcp6Impl.h"
#include "../Dhcp6Utility.h"
+ #include "Dhcp6IoGoogleTest.h"
}
////////////////////////////////////////////////////////////////////////
@@ -21,7 +22,35 @@ extern "C" {
#define DHCP6_PACKET_MAX_LEN 1500
+// This definition is used by this test but is also required to compile
+// by Dhcp6Io.c
+#define DHCPV6_OPTION_IA_NA 3
+#define DHCPV6_OPTION_IA_TA 4
+
+#define SEARCH_PATTERN 0xDEADC0DE
+#define SEARCH_PATTERN_LEN sizeof(SEARCH_PATTERN)
+
////////////////////////////////////////////////////////////////////////
+// Test structures for IA_NA and IA_TA options
+////////////////////////////////////////////////////////////////////////
+typedef struct {
+ UINT16 Code;
+ UINT16 Len;
+ UINT32 IAID;
+} DHCPv6_OPTION;
+
+typedef struct {
+ DHCPv6_OPTION Header;
+ UINT32 T1;
+ UINT32 T2;
+ UINT8 InnerOptions[0];
+} DHCPv6_OPTION_IA_NA;
+
+typedef struct {
+ DHCPv6_OPTION Header;
+ UINT8 InnerOptions[0];
+} DHCPv6_OPTION_IA_TA;
+
////////////////////////////////////////////////////////////////////////
// Symbol Definitions
// These functions are not directly under test - but required to compile
@@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
Status = Dhcp6AppendETOption (
Dhcp6AppendETOptionTest::Packet,
&Cursor,
- &Instance, // Instance is not used in this function
+ &Instance, // Instance is not used in this function
&ElapsedTime
);
@@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
Status = Dhcp6AppendETOption (
Dhcp6AppendETOptionTest::Packet,
&Cursor,
- &Instance, // Instance is not used in this function
+ &Instance, // Instance is not used in this function
&ElapsedTime
);
@@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
// verify that the status is EFI_SUCCESS
ASSERT_EQ (Status, EFI_SUCCESS);
}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6SeekInnerOptionSafe Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IANA option is found.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) {
+ EFI_STATUS Result;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIana;
+ OptionPtr->Header.Len = HTONS (4 + 12); // Valid length has to be more than 12
+ OptionPtr->Header.IAID = 0x12345678;
+ OptionPtr->T1 = 0x11111111;
+ OptionPtr->T2 = 0x22222222;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Result = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Result, EFI_SUCCESS);
+ ASSERT_EQ (InnerOptionLength, 4);
+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERROR when the IANA option size is invalid.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIana;
+ OptionPtr->Header.Len = HTONS (4); // Set the length to lower than expected (12)
+ OptionPtr->Header.IAID = 0x12345678;
+ OptionPtr->T1 = 0x11111111;
+ OptionPtr->T2 = 0x22222222;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ // Set the InnerOptionLength to be less than the size of the option
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+
+ // Now set the OptionLength to be less than the size of the option
+ OptionLength = sizeof (DHCPv6_OPTION_IA_NA) - 1;
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option is found
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIata;
+ OptionPtr->Header.Len = HTONS (4 + 4); // Valid length has to be more than 4
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+ ASSERT_EQ (InnerOptionLength, 4);
+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIata;
+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4)
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+
+ // Now lets try modifying the OptionLength to be less than the size of the option
+ OptionLength = sizeof (DHCPv6_OPTION_IA_TA) - 1;
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that any other Option Type fails
+TEST_F (Dhcp6SeekInnerOptionSafeTest, InvalidOption) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Result;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = 0xC0DE;
+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4)
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Result = Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &InnerOptionPtr, &InnerOptionLength);
+ ASSERT_EQ (Result, EFI_DEVICE_ERROR);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6SeekStsOption Tests
+////////////////////////////////////////////////////////////////////////
+
+#define PACKET_SIZE (1500)
+
+class Dhcp6SeekStsOptionTest : public ::testing::Test {
+public:
+ DHCP6_INSTANCE Instance = { 0 };
+ EFI_DHCP6_PACKET *Packet = NULL;
+ EFI_DHCP6_CONFIG_DATA Config = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Allocate a packet
+ Packet = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+ ASSERT_NE (Packet, nullptr);
+
+ // Initialize the packet
+ Packet->Size = PACKET_SIZE;
+
+ Instance.Config = &Config;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ FreePool (Packet);
+ }
+};
+
+// Test Description:
+// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR when the option is invalid
+// This verifies that the calling function is working as expected
+TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) {
+ EFI_STATUS Status;
+ UINT8 *Option = NULL;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT16 *Len = NULL;
+ EFI_DHCP6_IA Ia = { 0 };
+
+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_TA;
+ Ia.IaAddressCount = 1;
+ Ia.IaAddress[0].PreferredLifetime = 0xDEADBEEF;
+ Ia.IaAddress[0].ValidLifetime = 0xDEADAAAA;
+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+
+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
+
+ // Let's append the option to the packet
+ Status = Dhcp6AppendOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ Dhcp6OptStatusCode,
+ SearchPatternLength,
+ (UINT8 *)&SearchPattern
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // Inner option length - this will be overwritten later
+ Len = (UINT16 *)(Option + 2);
+
+ // Fill in the inner IA option
+ Status = Dhcp6AppendIaOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ &Ia,
+ 0x12345678,
+ 0x11111111,
+ 0x22222222
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // overwrite the len of inner Ia option
+ *Len = HTONS (3);
+
+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_TA;
+
+ Option = NULL;
+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
+
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
+TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) {
+ EFI_STATUS Status = EFI_NOT_FOUND;
+ UINT8 *Option = NULL;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN;
+ EFI_DHCP6_IA Ia = { 0 };
+
+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_NA;
+ Ia.IaAddressCount = 1;
+ Ia.IaAddress[0].PreferredLifetime = 0x11111111;
+ Ia.IaAddress[0].ValidLifetime = 0x22222222;
+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress;
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+
+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ Dhcp6OptStatusCode,
+ SearchPatternLength,
+ (UINT8 *)&SearchPattern
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ &Ia,
+ 0x12345678,
+ 0x11111111,
+ 0x22222222
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_NA;
+
+ Option = NULL;
+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
+
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
new file mode 100644
index 00000000..6801106a
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
@@ -0,0 +1,58 @@
+/** @file
+ Acts as header for private functions under test in Dhcp6Io.c
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef DHCP6_IO_GOOGLE_TEST_H_
+#define DHCP6_IO_GOOGLE_TEST_H_
+
+////////////////////////////////////////////////////////////////////////////////
+// These are the functions that are being unit tested
+////////////////////////////////////////////////////////////////////////////////
+
+#include <Uefi.h>
+
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid.
+*/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ UINT16 IaType,
+ UINT8 *Option,
+ UINT32 OptionLen,
+ UINT8 **IaInnerOpt,
+ UINT16 *IaInnerLen
+ );
+
+/**
+ Seek StatusCode Option in package. A Status Code option may appear in the
+ options field of a DHCP message and/or in the options field of another option.
+ See details in section 22.13, RFC3315.
+
+ @param[in] Instance The pointer to the Dhcp6 instance.
+ @param[in] Packet The pointer to reply messages.
+ @param[out] Option The pointer to status code option.
+
+ @retval EFI_SUCCESS Seek status code option successfully.
+ @retval EFI_DEVICE_ERROR An unexpected error.
+
+**/
+EFI_STATUS
+Dhcp6SeekStsOption (
+ IN DHCP6_INSTANCE *Instance,
+ IN EFI_DHCP6_PACKET *Packet,
+ OUT UINT8 **Option
+ );
+
+#endif // DHCP6_IO_GOOGLE_TEST_H
--
2.33.0

56
0061-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch Normal file
View File

@ -0,0 +1,56 @@
From 816a19fcd3a2b9a4b32de4613a9e6dc60814ee4f Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:20:27 +0800
Subject: [PATCH 06/13] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated
options
Change Overview:
Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 6b4b029d..5c48006f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -138,6 +138,14 @@ Ip6IsNDOptionValid (
return FALSE;
}
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
+
Offset = 0;
//
--
2.33.0

255
0062-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch Normal file
View File

@ -0,0 +1,255 @@
From 126878401f5f90c4fe8880bf5145106a3241f70f Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:22:35 +0800
Subject: [PATCH 07/13] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit
Tests
Validates that the patch for...
Out-of-bounds read when handling a ND Redirect message with truncated
options
.. has been fixed
Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f
Signed-off-by: yexiao yexiao7@huawei.com
---
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp | 20 +++
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 42 ++++++
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
4 files changed, 192 insertions(+)
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
new file mode 100644
index 00000000..9fd81d9c
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
@@ -0,0 +1,20 @@
+/** @file
+ Acts as the main entry point for the tests for the Ip6Dxe module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
new file mode 100644
index 00000000..60396b05
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
@@ -0,0 +1,42 @@
+## @file
+# Unit test suite for the Ip6Dxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = Ip6DxeUnitTest
+ FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
+ VERSION_STRING = 1.0
+ MODULE_TYPE = HOST_APPLICATION
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ Ip6DxeGoogleTest.cpp
+ Ip6OptionGoogleTest.cpp
+ ../Ip6Option.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
new file mode 100644
index 00000000..874400eb
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
@@ -0,0 +1,129 @@
+/** @file
+ Tests for Ip6Option.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include "../Ip6Impl.h"
+ #include "../Ip6Option.h"
+}
+
+/////////////////////////////////////////////////////////////////////////
+// Defines
+///////////////////////////////////////////////////////////////////////
+
+#define IP6_PREFIX_INFO_OPTION_DATA_LEN 32
+#define OPTION_HEADER_IP6_PREFIX_DATA_LEN (sizeof (IP6_OPTION_HEADER) + IP6_PREFIX_INFO_OPTION_DATA_LEN)
+
+////////////////////////////////////////////////////////////////////////
+// Symbol Definitions
+// These functions are not directly under test - but required to compile
+////////////////////////////////////////////////////////////////////////
+UINT32 mIp6Id;
+
+EFI_STATUS
+Ip6SendIcmpError (
+ IN IP6_SERVICE *IpSb,
+ IN NET_BUF *Packet,
+ IN EFI_IPv6_ADDRESS *SourceAddress OPTIONAL,
+ IN EFI_IPv6_ADDRESS *DestinationAddress,
+ IN UINT8 Type,
+ IN UINT8 Code,
+ IN UINT32 *Pointer OPTIONAL
+ )
+{
+ // ..
+ return EFI_SUCCESS;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Ip6OptionValidation Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Ip6OptionValidationTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description:
+// Null option should return false
+TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) {
+ UINT8 *option = nullptr;
+ UINT16 optionLen = 10; // Provide a suitable length
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Truncated option should return false
+TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) {
+ UINT8 option[] = { 0x01 }; // Provide a truncated option
+ UINT16 optionLen = 1;
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with zero length should return false
+TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 0;
+ UINT8 option[sizeof (IP6_OPTION_HEADER)];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER);
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with valid length should return true
+TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 4; // Length 4 * 8 = 32
+ UINT8 option[OPTION_HEADER_IP6_PREFIX_DATA_LEN];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+
+ EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with invalid length should return false
+TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 3; // Length 3 * 8 = 24 (Invalid)
+ UINT8 option[sizeof (IP6_OPTION_HEADER)];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER);
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 7df011c9..97370120 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -25,6 +25,7 @@
# Build HOST_APPLICATION that tests NetworkPkg
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+ NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
--
2.33.0

