summaryrefslogtreecommitdiffstats
path: root/NetworkPkg
Commit message (Collapse)AuthorAgeFilesLines
* NetworkPkg/DxeHttpLib: Support HTTP CONNECT message in Tx path.Saloni Kasbekar2024-08-071-0/+5
| | | | | | Add HTTP CONNECT message support in HttpGenRequestMessage() Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Track HttpInstance URL buffer length.Saloni Kasbekar2024-07-113-7/+14
| | | | | | | | | In EfiHttpRequest(), length of target URLs was always compared to fixed-size value, even after allocating a larger URL buffer. Added UrlLen to HTTP_PROTOCOL to store the size and reallocate if the size changes. Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/DxeNetLib: adjust PseudoRandom error loggingGerd Hoffmann2024-06-271-1/+2
| | | | | | | | | | | | There is a list of allowed rng algorithms, if /one/ of them is not supported this is not a problem, only /all/ of them failing is an error condition. Downgrade the message for a single unsupported algorithm from ERROR to VERBOSE. Add an error message in case we finish the loop without finding a supported algorithm. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE environmentSam2024-05-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH" REF: 1904a64 Issue Description: An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was: NetworkPkg\TcpDxe\TcpDriver.c Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle); Root Cause Analysis: The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle. Implemented Solution: To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly: NetworkPkg\TcpDxe\TcpDriver.c Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle); This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error. Verification: Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment. Cc: Doug Flick [MSFT] <doug.edk2@gmail.com> Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changesDoug Flick2024-05-243-6/+100
| | | | | | | | | | | | | This patch updates the PxeBcDhcp6GoogleTest due to the changes in the underlying code. The changes are as follows: - Random now comes from the RngLib Protocol - The TCP ISN is now generated by the hash function Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236Doug Flick2024-05-248-49/+415
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Updates TCP ISN generation to use a cryptographic hash of the connection's identifying parameters and a secret key. This prevents an attacker from guessing the ISN used for some other connection. This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. RFC: 9293 Section 3.4.1. Initial Sequence Number Selection A TCP implementation MUST use the above type of "clock" for clock- driven selection of initial sequence numbers (MUST-8), and SHOULD generate its initial sequence numbers with the expression: ISN = M + F(localip, localport, remoteip, remoteport, secretkey) where M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the connection's identifying parameters ("localip, localport, remoteip, remoteport") and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or an attacker could still guess at sequence numbers from the ISN used for some other connection. The PRF could be implemented as a cryptographic hash of the concatenation of the TCP connection parameters and some secret data. For discussion of the selection of a specific hash algorithm and management of the secret key data, please see Section 3 of [42]. For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data sending TCP peer, and the initial receive sequence number (IRS) is learned during the connection-establishing procedure. For a connection to be established or initialized, the two TCP peers must synchronize on each other's initial sequence numbers. This is done in an exchange of connection-establishing segments carrying a control bit called "SYN" (for synchronize) and the initial sequence numbers. As a shorthand, segments carrying the SYN bit are also called "SYNs". Hence, the solution requires a suitable mechanism for picking an initial sequence number and a slightly involved handshake to exchange the ISNs. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: SECURITY PATCH CVE-2023-45237Doug Flick2024-05-2427-83/+410
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change Overview: Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either > > EFI_STATUS > EFIAPI > PseudoRandomU32 ( > OUT UINT32 *Output > ); > or (depending on the use case) > > EFI_STATUS > EFIAPI > PseudoRandom ( > OUT VOID *Output, > IN UINTN OutputLength > ); > This is because the use of Example: The following code snippet PseudoRandomU32 () function is used: > > UINT32 Random; > > Status = PseudoRandomU32 (&Random); > if (EFI_ERROR (Status)) { > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); > return Status; > } > This also introduces a new PCD to enable/disable the use of the secure implementation of algorithms for PseudoRandom () and instead depend on the default implementation. This may be required for some platforms where the UEFI Spec defined algorithms are not available. > > PcdEnforceSecureRngAlgorithms > If the platform does not have any one of the UEFI defined secure RNG algorithms then the driver will assert. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/WifiConnectionManagerDxe: Update UI according to UEFI specLiqi Liu2024-04-161-39/+74
| | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4736 In UEFI_Spec_2_10_Aug29.pdf page 1694 section 35.5.4 for EFI_BROWSER_ACTION_FORM_OPEN: NOTE: EFI_FORM_BROWSER2_PROTOCOL.BrowserCallback() cannot be used with this browser action because question values have not been retrieved yet. So should not call HiiGetBrowserData() and HiiSetBrowserData() in FORM_OPEN call back function. Now use wifi list key and enroll cert key instead of the connect action key, move wifi info display from open action to close action. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Dandan Bi <dandan.bi@intel.com> Cc: Felix Polyudov <Felixp@ami.com> Signed-off-by: Liqi Liu <liqi.liu@intel.com> Reviewed-by: Zachary Clark-williams <zachary.clark-williams@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg: : Updating SecurityFixes.yamlDoug Flick2024-02-141-0/+1