351
0063-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch Normal file
View File

@ -0,0 +1,351 @@
From fd09edfe7d4717ce3670ba7b289510fd7bf2f86c Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:24:07 +0800
Subject: [PATCH 08/13] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing unknown options in the Destination Options
header
PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing a PadN option in the Destination Options
header
Change Overview:
Most importantly this change corrects the following incorrect math
and cleans up the code.
> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16
> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
Additionally this check adds additional logic to santize the incoming
data
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Ip6Dxe/Ip6Nd.h | 35 ++++++++++++++++
NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++++++++++++++++++++++++++++++-----
NetworkPkg/Ip6Dxe/Ip6Option.h | 72 +++++++++++++++++++++++++++++++++
3 files changed, 172 insertions(+), 11 deletions(-)
diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
index 5f1bd6fb..7ece8522 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
@@ -56,13 +56,48 @@ VOID
VOID *Context
);
+//
+// Per RFC8200 Section 4.2
+//
+// Two of the currently-defined extension headers -- the Hop-by-Hop
+// Options header and the Destination Options header -- carry a variable
+// number of type-length-value (TLV) encoded "options", of the following
+// format:
+//
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+// | Option Type | Opt Data Len | Option Data
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+//
+// Option Type 8-bit identifier of the type of option.
+//
+// Opt Data Len 8-bit unsigned integer. Length of the Option
+// Data field of this option, in octets.
+//
+// Option Data Variable-length field. Option-Type-specific
+// data.
+//
typedef struct _IP6_OPTION_HEADER {
+ ///
+ /// identifier of the type of option.
+ ///
UINT8 Type;
+ ///
+ /// Length of the Option Data field of this option, in octets.
+ ///
UINT8 Length;
+ ///
+ /// Option-Type-specific data.
+ ///
} IP6_OPTION_HEADER;
STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long.");
+#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + sizeof(IP6_OPTION_HEADER) + length)
+STATIC_ASSERT (
+ IP6_NEXT_OPTION_OFFSET (0, 0) == 2,
+ "The next option is minimally the combined size of the option tag and length"
+ );
+
typedef struct _IP6_ETHE_ADDR_OPTION {
UINT8 Type;
UINT8 Length;
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 5c48006f..36e28c8b 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -17,7 +17,8 @@
@param[in] IpSb The IP6 service data.
@param[in] Packet The to be validated packet.
@param[in] Option The first byte of the option.
- @param[in] OptionLen The length of the whole option.
+ @param[in] OptionLen The length of all options, expressed in byte length of octets.
+ Maximum length is 2046 bytes or ((n + 1) * 8) - 2 where n is 255.
@param[in] Pointer Identifies the octet offset within
the invoking packet where the error was detected.
@@ -31,12 +32,33 @@ Ip6IsOptionValid (
IN IP6_SERVICE *IpSb,
IN NET_BUF *Packet,
IN UINT8 *Option,
- IN UINT8 OptionLen,
+ IN UINT16 OptionLen,
IN UINT32 Pointer
)
{
- UINT8 Offset;
- UINT8 OptionType;
+ UINT16 Offset;
+ UINT8 OptionType;
+ UINT8 OptDataLen;
+
+ if (Option == NULL) {
+ ASSERT (Option != NULL);
+ return FALSE;
+ }
+
+ if ((OptionLen <= 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) {
+ ASSERT (OptionLen > 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH);
+ return FALSE;
+ }
+
+ if (Packet == NULL) {
+ ASSERT (Packet != NULL);
+ return FALSE;
+ }
+
+ if (IpSb == NULL) {
+ ASSERT (IpSb != NULL);
+ return FALSE;
+ }
Offset = 0;
@@ -54,7 +76,8 @@ Ip6IsOptionValid (
//
// It is a PadN option
//
- Offset = (UINT8) (Offset + *(Option + Offset + 1) + 2);
+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
break;
case Ip6OptionRouterAlert:
//
@@ -69,7 +92,8 @@ Ip6IsOptionValid (
//
switch (OptionType & Ip6OptionMask) {
case Ip6OptionSkip:
- Offset = (UINT8) (Offset + *(Option + Offset + 1));
+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
break;
case Ip6OptionDiscard:
return FALSE;
@@ -305,7 +329,7 @@ Ip6IsExtsValid (
UINT32 Pointer;
UINT32 Offset;
UINT8 *Option;
- UINT8 OptionLen;
+ UINT16 OptionLen;
BOOLEAN Flag;
UINT8 CountD;
UINT8 CountA;
@@ -380,6 +404,36 @@ Ip6IsExtsValid (
// Fall through
//
case IP6_DESTINATION:
+ //
+ // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23
+ //
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // | Next Header | Hdr Ext Len | |
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+ // | |
+ // . .
+ // . Options .
+ // . .
+ // | |
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ //
+ //
+ // Next Header 8-bit selector. Identifies the type of header
+ // immediately following the Destination Options
+ // header. Uses the same values as the IPv4
+ // Protocol field [RFC-1700 et seq.].
+ //
+ // Hdr Ext Len 8-bit unsigned integer. Length of the
+ // Destination Options header in 8-octet units, not
+ // including the first 8 octets.
+ //
+ // Options Variable-length field, of length such that the
+ // complete Destination Options header is an
+ // integer multiple of 8 octets long. Contains one
+ // or more TLV-encoded options, as described in
+ // section 4.2.
+ //
+
if (*NextHeader == IP6_DESTINATION) {
CountD++;
}
@@ -393,7 +447,7 @@ Ip6IsExtsValid (
Offset++;
Option = ExtHdrs + Offset;
- OptionLen = (UINT8) ((*Option + 1) * 8 - 2);
+ OptionLen = IP6_HDR_EXT_LEN (*Option) - sizeof (IP6_EXT_HDR);
Option++;
Offset++;
@@ -425,7 +479,7 @@ Ip6IsExtsValid (
//
// Ignore the routing header and proceed to process the next header.
//
- Offset = Offset + (RoutingHead->HeaderLen + 1) * 8;
+ Offset = Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen);
if (UnFragmentLen != NULL) {
*UnFragmentLen = Offset;
@@ -437,7 +491,7 @@ Ip6IsExtsValid (
// to the packet's source address, pointing to the unrecognized routing
// type.
//
- Pointer = Offset + 2 + sizeof (EFI_IP6_HEADER);
+ Pointer = Offset + sizeof (IP6_EXT_HDR) + sizeof (EFI_IP6_HEADER);
if ((IpSb != NULL) && (Packet != NULL) &&
!IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress)) {
Ip6SendIcmpError (
@@ -521,7 +575,7 @@ Ip6IsExtsValid (
//
// RFC2402, Payload length is specified in 32-bit words, minus "2".
//
- OptionLen = (UINT8) ((*Option + 2) * 4);
+ OptionLen = ((UINT16)(*Option + 2) * 4);
Offset = Offset + OptionLen;
break;
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h
index c81b3fda..4201bcd4 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.h
@@ -12,6 +12,78 @@
#define IP6_FRAGMENT_OFFSET_MASK (~0x3)
+//
+// For more information see RFC 8200, Section 4.3, 4.4, and 4.6
+//
+// This example format is from section 4.6
+// This does not apply to fragment headers
+//
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | Next Header | Hdr Ext Len | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+// | |
+// . .
+// . Header-Specific Data .
+// . .
+// | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+// Next Header 8-bit selector. Identifies the type of
+// header immediately following the extension
+// header. Uses the same values as the IPv4
+// Protocol field [IANA-PN].
+//
+// Hdr Ext Len 8-bit unsigned integer. Length of the
+// Destination Options header in 8-octet units,
+// not including the first 8 octets.
+
+//
+// These defines apply to the following:
+// 1. Hop by Hop
+// 2. Routing
+// 3. Destination
+//
+typedef struct _IP6_EXT_HDR {
+ ///
+ /// The Next Header field identifies the type of header immediately
+ ///
+ UINT8 NextHeader;
+ ///
+ /// The Hdr Ext Len field specifies the length of the Hop-by-Hop Options
+ ///
+ UINT8 HdrExtLen;
+ ///
+ /// Header-Specific Data
+ ///
+} IP6_EXT_HDR;
+
+STATIC_ASSERT (
+ sizeof (IP6_EXT_HDR) == 2,
+ "The combined size of Next Header and Len is two 8 bit fields"
+ );
+
+//
+// IPv6 extension headers contain an 8-bit length field which describes the size of
+// the header. However, the length field only includes the size of the extension
+// header options, not the size of the first 8 bytes of the header. Therefore, in
+// order to calculate the full size of the extension header, we add 1 (to account
+// for the first 8 bytes omitted by the length field reporting) and then multiply
+// by 8 (since the size is represented in 8-byte units).
+//
+// a is the length field of the extension header (UINT8)
+// The result may be up to 2046 octets (UINT16)
+//
+#define IP6_HDR_EXT_LEN(a) (((UINT16)((UINT8)(a)) + 1) * 8)
+
+// This is the maxmimum length permissible by a extension header
+// Length is UINT8 of 8 octets not including the first 8 octets
+#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - sizeof(IP6_EXT_HDR))
+STATIC_ASSERT (
+ IP6_MAX_EXT_DATA_LENGTH == 2046,
+ "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2"
+ );
+
+
typedef struct _IP6_FRAGMENT_HEADER {
UINT8 NextHeader;
UINT8 Reserved;
--
2.33.0

408
0064-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch Normal file
View File

@ -0,0 +1,408 @@
From 7bff8451cd7374c912cf79e13b0a496483252de5 Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:25:22 +0800
Subject: [PATCH 09/13] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit
Tests
Unit tests to confirm that..
Infinite loop when parsing unknown options in the Destination Options
header
and
Infinite loop when parsing a PadN option in the Destination Options
header
... have been patched
This patch tests the following functions:
Ip6IsOptionValid
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/c9c87f08dd6ace36fa843424522c3558a8374cac
Signed-off-by: yexiao yexiao7@huawei.com
---
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 10 +-
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 278 ++++++++++++++++++
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h | 40 +++
3 files changed, 324 insertions(+), 4 deletions(-)
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
index 60396b05..489a45f1 100644
--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
@@ -1,13 +1,13 @@
## @file
-# Unit test suite for the Ip6Dxe using Google Test
+# Unit test suite for the Ip6DxeGoogleTest using Google Test
#
# Copyright (c) Microsoft Corporation.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
[Defines]
INF_VERSION = 0x00010017
- BASE_NAME = Ip6DxeUnitTest
- FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
+ BASE_NAME = Ip6DxeGoogleTest
+ FILE_GUID = AE39981C-B7FE-41A8-A9C2-F41910477CA3
VERSION_STRING = 1.0
MODULE_TYPE = HOST_APPLICATION
#
@@ -16,9 +16,11 @@
# VALID_ARCHITECTURES = IA32 X64 AARCH64
#
[Sources]
+ ../Ip6Option.c
+ Ip6OptionGoogleTest.h
Ip6DxeGoogleTest.cpp
Ip6OptionGoogleTest.cpp
- ../Ip6Option.c
+ Ip6OptionGoogleTest.h
[Packages]
MdePkg/MdePkg.dec
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
index 874400eb..c12cbc0d 100644
--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
@@ -12,6 +12,7 @@ extern "C" {
#include <Library/DebugLib.h>
#include "../Ip6Impl.h"
#include "../Ip6Option.h"
+ #include "Ip6OptionGoogleTest.h"
}
/////////////////////////////////////////////////////////////////////////
@@ -127,3 +128,280 @@ TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse)
EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
}
+
+////////////////////////////////////////////////////////////////////////
+// Ip6IsOptionValid Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Ip6IsOptionValidTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description
+// Verify that a NULL option is Invalid
+TEST_F (Ip6IsOptionValidTest, NullOptionShouldReturnTrue) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ IP6_SERVICE *IpSb = NULL;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ EXPECT_FALSE (Ip6IsOptionValid (IpSb, &Packet, NULL, 0, 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 0 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength0) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 0; // This will cause an infinite loop if the function is not working correctly
+
+ // This should be a valid option even though the length is 0
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 1 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength1) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 1; // This will cause an infinite loop if the function is not working correctly
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 2 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyIpSkipUnknownOption) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 2; // Valid length for an unknown option
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that Ip6OptionPad1 is valid with a length of 0
+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPad1) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPad1;
+ optionHeader.Length = 0;
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that Ip6OptionPadN doesn't overflow with various lengths
+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPadN) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPadN;
+ optionHeader.Length = 0xFF;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFE;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFD;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFC;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify an unknown option doesn't cause an infinite loop with various lengths
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLengthAttemptOverflow) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 0xFF;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFE;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFD;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFC;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that the function supports multiple options
+TEST_F (Ip6IsOptionValidTest, MultiOptionSupport) {
+ UINT16 HdrLen;
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ UINT8 ExtHdr[1024] = { 0 };
+ UINT8 *Cursor = ExtHdr;
+ IP6_OPTION_HEADER *Option = (IP6_OPTION_HEADER *)ExtHdr;
+
+ // Let's start chaining options
+
+ Option->Type = 23; // Unknown Option
+ Option->Length = 0xFC;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionPad1;
+
+ Cursor += sizeof (1);
+
+ // Type and length aren't processed, instead it just moves the pointer forward by 4 bytes
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionRouterAlert;
+ Option->Length = 4;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionPadN;
+ Option->Length = 0xFC;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionRouterAlert;
+ Option->Length = 4;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
+
+ // Total 524
+
+ HdrLen = (UINT16)(Cursor - ExtHdr);
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, ExtHdr, HdrLen, 0));
+}
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
new file mode 100644
index 00000000..af61f608
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
@@ -0,0 +1,40 @@
+/** @file
+ Exposes the functions needed to test the Ip6Option module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef IP6_OPTION_HEADER_GOOGLE_TEST_H_
+#define IP6_OPTION_HEADER_GOOGLE_TEST_H_
+
+#include <Uefi.h>
+#include "../Ip6Impl.h"
+
+/**
+ Validate the IP6 option format for both the packets we received
+ and that we will transmit. It will compute the ICMPv6 error message fields
+ if the option is malformatted.
+
+ @param[in] IpSb The IP6 service data.
+ @param[in] Packet The to be validated packet.
+ @param[in] Option The first byte of the option.
+ @param[in] OptionLen The length of the whole option.
+ @param[in] Pointer Identifies the octet offset within
+ the invoking packet where the error was detected.
+
+
+ @retval TRUE The option is properly formatted.
+ @retval FALSE The option is malformatted.
+
+**/
+BOOLEAN
+Ip6IsOptionValid (
+ IN IP6_SERVICE *IpSb,
+ IN NET_BUF *Packet,
+ IN UINT8 *Option,
+ IN UINT16 OptionLen,
+ IN UINT32 Pointer
+ );
+
+#endif // __IP6_OPTION_HEADER_GOOGLE_TEST_H__
--
2.33.0

144
0065-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch Normal file
View File

@ -0,0 +1,144 @@
From 8b92628f5c3b8e3fd6d3cef0e5060255f936b3e9 Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:26:27 +0800
Subject: [PATCH 10/13] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234
Patch
Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message
Change Overview:
Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid
> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )
Additional code cleanup
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 69 ++++++++++++++++++++++++++--
1 file changed, 64 insertions(+), 5 deletions(-)
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 8d71143b..7a20ba56 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -3,6 +3,7 @@
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -1308,6 +1309,64 @@ PxeBcSelectDhcp6Offer (
}
}
+/**
+ Cache the DHCPv6 DNS Server addresses
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE.
+
+ @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_DEVICE_ERROR The DNS Server Address Length provided by a untrusted
+ option is not a multiple of 16 bytes (sizeof (EFI_IPv6_ADDRESS)).
+**/
+EFI_STATUS
+PxeBcCacheDnsServerAddresses (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6
+ )
+{
+ UINT16 DnsServerLen;
+
+ DnsServerLen = NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen);
+ //
+ // Make sure that the number is nonzero
+ //
+ if (DnsServerLen == 0) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)
+ //
+ if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) != 0) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // This code is currently written to only support a single DNS Server instead
+ // of multiple such as is spec defined (RFC3646, Section 3). The proper behavior
+ // would be to allocate the full space requested, CopyMem all of the data,
+ // and then add a DnsServerCount field to Private and update additional code
+ // that depends on this.
+ //
+ // To support multiple DNS servers the `AllocationSize` would need to be changed to DnsServerLen
+ //
+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
+ //
+ Private->DnsServer = AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));
+ if (Private->DnsServer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Intentionally only copy over the first server address.
+ // To support multiple DNS servers, the `Length` would need to be changed to DnsServerLen
+ //
+ CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
+
+ return EFI_SUCCESS;
+}
/**
Handle the DHCPv6 offer packet.
@@ -1332,6 +1391,7 @@ PxeBcHandleDhcp6Offer (
UINT32 SelectIndex;
UINT32 Index;
+ ASSERT (Private != NULL);
ASSERT (Private->SelectIndex > 0);
SelectIndex = (UINT32) (Private->SelectIndex - 1);
ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
@@ -1339,14 +1399,13 @@ PxeBcHandleDhcp6Offer (
Status = EFI_SUCCESS;
//
- // First try to cache DNS server address if DHCP6 offer provides.
+ // First try to cache DNS server addresses if DHCP6 offer provides.
//
if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] != NULL) {
- Private->DnsServer = AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen));
- if (Private->DnsServer == NULL) {
- return EFI_OUT_OF_RESOURCES;
+ Status = PxeBcCacheDnsServerAddresses (Private, Cache6);
+ if (EFI_ERROR (Status)) {
+ return Status;
}
- CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
}
if (Cache6->OfferType == PxeOfferTypeDhcpBinl) {
--
2.33.0

489
0066-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch Normal file
View File

@ -0,0 +1,489 @@
From dd655085bf631eea1dd8c2ab189dece526d82994 Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:27:33 +0800
Subject: [PATCH 11/13] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234
Unit Tests
Unit tests to that the bug..
Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message
..has been patched
This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/458c582685fc0e8057d2511c5a0394078d988c17
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
.../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 300 ++++++++++++++++++
.../GoogleTest/PxeBcDhcp6GoogleTest.h | 50 +++
.../GoogleTest/UefiPxeBcDxeGoogleTest.cpp | 19 ++
.../GoogleTest/UefiPxeBcDxeGoogleTest.inf | 48 +++
5 files changed, 418 insertions(+)
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 97370120..ad164c9d 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -26,6 +26,7 @@
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
new file mode 100644
index 00000000..c66a60bc
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
@@ -0,0 +1,300 @@
+/** @file
+ Host based unit test for PxeBcDhcp6.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include "../PxeBcImpl.h"
+ #include "../PxeBcDhcp6.h"
+ #include "PxeBcDhcp6GoogleTest.h"
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Definitions
+///////////////////////////////////////////////////////////////////////////////
+
+#define PACKET_SIZE (1500)
+
+typedef struct {
+ UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
+ UINT16 OptionLen; // The length of the option (e.g., 16 bytes)
+ UINT8 ServerId[16]; // The 16-byte DHCPv6 Server Identifier
+} DHCP6_OPTION_SERVER_ID;
+
+///////////////////////////////////////////////////////////////////////////////
+/// Symbol Definitions
+///////////////////////////////////////////////////////////////////////////////
+
+EFI_STATUS
+MockUdpWrite (
+ IN EFI_PXE_BASE_CODE_PROTOCOL *This,
+ IN UINT16 OpFlags,
+ IN EFI_IP_ADDRESS *DestIp,
+ IN EFI_PXE_BASE_CODE_UDP_PORT *DestPort,
+ IN EFI_IP_ADDRESS *GatewayIp OPTIONAL,
+ IN EFI_IP_ADDRESS *SrcIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL,
+ IN UINTN *HeaderSize OPTIONAL,
+ IN VOID *HeaderPtr OPTIONAL,
+ IN UINTN *BufferSize,
+ IN VOID *BufferPtr
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+MockUdpRead (
+ IN EFI_PXE_BASE_CODE_PROTOCOL *This,
+ IN UINT16 OpFlags,
+ IN OUT EFI_IP_ADDRESS *DestIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *DestPort OPTIONAL,
+ IN OUT EFI_IP_ADDRESS *SrcIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL,
+ IN UINTN *HeaderSize OPTIONAL,
+ IN VOID *HeaderPtr OPTIONAL,
+ IN OUT UINTN *BufferSize,
+ IN VOID *BufferPtr
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+MockConfigure (
+ IN EFI_UDP6_PROTOCOL *This,
+ IN EFI_UDP6_CONFIG_DATA *UdpConfigData OPTIONAL
+ )
+{
+ return EFI_SUCCESS;
+}
+
+// Needed by PxeBcSupport
+EFI_STATUS
+EFIAPI
+QueueDpc (
+ IN EFI_TPL DpcTpl,
+ IN EFI_DPC_PROCEDURE DpcProcedure,
+ IN VOID *DpcContext OPTIONAL
+ )
+{
+ return EFI_SUCCESS;
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcHandleDhcp6OfferTest Tests
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcHandleDhcp6OfferTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+ EFI_PXE_BASE_CODE_MODE Mode = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+
+ // Need to setup the EFI_PXE_BASE_CODE_MODE
+ Private.PxeBc.Mode = &Mode;
+
+ // for this test it doesn't really matter what the Dhcpv6 ack is set to
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+// Note:
+// Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a
+// properly setup Private structure. Attempting to properly test this function
+// without a signficant refactor is a fools errand. Instead, we will test
+// that we can prevent an overflow in the function.
+TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337);
+
+ ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
+}
+
+class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ }
+};
+
+// Test Description
+// Test that we cache the DNS server address from the DHCPv6 offer packet
+TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) {
+ UINT8 SearchPattern[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
+ EFI_DHCP6_PACKET_OPTION *Option;
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Option = (EFI_DHCP6_PACKET_OPTION *)AllocateZeroPool (sizeof (EFI_DHCP6_PACKET_OPTION) + sizeof (SearchPattern));
+ ASSERT_NE (Option, nullptr);
+
+ Option->OpCode = DHCP6_OPT_SERVER_ID;
+ Option->OpLen = NTOHS (sizeof (SearchPattern));
+ CopyMem (Option->Data, SearchPattern, sizeof (SearchPattern));
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = Option;
+
+ Private.DnsServer = nullptr;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
+ ASSERT_NE (Private.DnsServer, nullptr);
+ ASSERT_EQ (CompareMem (Private.DnsServer, SearchPattern, sizeof (SearchPattern)), 0);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+
+ if (Option) {
+ FreePool (Option);
+ }
+}
+// Test Description
+// Test that we can prevent an overflow in the function
+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337);
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
+ ASSERT_EQ (Private.DnsServer, nullptr);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
+
+// Test Description
+// Test that we can prevent an underflow in the function
+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptUnderflowTest) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (2);
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
+ ASSERT_EQ (Private.DnsServer, nullptr);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
+
+// Test Description
+// Test that we can handle recursive dns (multiple dns entries)
+TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+
+ EFI_IPv6_ADDRESS addresses[2] = {
+ // 2001:db8:85a3::8a2e:370:7334
+ { 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x34 },
+ // fe80::d478:91c3:ecd7:4ff9
+ { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x78, 0x91, 0xc3, 0xec, 0xd7, 0x4f, 0xf9 }
+ };
+
+ CopyMem (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, &addresses, sizeof (addresses));
+
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (sizeof (addresses));
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
+
+ ASSERT_NE (Private.DnsServer, nullptr);
+
+ //
+ // This is expected to fail until DnsServer supports multiple DNS servers
+ //
+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
+ //
+ // Disabling:
+ // ASSERT_EQ (CompareMem(Private.DnsServer, &addresses, sizeof(addresses)), 0);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
new file mode 100644
index 00000000..48ab238d
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
@@ -0,0 +1,50 @@
+/** @file
+ This file exposes the internal interfaces which may be unit tested
+ for the PxeBcDhcp6Dxe driver.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef PXE_BC_DHCP6_GOOGLE_TEST_H_
+#define PXE_BC_DHCP6_GOOGLE_TEST_H_
+
+//
+// Minimal includes needed to compile
+//
+#include <Uefi.h>
+#include "../PxeBcImpl.h"
+
+/**
+ Handle the DHCPv6 offer packet.
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+
+ @retval EFI_SUCCESS Handled the DHCPv6 offer packet successfully.
+ @retval EFI_NO_RESPONSE No response to the following request packet.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_BUFFER_TOO_SMALL Can't cache the offer pacet.
+
+**/
+EFI_STATUS
+PxeBcHandleDhcp6Offer (
+ IN PXEBC_PRIVATE_DATA *Private
+ );
+
+/**
+ Cache the DHCPv6 Server address
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE.
+
+ @retval EFI_SUCCESS Cache the DHCPv6 Server address successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_DEVICE_ERROR Failed to cache the DHCPv6 Server address.
+**/
+EFI_STATUS
+PxeBcCacheDnsServerAddresses (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6
+ );
+
+#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
new file mode 100644
index 00000000..ff159e45
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
@@ -0,0 +1,19 @@
+/** @file
+ Acts as the main entry point for the tests for the UefiPxeBcDxe module.
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
new file mode 100644
index 00000000..0097142b
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
@@ -0,0 +1,48 @@
+## @file
+# Unit test suite for the UefiPxeBcDxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+INF_VERSION = 0x00010005
+BASE_NAME = UefiPxeBcDxeGoogleTest
+FILE_GUID = 77D45C64-EC1E-4174-887B-886E89FD1EDF
+MODULE_TYPE = HOST_APPLICATION
+VERSION_STRING = 1.0
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ UefiPxeBcDxeGoogleTest.cpp
+ PxeBcDhcp6GoogleTest.cpp
+ PxeBcDhcp6GoogleTest.h
+ ../PxeBcDhcp6.c
+ ../PxeBcSupport.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+ gEfiDns6ServiceBindingProtocolGuid
+ gEfiDns6ProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
--
2.33.0

231
0067-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch Normal file
View File

@ -0,0 +1,231 @@
From 0c7c03ee087f10d9ddda8f38d816763211f8b925 Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:28:35 +0800
Subject: [PATCH 12/13] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235
Patch
Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
Change Overview:
Performs two checks
1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> + Status = EFI_INVALID_PARAMETER;
> + goto ON_ERROR;
> + }
2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
> DiscoverLenNeeded) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_ERROR;
> + }
Additional code clean up and fix for memory leak in case Option was NULL
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 76 ++++++++++++++++++++++------
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 +++++++
2 files changed, 77 insertions(+), 16 deletions(-)
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 7a20ba56..578a2615 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -883,6 +883,7 @@ PxeBcRequestBootService (
EFI_STATUS Status;
EFI_DHCP6_PACKET *IndexOffer;
UINT8 *Option;
+ UINTN DiscoverLenNeeded;
PxeBc = &Private->PxeBc;
Request = Private->Dhcp6Request;
@@ -895,7 +896,8 @@ PxeBcRequestBootService (
return EFI_DEVICE_ERROR;
}
- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
+ Discover = AllocateZeroPool (DiscoverLenNeeded);
if (Discover == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -920,16 +922,33 @@ PxeBcRequestBootService (
DHCP6_OPT_SERVER_ID
);
if (Option == NULL) {
- return EFI_NOT_FOUND;
+ Status = EFI_NOT_FOUND;
+ goto ON_ERROR;
}
//
// Add Server ID Option.
//
OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *) Option)->OpLen);
- CopyMem (DiscoverOpt, Option, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+ //
+ // Check that the minimum and maximum requirements are met
+ //
+ if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_ERROR;
+ }
+
+ //
+ // Check that the option length is valid.
+ //
+ if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
+ CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
while (RequestLen < Request->Length) {
@@ -939,15 +958,23 @@ PxeBcRequestBootService (
OpCode != EFI_DHCP6_IA_TYPE_TA &&
OpCode != DHCP6_OPT_SERVER_ID
) {
+ //
+ // Check that the option length is valid.
+ //
+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
//
// Copy all the options except IA option and Server ID
//
- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
- RequestOpt += (OpLen + 4);
- RequestLen += (OpLen + 4);
+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
//
@@ -2135,6 +2162,7 @@ PxeBcDhcp6Discover (
UINT16 OpLen;
UINT32 Xid;
EFI_STATUS Status;
+ UINTN DiscoverLenNeeded;
PxeBc = &Private->PxeBc;
Mode = PxeBc->Mode;
@@ -2150,7 +2178,8 @@ PxeBcDhcp6Discover (
return EFI_DEVICE_ERROR;
}
- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
+ Discover = AllocateZeroPool (DiscoverLenNeeded);
if (Discover == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -2166,20 +2195,35 @@ PxeBcDhcp6Discover (
DiscoverLen = sizeof (EFI_DHCP6_HEADER);
RequestLen = DiscoverLen;
+ //
+ // The request packet is generated by the UEFI network stack. In the DHCP4 DORA and DHCP6 SARR sequence,
+ // the first (discover in DHCP4 and solicit in DHCP6) and third (request in both DHCP4 and DHCP6) are
+ // generated by the DHCP client (the UEFI network stack in this case). By the time this function executes,
+ // the DHCP sequence already has been executed once (see UEFI Specification Figures 24.2 and 24.3), with
+ // Private->Dhcp6Request being a cached copy of the DHCP6 request packet that UEFI network stack previously
+ // generated and sent.
+ //
+ // Therefore while this code looks like it could overflow, in practice it's not possible.
+ //
while (RequestLen < Request->Length) {
OpCode = NTOHS (((EFI_DHCP6_PACKET_OPTION *) RequestOpt)->OpCode);
OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *) RequestOpt)->OpLen);
if (OpCode != EFI_DHCP6_IA_TYPE_NA &&
OpCode != EFI_DHCP6_IA_TYPE_TA) {
+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
//
// Copy all the options except IA option.
//
- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
- RequestOpt += (OpLen + 4);
- RequestLen += (OpLen + 4);
+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
Status = PxeBc->UdpWrite (
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
index ae4be775..fda5f502 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
@@ -35,6 +35,23 @@
#define PXEBC_ADDR_START_DELIMITER '['
#define PXEBC_ADDR_END_DELIMITER ']'
+//
+// A DUID consists of a 2-octet type code represented in network byte
+// order, followed by a variable number of octets that make up the
+// actual identifier. The length of the DUID (not including the type
+// code) is at least 1 octet and at most 128 octets.
+//
+#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1)
+#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128)
+
+//
+// This define represents the combineds code and length field from
+// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1
+//
+#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \
+ (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \
+ sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
+
#define GET_NEXT_DHCP6_OPTION(Opt) \
(EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \
sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1)
--
2.33.0

387
0068-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch Normal file
View File

@ -0,0 +1,387 @@
From ca4fc18dc7b5441236fdf3387703c9162c4ec80c Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:30:11 +0800
Subject: [PATCH 13/13] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235
Unit Tests
Unit tests to confirm that the bug..
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
..has been patched.
This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
ref: https://github.com/tianocore/edk2/commit/ff2986358f75d8f58ef08a66fe673539c9c48f41
Signed-off-by: yexiao yexiao7@huawei.com
---
NetworkPkg/Test/NetworkPkgHostTest.dsc | 5 +-
.../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 278 +++++++++++++++++-
.../GoogleTest/PxeBcDhcp6GoogleTest.h | 18 ++
3 files changed, 298 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index ad164c9d..d58f54cb 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -26,7 +26,10 @@
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
- NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf {
+ <LibraryClasses>
+ UefiRuntimeServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf
+ }
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
index c66a60bc..d447ac02 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
@@ -4,7 +4,9 @@
Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
-#include <gtest/gtest.h>
+#include <Library/GoogleTestLib.h>
+#include <GoogleTest/Library/MockUefiLib.h>
+#include <GoogleTest/Library/MockUefiRuntimeServicesTableLib.h>
extern "C" {
#include <Uefi.h>
@@ -19,7 +21,8 @@ extern "C" {
// Definitions
///////////////////////////////////////////////////////////////////////////////
-#define PACKET_SIZE (1500)
+#define PACKET_SIZE (1500)
+#define REQUEST_OPTION_LENGTH (120)
typedef struct {
UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
@@ -76,6 +79,26 @@ MockConfigure (
}
// Needed by PxeBcSupport
+EFI_STATUS
+PxeBcDns6 (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN CHAR16 *HostName,
+ OUT EFI_IPv6_ADDRESS *IpAddress
+ )
+{
+ return EFI_SUCCESS;
+}
+
+UINT32
+PxeBcBuildDhcp6Options (
+ IN PXEBC_PRIVATE_DATA *Private,
+ OUT EFI_DHCP6_PACKET_OPTION **OptList,
+ IN UINT8 *Buffer
+ )
+{
+ return EFI_SUCCESS;
+}
+
EFI_STATUS
EFIAPI
QueueDpc (
@@ -159,6 +182,10 @@ TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
}
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcCacheDnsServerAddresses Tests
+///////////////////////////////////////////////////////////////////////////////
+
class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
public:
PXEBC_PRIVATE_DATA Private = { 0 };
@@ -298,3 +325,250 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
FreePool (Private.DnsServer);
}
}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcRequestBootServiceTest Test Cases
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcRequestBootServiceTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+TEST_F (PxeBcRequestBootServiceTest, ServerDiscoverBasicUsageTest) {
+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
+
+ DHCP6_OPTION_SERVER_ID Server = { 0 };
+
+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID);
+ Server.OptionLen = HTONS (16); // valid length
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &Server, sizeof (Server));
+ Cursor += sizeof (Server);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, AttemptDiscoverOverFlowExpectFailure) {
+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
+
+ DHCP6_OPTION_SERVER_ID Server = { 0 };
+
+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID);
+ Server.OptionLen = HTONS (1500); // This length would overflow without a check
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &Server, sizeof (Server));
+ Cursor += sizeof (Server);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ // This is going to be stopped by the duid overflow check
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_INVALID_PARAMETER);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, RequestBasicUsageTest) {
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = 0; // valid length
+
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) {
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = 1500; // this length would overflow without a check
+
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_OUT_OF_RESOURCES);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcDhcp6Discover Test
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcDhcp6DiscoverTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+
+protected:
+ MockUefiRuntimeServicesTableLib RtServicesMock;
+
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description
+// This will cause an overflow by an untrusted packet during the option parsing
+TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) {
+ EFI_IPv6_ADDRESS DestIp = { 0 };
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = HTONS (0xFFFF); // overflow
+
+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
+
+ EXPECT_CALL (RtServicesMock, gRT_GetTime)
+ .WillOnce (::testing::Return (0));
+
+ ASSERT_EQ (
+ PxeBcDhcp6Discover (
+ &(PxeBcDhcp6DiscoverTest::Private),
+ 0,
+ NULL,
+ FALSE,
+ (EFI_IP_ADDRESS *)&DestIp
+ ),
+ EFI_OUT_OF_RESOURCES
+ );
+}
+
+// Test Description
+// This will test that we can handle a packet with a valid option length
+TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) {
+ EFI_IPv6_ADDRESS DestIp = { 0 };
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = HTONS (0x30);
+
+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
+
+ EXPECT_CALL (RtServicesMock, gRT_GetTime)
+ .WillOnce (::testing::Return (0));
+
+ ASSERT_EQ (
+ PxeBcDhcp6Discover (
+ &(PxeBcDhcp6DiscoverTest::Private),
+ 0,
+ NULL,
+ FALSE,
+ (EFI_IP_ADDRESS *)&DestIp
+ ),
+ EFI_SUCCESS
+ );
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
index 48ab238d..4c6173de 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
@@ -47,4 +47,22 @@ PxeBcCacheDnsServerAddresses (
IN PXEBC_DHCP6_PACKET_CACHE *Cache6
);
+/**
+ Build and send out the request packet for the bootfile, and parse the reply.
+
+ @param[in] Private The pointer to PxeBc private data.
+ @param[in] Index PxeBc option boot item type.
+
+ @retval EFI_SUCCESS Successfully discovered the boot file.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_NOT_FOUND Can't get the PXE reply packet.
+ @retval Others Failed to discover the boot file.
+
+**/
+EFI_STATUS
+PxeBcRequestBootService (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN UINT32 Index
+ );
+
#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
--
2.33.0

1569
0069-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch Normal file
View File

File diff suppressed because it is too large Load Diff

791
0070-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch Normal file
View File

@ -0,0 +1,791 @@
From 6acd7ea3c036fcd9ac60f990dca2d28a0c3c1cdc Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Tue, 13 Feb 2024 10:46:01 -0800
Subject: [PATCH 2/3] NetworkPkg: Dhcp6Dxe: Removes duplicate check and
replaces with macro
Removes duplicate check after merge
>
> //
> // Verify the PacketCursor is within the packet
> //
> if ( (*PacketCursor < Packet->Dhcp6.Option)
> || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size -
sizeof (EFI_DHCP6_HEADER))))
> {
> return EFI_INVALID_PARAMETER;
> }
>
Converts the check to a macro and replaces all instances of the check
with the macro
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
reference: https://github.com/tianocore/edk2/pull/5372
Signed-off-by: yexiao <yexiao7@huawei.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 598 ++++++++++++++---------------
1 file changed, 295 insertions(+), 303 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index 2b4005b4..eafa72eb 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -10,6 +10,14 @@
#include "Dhcp6Impl.h"
+//
+// Verifies the packet cursor is within the packet
+// otherwise it is invalid
+//
+#define IS_INVALID_PACKET_CURSOR(PacketCursor, Packet) \
+ (((*PacketCursor) < (Packet)->Dhcp6.Option) || \
+ ((*PacketCursor) >= (Packet)->Dhcp6.Option + ((Packet)->Size - sizeof(EFI_DHCP6_HEADER))) \
+ )
/**
Generate client Duid in the format of Duid-llt.
@@ -601,33 +609,33 @@ Dhcp6OnTransmitted (
/**
- Append the option to Buf, update the length of packet, and move Buf to the end.
+ Append the option to Buf, update the length of packet, and move Buf to the end.
- @param[in, out] Packet A pointer to the packet, on success Packet->Length
- will be updated.
- @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
- will be moved to the end of the option.
- @param[in] OptType The option type.
- @param[in] OptLen The length of option contents.
- @param[in] Data The pointer to the option content.
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
+ will be moved to the end of the option.
+ @param[in] OptType The option type.
+ @param[in] OptLen The length of option contents.
+ @param[in] Data The pointer to the option content.
- @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
- @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
- @retval EFI_SUCCESS The option is appended successfully.
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
+ @retval EFI_SUCCESS The option is appended successfully.
**/
-EFI_STATUS
+EFI_STATUS
Dhcp6AppendOption (
- IN OUT EFI_DHCP6_PACKET *Packet,
- IN OUT UINT8 **PacketCursor,
- IN UINT16 OptType,
- IN UINT16 OptLen,
- IN UINT8 *Data
+ IN OUT EFI_DHCP6_PACKET *Packet,
+ IN OUT UINT8 **PacketCursor,
+ IN UINT16 OptType,
+ IN UINT16 OptLen,
+ IN UINT8 *Data
)
{
- UINT32 Length;
- UINT32 BytesNeeded;
-
+ UINT32 Length;
+ UINT32 BytesNeeded;
+
//
// The format of Dhcp6 option:
//
@@ -640,94 +648,83 @@ Dhcp6AppendOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
- //
- // Verify the arguments are valid
- //
- if (Packet == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Data == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (OptLen == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Calculate the bytes needed for the option
- //
- BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen);
-
- //
- // Space remaining in the packet
- //
- Length = Packet->Size - Packet->Length;
- if (Length < BytesNeeded) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
- WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
- *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
- WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
- *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
- CopyMem (*PacketCursor, Data, NTOHS (OptLen));
- *PacketCursor += NTOHS (OptLen);
-
- // Update the packet length by the length of the option + 4 bytes
- Packet->Length += BytesNeeded;
-
- return EFI_SUCCESS;
+ //
+ // Verify the arguments are valid
+ //
+ if (Packet == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (Data == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (OptLen == 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Verify the PacketCursor is within the packet
+ //
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Calculate the bytes needed for the option
+ //
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen);
+
+ //
+ // Space remaining in the packet
+ //
+ Length = Packet->Size - Packet->Length;
+ if (Length < BytesNeeded) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
+ CopyMem (*PacketCursor, Data, NTOHS (OptLen));
+ *PacketCursor += NTOHS (OptLen);
+
+ // Update the packet length by the length of the option + 4 bytes
+ Packet->Length += BytesNeeded;
+
+ return EFI_SUCCESS;
}
/**
Append the appointed IA Address option to Buf, and move Buf to the end.
- @param[in, out] Packet A pointer to the packet, on success Packet->Length
- will be updated.
- @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
- will be moved to the end of the option.
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
+ will be moved to the end of the option.
@param[in] IaAddr The pointer to the IA Address.
@param[in] MessageType Message type of DHCP6 package.
- @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
- @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
- @retval EFI_SUCCESS The option is appended successfully.
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
+ @retval EFI_SUCCESS The option is appended successfully.
**/
-EFI_STATUS
+EFI_STATUS
Dhcp6AppendIaAddrOption (
- IN OUT EFI_DHCP6_PACKET *Packet,
- IN OUT UINT8 **PacketCursor,
+ IN OUT EFI_DHCP6_PACKET *Packet,
+ IN OUT UINT8 **PacketCursor,
IN EFI_DHCP6_IA_ADDRESS *IaAddr,
IN UINT32 MessageType
)
{
- UINT32 BytesNeeded;
- UINT32 Length;
+ UINT32 BytesNeeded;
+ UINT32 Length;
// The format of the IA Address option is:
//
@@ -750,60 +747,58 @@ Dhcp6AppendIaAddrOption (
// . .
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- // Verify the arguments are valid
- //
- if (Packet == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (IaAddr == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
- BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
- BytesNeeded += sizeof (EFI_IPv6_ADDRESS);
- //
- // Even if the preferred-lifetime is 0, it still needs to store it.
- //
- BytesNeeded += sizeof (IaAddr->PreferredLifetime);
- //
- // Even if the valid-lifetime is 0, it still needs to store it.
- //
- BytesNeeded += sizeof (IaAddr->ValidLifetime);
-
- //
- // Space remaining in the packet
- //
- Length = Packet->Size - Packet->Length;
- if (Length < BytesNeeded) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
+ //
+ // Verify the arguments are valid
+ //
+ if (Packet == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (IaAddr == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Verify the PacketCursor is within the packet
+ //
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
+ BytesNeeded += sizeof (EFI_IPv6_ADDRESS);
+ //
+ // Even if the preferred-lifetime is 0, it still needs to store it.
+ //
+ BytesNeeded += sizeof (IaAddr->PreferredLifetime);
+ //
+ // Even if the valid-lifetime is 0, it still needs to store it.
+ //
+ BytesNeeded += sizeof (IaAddr->ValidLifetime);
+
+ //
+ // Space remaining in the packet
+ //
+ Length = Packet->Size - Packet->Length;
+ if (Length < BytesNeeded) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
//
// Fill the value of Ia Address option type
//
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr));
- *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr));
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));
- *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
- CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));
- *PacketCursor += sizeof (EFI_IPv6_ADDRESS);
+ CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));
+ *PacketCursor += sizeof (EFI_IPv6_ADDRESS);
//
// Fill the value of preferred-lifetime and valid-lifetime.
@@ -811,57 +806,57 @@ Dhcp6AppendIaAddrOption (
// should set to 0 when initiate a Confirm message.
//
if (MessageType != Dhcp6MsgConfirm) {
- WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime));
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime));
}
- *PacketCursor += sizeof (IaAddr->PreferredLifetime);
+ *PacketCursor += sizeof (IaAddr->PreferredLifetime);
if (MessageType != Dhcp6MsgConfirm) {
- WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime));
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime));
}
- *PacketCursor += sizeof (IaAddr->ValidLifetime);
-
- //
- // Update the packet length
- //
- Packet->Length += BytesNeeded;
-
- return EFI_SUCCESS;
+ *PacketCursor += sizeof (IaAddr->ValidLifetime);
+
+ //
+ // Update the packet length
+ //
+ Packet->Length += BytesNeeded;
+
+ return EFI_SUCCESS;
}
/**
Append the appointed Ia option to Buf, and move Buf to the end.
- @param[in, out] Packet A pointer to the packet, on success Packet->Length
- will be updated.
- @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
- will be moved to the end of the option.
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
+ will be moved to the end of the option.
@param[in] Ia The pointer to the Ia.
@param[in] T1 The time of T1.
@param[in] T2 The time of T2.
@param[in] MessageType Message type of DHCP6 package.
- @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
- @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
- @retval EFI_SUCCESS The option is appended successfully.
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
+ @retval EFI_SUCCESS The option is appended successfully.
**/
-EFI_STATUS
+EFI_STATUS
Dhcp6AppendIaOption (
- IN OUT EFI_DHCP6_PACKET *Packet,
- IN OUT UINT8 **PacketCursor,
- IN EFI_DHCP6_IA *Ia,
- IN UINT32 T1,
- IN UINT32 T2,
- IN UINT32 MessageType
+ IN OUT EFI_DHCP6_PACKET *Packet,
+ IN OUT UINT8 **PacketCursor,
+ IN EFI_DHCP6_IA *Ia,
+ IN UINT32 T1,
+ IN UINT32 T2,
+ IN UINT32 MessageType
)
{
- UINT8 *AddrOpt;
- UINT16 *Len;
- UINTN Index;
- UINT32 BytesNeeded;
- UINT32 Length;
- EFI_STATUS Status;
+ UINT8 *AddrOpt;
+ UINT16 *Len;
+ UINTN Index;
+ UINT32 BytesNeeded;
+ UINT32 Length;
+ EFI_STATUS Status;
//
// The format of IA_NA and IA_TA option:
@@ -882,75 +877,73 @@ Dhcp6AppendIaOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
- //
- // Verify the arguments are valid
- //
- if (Packet == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Ia == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
- BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
- BytesNeeded += sizeof (Ia->Descriptor.IaId);
- //
- // + N for the IA_NA-options/IA_TA-options
- // Dhcp6AppendIaAddrOption will need to check the length for each address
- //
- if (Ia->Descriptor.Type == Dhcp6OptIana) {
- BytesNeeded += sizeof (T1) + sizeof (T2);
- }
-
- //
- // Space remaining in the packet
- //
- Length = (UINT16)(Packet->Size - Packet->Length);
- if (Length < BytesNeeded) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
-
+ //
+ // Verify the arguments are valid
+ //
+ if (Packet == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (Ia == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Verify the PacketCursor is within the packet
+ //
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
+ BytesNeeded += sizeof (Ia->Descriptor.IaId);
+ //
+ // + N for the IA_NA-options/IA_TA-options
+ // Dhcp6AppendIaAddrOption will need to check the length for each address
+ //
+ if (Ia->Descriptor.Type == Dhcp6OptIana) {
+ BytesNeeded += sizeof (T1) + sizeof (T2);
+ }
+
+ //
+ // Space remaining in the packet
+ //
+ Length = (UINT16)(Packet->Size - Packet->Length);
+ if (Length < BytesNeeded) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+
//
// Fill the value of Ia option type
//
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type));
- *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type));
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
//
// Fill the len of Ia option later, keep the pointer first
//
- Len = (UINT16 *)*PacketCursor;
- *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
+ Len = (UINT16 *)*PacketCursor;
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
//
// Fill the value of iaid
//
- WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId));
- *PacketCursor += sizeof (Ia->Descriptor.IaId);
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId));
+ *PacketCursor += sizeof (Ia->Descriptor.IaId);
//
// Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specified.
//
if (Ia->Descriptor.Type == Dhcp6OptIana) {
- WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff));
- *PacketCursor += sizeof (T1);
- WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? T2 : 0xffffffff));
- *PacketCursor += sizeof (T2);
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff));
+ *PacketCursor += sizeof (T1);
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? T2 : 0xffffffff));
+ *PacketCursor += sizeof (T2);
}
//
@@ -958,51 +951,52 @@ Dhcp6AppendIaOption (
//
for (Index = 0; Index < Ia->IaAddressCount; Index++) {
AddrOpt = (UINT8 *) Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS);
- Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);
- if (EFI_ERROR (Status)) {
- return Status;
- }
+ Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
+ //
+ // Update the packet length
+ //
+ Packet->Length += BytesNeeded;
+
//
// Fill the value of Ia option length
//
- *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
-
- //
- // Update the packet length
- //
- Packet->Length += BytesNeeded;
+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
- return EFI_SUCCESS;
+ return EFI_SUCCESS;
}
/**
Append the appointed Elapsed time option to Buf, and move Buf to the end.
- @param[in, out] Packet A pointer to the packet, on success Packet->Length
- @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
- will be moved to the end of the option.
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
+ will be moved to the end of the option.
@param[in] Instance The pointer to the Dhcp6 instance.
@param[out] Elapsed The pointer to the elapsed time value in
- the generated packet.
+ the generated packet.
- @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
- @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
- @retval EFI_SUCCESS The option is appended successfully.
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
+ @retval EFI_SUCCESS The option is appended successfully.
**/
-EFI_STATUS
+EFI_STATUS
Dhcp6AppendETOption (
- IN OUT EFI_DHCP6_PACKET *Packet,
- IN OUT UINT8 **PacketCursor,
- IN DHCP6_INSTANCE *Instance,
- OUT UINT16 **Elapsed
+ IN OUT EFI_DHCP6_PACKET *Packet,
+ IN OUT UINT8 **PacketCursor,
+ IN DHCP6_INSTANCE *Instance,
+ OUT UINT16 **Elapsed
)
{
- UINT32 BytesNeeded;
- UINT32 Length;
-
+ UINT32 BytesNeeded;
+ UINT32 Length;
+
//
// The format of elapsed time option:
//
@@ -1014,70 +1008,68 @@ Dhcp6AppendETOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
- //
- // Verify the arguments are valid
- //
- if (Packet == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Instance == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((Elapsed == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
- BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
- //
- // + 2 for elapsed-time
- //
- BytesNeeded += sizeof (UINT16);
- //
- // Space remaining in the packet
- //
- Length = Packet->Size - Packet->Length;
- if (Length < BytesNeeded) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
+ //
+ // Verify the arguments are valid
+ //
+ if (Packet == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (Instance == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((Elapsed == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Verify the PacketCursor is within the packet
+ //
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
+ //
+ // + 2 for elapsed-time
+ //
+ BytesNeeded += sizeof (UINT16);
+ //
+ // Space remaining in the packet
+ //
+ Length = Packet->Size - Packet->Length;
+ if (Length < BytesNeeded) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
//
// Fill the value of elapsed-time option type.
//
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime));
- *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime));
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
//
// Fill the len of elapsed-time option, which is fixed.
//
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2));
- *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2));
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
//
// Fill in elapsed time value with 0 value for now. The actual value is
// filled in later just before the packet is transmitted.
//
- WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0));
- *Elapsed = (UINT16 *)*PacketCursor;
- *PacketCursor += sizeof (UINT16);
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0));
+ *Elapsed = (UINT16 *)*PacketCursor;
+ *PacketCursor += sizeof (UINT16);
+
+ Packet->Length += BytesNeeded;
- Packet->Length += BytesNeeded;
-
- return EFI_SUCCESS;
+ return EFI_SUCCESS;
}
/**
--
2.33.0

53
0071-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch Normal file
View File

@ -0,0 +1,53 @@
From 90e12ecf3c9d8a4c13ae2dd9350f86bb47188b2b Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Tue, 13 Feb 2024 10:46:02 -0800
Subject: [PATCH 3/3] NetworkPkg: Dhcp6Dxe: Packet-Length is not updated before
appending
In order for Dhcp6AppendIaAddrOption (..) to safely append the IA
Address option, the Packet-Length field must be updated before appending
the option.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
reference: https://github.com/tianocore/edk2/pull/5372
Signed-off-by: yexiao <yexiao7@huawei.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index eafa72eb..4c1ae0cc 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -946,6 +946,11 @@ Dhcp6AppendIaOption (
*PacketCursor += sizeof (T2);
}
+ //
+ // Update the packet length
+ //
+ Packet->Length += BytesNeeded;
+
//
// Fill all the addresses belong to the Ia
//
@@ -957,11 +962,6 @@ Dhcp6AppendIaOption (
}
}
- //
- // Update the packet length
- //
- Packet->Length += BytesNeeded;
-
//
// Fill the value of Ia option length
//
--
2.33.0

173
0072-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch Normal file
View File

@ -0,0 +1,173 @@
From 6891715994ab7f5df8f5a2a10d743a24265d0c53 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH 1/5] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
.../openssl/include/openssl/sslerr.h | 4 +--
.../Library/OpensslLib/openssl/ssl/ssl_err.c | 5 ++--
.../Library/OpensslLib/openssl/ssl/ssl_lib.c | 5 ++--
.../Library/OpensslLib/openssl/ssl/ssl_sess.c | 30 ++++++++++++++-----
.../openssl/ssl/statem/statem_srvr.c | 5 ++--
5 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/sslerr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/sslerr.h
index 82983d3..a3a6f03 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/sslerr.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/sslerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -219,7 +219,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 546
# define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320
# define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321
-# define SSL_F_SSL_SESSION_DUP 348
+# define SSL_F_SSL_SESSION_DUP_INTERN 668
# define SSL_F_SSL_SESSION_NEW 189
# define SSL_F_SSL_SESSION_PRINT_FP 190
# define SSL_F_SSL_SESSION_SET1_ID 423
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_err.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_err.c
index 4b12ed1..31435d6 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_err.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -312,7 +312,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"SSL_renegotiate_abbreviated"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP_INTERN, 0),
+ "ssl_session_dup_intern"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0),
"SSL_SESSION_print_fp"},
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
index 7c7e597..ae33d18 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
@@ -3445,9 +3445,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
index 40c157b..4e87220 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -218,11 +213,32 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
return dest;
err:
- SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
+ SSLerr(SSL_F_SSL_SESSION_DUP_INTERN, ERR_R_MALLOC_FAILURE);
SSL_SESSION_free(dest);
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
index 14cb27e..679855a 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
@@ -2402,9 +2402,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {
--
2.33.0

133
0073-Add-a-test-for-session-cache-handling.patch Normal file
View File

@ -0,0 +1,133 @@
From 2977116cff409b22ded747f532f7d72b2684da81 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 4 Mar 2024 13:45:23 +0000
Subject: [PATCH 2/5] Add a test for session cache handling
Repeatedly create sessions to be added to the cache and ensure we never
exceed the expected size.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 5f5b9e1ca1fad0215f623b8bd4955a2e8101f306)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
.../OpensslLib/openssl/test/sslapitest.c | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
index 5c11810..89f718f 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
@@ -6471,6 +6471,97 @@ static int test_servername(int tst)
return testresult;
}
+/*
+ * Test multiple resumptions and cache size handling
+ * Test 0: TLSv1.3 (max_early_data set)
+ * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
+ * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
+ * Test 3: TLSv1.2
+ */
+static int test_multi_resume(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ SSL_SESSION *sess = NULL;
+ int max_version = TLS1_3_VERSION;
+ int i, testresult = 0;
+
+ if (idx == 3)
+ max_version = TLS1_2_VERSION;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
+ goto end;
+
+ /*
+ * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
+ * replay protection), or if SSL_OP_NO_TICKET is in use
+ */
+ if (idx == 0 || idx == 2) {
+ if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
+ goto end;
+ }
+ if (idx == 1 || idx == 2)
+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
+
+ SSL_CTX_sess_set_cache_size(sctx, 5);
+
+ for (i = 0; i < 30; i++) {
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, sess)))
+ goto end;
+
+ /*
+ * Recreate a bug where dynamically changing the max_early_data value
+ * can cause sessions in the session cache which cannot be deleted.
+ */
+ if ((idx == 0 || idx == 2) && (i % 3) == 2)
+ SSL_set_max_early_data(serverssl, 0);
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
+ if (!TEST_false(SSL_session_reused(clientssl)))
+ goto end;
+ } else {
+ if (!TEST_true(SSL_session_reused(clientssl)))
+ goto end;
+ }
+ SSL_SESSION_free(sess);
+
+ /* Do a full handshake, followed by two resumptions */
+ if ((i % 3) == 2) {
+ sess = NULL;
+ } else {
+ if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
+ goto end;
+ }
+
+ SSL_shutdown(clientssl);
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+ }
+
+ /* We should never exceed the session cache size limit */
+ if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ SSL_SESSION_free(sess);
+ return testresult;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6590,6 +6681,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_servername, 10);
+ ADD_ALL_TESTS(test_multi_resume, 4);
return 1;
}
--
2.33.0

161
0074-Extend-the-multi_resume-test-for-simultaneous-resump.patch Normal file
View File

@ -0,0 +1,161 @@
From 987232cacc779a7df4cf0ddb77b71814c96af16b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:35:51 +0000
Subject: [PATCH 3/5] Extend the multi_resume test for simultaneous resumptions
Test what happens if the same session gets resumed multiple times at the
same time - and one of them gets marked as not_resumable.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 031b11a4054c972a5e2f07dfa81ce1842453253e)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
.../OpensslLib/openssl/test/sslapitest.c | 89 ++++++++++++++++++-
1 file changed, 85 insertions(+), 4 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
index 89f718f..86f746c 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
@@ -6471,12 +6471,63 @@ static int test_servername(int tst)
return testresult;
}
+struct resume_servername_cb_data {
+ int i;
+ SSL_CTX *cctx;
+ SSL_CTX *sctx;
+ SSL_SESSION *sess;
+ int recurse;
+};
+
+/*
+ * Servername callback. We use it here to run another complete handshake using
+ * the same session - and mark the session as not_resuamble at the end
+ */
+static int resume_servername_cb(SSL *s, int *ad, void *arg)
+{
+ struct resume_servername_cb_data *cbdata = arg;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if (cbdata->recurse)
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if ((cbdata->i % 3) != 1)
+ return SSL_TLSEXT_ERR_OK;
+
+ cbdata->recurse = 1;
+
+ if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
+ &clientssl, NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
+ goto end;
+
+ ERR_set_mark();
+ /*
+ * We expect this to fail - because the servername cb will fail. This will
+ * mark the session as not_resumable.
+ */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
+ ERR_clear_last_mark();
+ goto end;
+ }
+ ERR_pop_to_mark();
+
+ ret = SSL_TLSEXT_ERR_OK;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ cbdata->recurse = 0;
+ return ret;
+}
+
/*
* Test multiple resumptions and cache size handling
* Test 0: TLSv1.3 (max_early_data set)
* Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
* Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
- * Test 3: TLSv1.2
+ * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
+ * Test 4: TLSv1.2
*/
static int test_multi_resume(int idx)
{
@@ -6485,9 +6536,19 @@ static int test_multi_resume(int idx)
SSL_SESSION *sess = NULL;
int max_version = TLS1_3_VERSION;
int i, testresult = 0;
+ struct resume_servername_cb_data cbdata;
- if (idx == 3)
+#if defined(OPENSSL_NO_TLS1_2)
+ if (idx == 4)
+ return TEST_skip("TLSv1.2 is disabled in this build");
+#else
+ if (idx == 4)
max_version = TLS1_2_VERSION;
+#endif
+#if defined(OSSL_NO_USABLE_TLS1_3)
+ if (idx != 4)
+ return TEST_skip("No usable TLSv1.3 in this build");
+#endif
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
TLS_client_method(), TLS1_VERSION,
@@ -6503,17 +6564,37 @@ static int test_multi_resume(int idx)
if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
goto end;
}
- if (idx == 1 || idx == 2)
+ if (idx == 1 || idx == 2 || idx == 3)
SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
SSL_CTX_sess_set_cache_size(sctx, 5);
+ if (idx == 3) {
+ SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
+ cbdata.cctx = cctx;
+ cbdata.sctx = sctx;
+ cbdata.recurse = 0;
+ }
+
for (i = 0; i < 30; i++) {
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, sess)))
goto end;
+ /*
+ * Check simultaneous resumes. We pause the connection part way through
+ * the handshake by (mis)using the servername_cb. The pause occurs after
+ * session resumption has already occurred, but before any session
+ * tickets have been issued. While paused we run another complete
+ * handshake resuming the same session.
+ */
+ if (idx == 3) {
+ cbdata.i = i;
+ cbdata.sess = sess;
+ }
+
/*
* Recreate a bug where dynamically changing the max_early_data value
* can cause sessions in the session cache which cannot be deleted.
@@ -6681,7 +6762,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_servername, 10);
- ADD_ALL_TESTS(test_multi_resume, 4);
+ ADD_ALL_TESTS(test_multi_resume, 5);
return 1;
}
--
2.33.0

39
0075-Hardening-around-not_resumable-sessions.patch Normal file
View File

@ -0,0 +1,39 @@
From 161ea825e861895c27499ae3d8f05cbd15b0926a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 15 Mar 2024 17:58:42 +0000
Subject: [PATCH 4/5] Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
index 4e87220..9a5b0b8 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
@@ -465,6 +465,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
if (ret != NULL) {
+ if (ret->not_resumable) {
+ /* If its not resumable then ignore this session */
+ if (!copy)
+ SSL_SESSION_free(ret);
+ return NULL;
+ }
tsan_counter(&s->session_ctx->stats.sess_cb_hit);
/*
--
2.33.0

186
0076-Add-a-test-for-session-cache-overflow.patch Normal file
View File

@ -0,0 +1,186 @@
From 472c8dbecb85705f39ad87fa07178c2cbb346ec3 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 15 Jul 2022 13:26:33 +0100
Subject: [PATCH 5/5] Add a test for session cache overflow
Test sessions behave as we expect even in the case that an overflow
occurs when adding a new session into the session cache.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit ddead0935d77ba9b771d632ace61b145d7153f18)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
.../OpensslLib/openssl/test/sslapitest.c | 133 +++++++++++++++++-
1 file changed, 130 insertions(+), 3 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
index 86f746c..74bc0af 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/sslapitest.c
@@ -6317,6 +6317,128 @@ static int test_ca_names(int tst)
return testresult;
}
+/*
+ * Test that a session cache overflow works as expected
+ * Test 0: TLSv1.3, timeout on new session later than old session
+ * Test 1: TLSv1.2, timeout on new session later than old session
+ * Test 2: TLSv1.3, timeout on new session earlier than old session
+ * Test 3: TLSv1.2, timeout on new session earlier than old session
+ */
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+static int test_session_cache_overflow(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+
+#ifdef OPENSSL_NO_TLS1_3
+ /* If no TLSv1.3 available then do nothing in this case */
+ if (idx % 2 == 0)
+ TEST_info("No TLSv1.3 available");
+ return 1;
+#endif
+#ifdef OPENSSL_NO_TLS1_2
+ /* If no TLSv1.2 available then do nothing in this case */
+ if (idx % 2 == 1)
+ TEST_info("No TLSv1.2 available");
+ return 1;
+#endif
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ (idx % 2 == 0) ? TLS1_3_VERSION
+ : TLS1_2_VERSION,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
+ goto end;
+
+ SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
+ get_sess_val = NULL;
+
+ SSL_CTX_sess_set_cache_size(sctx, 1);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (idx > 1) {
+ sess = SSL_get_session(serverssl);
+ if (!TEST_ptr(sess))
+ goto end;
+
+ /*
+ * Cause this session to have a longer timeout than the next session to
+ * be added.
+ */
+ if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
+ sess = NULL;
+ goto end;
+ }
+ sess = NULL;
+ }
+
+ SSL_shutdown(serverssl);
+ SSL_shutdown(clientssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ /*
+ * Session cache size is 1 and we already populated the cache with a session
+ * so the next connection should cause an overflow.
+ */
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ /*
+ * The session we just negotiated may have been already removed from the
+ * internal cache - but we will return it anyway from our external cache.
+ */
+ get_sess_val = SSL_get_session(serverssl);
+ if (!TEST_ptr(get_sess_val))
+ goto end;
+ sess = SSL_get1_session(clientssl);
+ if (!TEST_ptr(sess))
+ goto end;
+
+ SSL_shutdown(serverssl);
+ SSL_shutdown(clientssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_session(clientssl, sess)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ SSL_SESSION_free(sess);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
+
/*
* Test 0: Client sets servername and server acknowledges it (TLSv1.2)
* Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
@@ -6540,14 +6662,16 @@ static int test_multi_resume(int idx)
#if defined(OPENSSL_NO_TLS1_2)
if (idx == 4)
- return TEST_skip("TLSv1.2 is disabled in this build");
+ TEST_info("TLSv1.2 is disabled in this build");
+ return 1;
#else
if (idx == 4)
max_version = TLS1_2_VERSION;
#endif
-#if defined(OSSL_NO_USABLE_TLS1_3)
+#if defined(OPENSSL_NO_TLS1_3)
if (idx != 4)
- return TEST_skip("No usable TLSv1.3 in this build");
+ TEST_info("No usable TLSv1.3 in this build");
+ return 1;
#endif
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
@@ -6752,6 +6876,9 @@ int setup_tests(void)
ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
ADD_ALL_TESTS(test_srp, 6);
+#endif
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+ ADD_ALL_TESTS(test_session_cache_overflow, 4);
#endif
ADD_ALL_TESTS(test_info_callback, 6);
ADD_ALL_TESTS(test_ssl_pending, 2);
--
2.33.0

47
0077-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch Normal file
View File

@ -0,0 +1,47 @@
From 413fa91e9a7d28732c55589a7705ae68ec824494 Mon Sep 17 00:00:00 2001
From: ShenYage <shenyage1@huawei.com>
Date: Tue, 11 Jun 2024 14:57:58 +0800
Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
Attacker able to modify physical memory and ResumeCount.
System will crash/DoS when ResumeCount reaches its MAX_UINT32.
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
---
.../FirmwarePerformancePei.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
index 2f2b2a8..2ba9215 100644
--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
//
S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
AcpiS3ResumeRecord->ResumeCount++;
- AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+ if (AcpiS3ResumeRecord->ResumeCount > 0) {
+ AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+ DEBUG ((EFI_D_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
+ } else {
+ DEBUG ((EFI_D_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
+ }
- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - ResumeCount = %d\n", AcpiS3ResumeRecord->ResumeCount));
- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - FullResume = %ld\n", AcpiS3ResumeRecord->FullResume));
- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
+ DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - ResumeCount = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
+ DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - FullResume = 0x%x\n", AcpiS3ResumeRecord->FullResume));
//
// Update S3 Suspend Performance Record.
--
2.33.0

68
edk2.spec
View File

@ -5,7 +5,7 @@
Name: edk2
Version: %{stable_date}
Release: 13
Release: 18
Summary: EFI Development Kit II
License: BSD-2-Clause-Patent
URL: https://github.com/tianocore/edk2
@ -59,6 +59,57 @@ Patch0031: 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch
Patch0032: 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
Patch0033: 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch
Patch0034: 0034-Basetools-turn-off-gcc12-warning.patch
Patch0035: 0035-x509-excessive-resource-use-verifying-policy-constra.patch
Patch0036: 0036-test-add-test-cases-for-the-policy-resource-overuse.patch
Patch0037: 0037-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
Patch0038: 0038-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch
Patch0039: 0039-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch
Patch0040: 0040-Add-a-test-for-CVE-2023-3446.patch
Patch0041: 0041-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
Patch0042: 0042-Update-further-expiring-certificates-that-affect-tes.patch
Patch0043: 0043-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
Patch0044: 0044-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
Patch0045: 0045-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch
# CVE-2022-36763、CVE-2022-36764、CVE-2022-36765
Patch0046: 0046-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
Patch0047: 0047-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
Patch0048: 0048-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
Patch0049: 0049-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
Patch0050: 0050-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
Patch0051: 0051-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
Patch0052: 0052-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
Patch0053: 0053-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
Patch0054: 0054-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
Patch0055: 0055-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch
Patch0056: 0056-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH.patch
Patch0057: 0057-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
Patch0058: 0058-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
Patch0059: 0059-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
Patch0060: 0060-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
Patch0061: 0061-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
Patch0062: 0062-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
Patch0063: 0063-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
Patch0064: 0064-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
Patch0065: 0065-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
Patch0066: 0066-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
Patch0067: 0067-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
Patch0068: 0068-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
Patch0069: 0069-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch
Patch0070: 0070-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch
Patch0071: 0071-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
# fix CVE-2024-2511
Patch0072: 0072-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
Patch0073: 0073-Add-a-test-for-session-cache-handling.patch
Patch0074: 0074-Extend-the-multi_resume-test-for-simultaneous-resump.patch
Patch0075: 0075-Hardening-around-not_resumable-sessions.patch
Patch0076: 0076-Add-a-test-for-session-cache-overflow.patch
# fix CVE-2024-1298
Patch0077: 0077-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
@ -260,6 +311,21 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
%endif
%changelog
* Wed Jun 12 2024 shenyage<shenyage1@huawei.com> - 202011-17
- fix CVE-2024-1298
* Mon Apr 15 2024 shenyage<shenyage1@huawei.com> - 202011-17
- fix CVE-2024-2511
* Thu Mar 7 2024 yexiao<yexiao7@huawei.com> - 202011-16
- fix CVE-2023-45229、CVE-2023-45230、CVE-2023-45231、CVE-2023-45232、CVE-2023-45233、CVE-2023-45234、CVE-2023-45235
* Tue Mar 5 2024 yexiao<yexiao7@huawei.com> - 202011-15
- fix CVE-2022-36763、CVE-2022-36764、CVE-2022-36765
* Tue Feb 20 2024 yexiao<yexiao7@huawei.com> - 202011-14
- fix CVE-2023-0464、CVE-2023-0465、CVE-2023-0466、CVE-2023-2650、CVE-2023-3446、CVE-2023-3817、CVE-2024-0727
* Thu Jul 13 2023 Jiabo Feng<fengjiabo1@huawei.com> - 202011-13
- solving the compilation failure problem of gcc 12.3.0