| | | | | | | | | | | This captures the related security change for Dhcp6Dxe that is related to CVE-2023-45229 Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
* NetworkPkg: Dhcp6Dxe: Packet-Length is not updated before appendingDoug Flick2024-02-141-5/+5
| | | | | | | | | | | | In order for Dhcp6AppendIaAddrOption (..) to safely append the IA Address option, the Packet-Length field must be updated before appending the option. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
* NetworkPkg: Dhcp6Dxe: Removes duplicate check and replaces with macroDoug Flick2024-02-141-25/+19
| | | | | | | | | | | | | | | | | | | | | | | | | Removes duplicate check after merge > > // > // Verify the PacketCursor is within the packet > // > if ( (*PacketCursor < Packet->Dhcp6.Option) > || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > { > return EFI_INVALID_PARAMETER; > } > Converts the check to a macro and replaces all instances of the check with the macro Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
* NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related PatchDoug Flick2024-02-142-17/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 This was not part of the Quarkslab bugs however the same pattern as CVE-2023-45229 exists in Dhcp6UpdateIaInfo. This patch replaces the code in question with the safe function created to patch CVE-2023-45229 > > if (EFI_ERROR ( > Dhcp6SeekInnerOptionSafe ( > Instance->Config->IaDescriptor.Type, > Option, > OptionLen, > &IaInnerOpt, > &IaInnerLen > ) > )) > { > return EFI_DEVICE_ERROR; > } > Additionally corrects incorrect usage of macro to read the status > - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option))); > + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) DHCP6_OFFSET_OF_STATUS_CODE (Option)); Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
* NetworkPkg: : Adds a SecurityFix.yaml fileDoug Flick via groups.io2024-02-061-0/+123
| | | | | | | | | | | | This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit TestsDoug Flick2024-02-063-3/+298
| | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Unit tests to confirm that the bug.. Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message ..has been patched. This patch contains unit tests for the following functions: PxeBcRequestBootService PxeBcDhcp6Discover Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 PatchDoug Flick2024-02-062-16/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Bug Details: PixieFail Bug #7 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message Change Overview: Performs two checks 1. Checks that the length of the duid is accurate > + // > + // Check that the minimum and maximum requirements are met > + // > + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) { > + Status = EFI_INVALID_PARAMETER; > + goto ON_ERROR; > + } 2. Ensures that the amount of data written to the buffer is tracked and never exceeds that > + // > + // Check that the option length is valid. > + // > + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) { > + Status = EFI_OUT_OF_RESOURCES; > + goto ON_ERROR; > + } Additional code clean up and fix for memory leak in case Option was NULL Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit TestsDoug Flick2024-02-065-0/+418
| | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 Unit tests to that the bug.. Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message ..has been patched This contains tests for the following functions: PxeBcHandleDhcp6Offer PxeBcCacheDnsServerAddresses Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 PatchDoug Flick2024-02-061-6/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 Bug Details: PixieFail Bug #6 CVE-2023-45234 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message Change Overview: Introduces a function to cache the Dns Server and perform sanitizing on the incoming DnsServerLen to ensure that the length is valid > + EFI_STATUS > + PxeBcCacheDnsServerAddresses ( > + IN PXEBC_PRIVATE_DATA *Private, > + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 > + ) Additional code cleanup Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit TestsDoug Flick2024-02-063-4/+324
| | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 Unit tests to confirm that.. Infinite loop when parsing unknown options in the Destination Options header and Infinite loop when parsing a PadN option in the Destination Options header ... have been patched This patch tests the following functions: Ip6IsOptionValid Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 PatchDoug Flick2024-02-063-11/+171
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 Bug Details: PixieFail Bug #4 CVE-2023-45232 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Infinite loop when parsing unknown options in the Destination Options header PixieFail Bug #5 CVE-2023-45233 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Infinite loop when parsing a PadN option in the Destination Options header Change Overview: Most importantly this change corrects the following incorrect math and cleans up the code. > // It is a PadN option > // > - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2); > + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; > + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); > case Ip6OptionSkip: > - Offset = (UINT8)(Offset + *(Option + Offset + 1)); > OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; > Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); Additionally, this change also corrects incorrect math where the calling function was calculating the HDR EXT optionLen as a uint8 instead of a uint16 > - OptionLen = (UINT8)((*Option + 1) * 8 - 2); > + OptionLen = IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN; Additionally this check adds additional logic to santize the incoming data Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit TestsDoug Flick2024-02-064-0/+192
| | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 Validates that the patch for... Out-of-bounds read when handling a ND Redirect message with truncated options .. has been fixed Tests the following function to ensure that an out of bounds read does not occur Ip6OptionValidation Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 PatchDoug Flick2024-02-061-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 Bug Overview: PixieFail Bug #3 CVE-2023-45231 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Out-of-bounds read when handling a ND Redirect message with truncated options Change Overview: Adds a check to prevent truncated options from being parsed + // + // Cannot process truncated options. + // Cannot process options with a length of 0 as there is no Type field. + // + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { + return FALSE; + } Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit TestsDoug Flick via groups.io2024-02-065-3/+424
| | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 These tests confirm that the report bug... "Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" ..has been patched. The following functions are tested to confirm an out of bounds read is patched and that the correct statuses are returned: Dhcp6SeekInnerOptionSafe Dhcp6SeekStsOption TCBZ4534 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 PatchDoug Flick via groups.io2024-02-062-85/+256
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 Bug Details: PixieFail Bug #1 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Change Overview: Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking the Inner Option from a DHCP6 Option. > > EFI_STATUS > Dhcp6SeekInnerOptionSafe ( > IN UINT16 IaType, > IN UINT8 *Option, > IN UINT32 OptionLen, > OUT UINT8 **IaInnerOpt, > OUT UINT16 *IaInnerLen > ); > Lots of code cleanup to improve code readability. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit TestsDoug Flick via groups.io2024-02-064-0/+542
| | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Confirms that reported issue... "Buffer overflow in the DHCPv6 client via a long Server ID option" ..has been corrected by the provided patch. Tests the following functions to ensure they appropriately handle untrusted data (either too long or too small) to prevent a buffer overflow: Dhcp6AppendOption Dhcp6AppendETOption Dhcp6AppendIaOption Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: : Add Unit tests to CI and create Host Test DSCDoug Flick via groups.io2024-02-062-1/+104
| | | | | | | | | | Adds Host Based testing to the NetworkPkg Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 PatchDoug Flick via groups.io2024-02-064-239/+668
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Bug Details: PixieFail Bug #2 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Changes Overview: > -UINT8 * > +EFI_STATUS > Dhcp6AppendOption ( > - IN OUT UINT8 *Buf, > - IN UINT16 OptType, > - IN UINT16 OptLen, > - IN UINT8 *Data > + IN OUT EFI_DHCP6_PACKET *Packet, > + IN OUT UINT8 **PacketCursor, > + IN UINT16 OptType, > + IN UINT16 OptLen, > + IN UINT8 *Data > ); Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly. It gets passed in EFI_DHCP6_PACKET as additional parameter ... > + // > + // Verify the PacketCursor is within the packet > + // > + if ( (*PacketCursor < Packet->Dhcp6.Option) > + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > + { > + return EFI_INVALID_PARAMETER; > + } ... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates. Lots of checks added. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/Ip4Dxe: Fix Reset To DefaultAshish Singhal2024-01-191-0/+25
| | | | | | | | | | Exercising reset to default does not reset the settings. Add handler code for the case where configuration is disabled. Signed-off-by: Ashish Singhal <ashishsingha@nvidia.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg: RFC1323 definition changed to RFC7323Suqiang Ren2024-01-162-2/+2
| | | | | | | | | | | | | According to UEFI spec 2.10, the definition of RFC1323 has changed to RFC7323 on EFI_TCP6_OPTION. So align this change on NetworkPkg. REF: UEFI spec 2.10 section 28.2.5 Signed-off-by: Suqiang Ren <suqiangx.ren@intel.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Triger regularly scan only if not connect to APHeng Luo2024-01-151-2/+2
| | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4605 When UEFI Wi-Fi is in BSS connected state, the platform is considered as a static and Wi-Fi roaming support is not needed. Wifi connection manager should not initiate Scan requests in this state affect BSS client connectivity and must be avoided. Triger regularly scan only if not connect to AP. Signed-off-by: Heng Luo <heng.luo@intel.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Add HttpEventTlsConfigured HTTP callback eventAbner Chang2024-01-103-3/+16
| | | | | | | | | | | | | | Add HttpEventTlsConfigured HTTP callback event and notify callback functions when TlsConfigureSession () returns. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Consider TLS certificate not found as a success caseAbner Chang2024-01-101-2/+15
| | | | | | | | | | | | | | | | | | We still return EFI_SUCCESS to the caller when TlsConfigCertificate returns error, for the use case the platform doesn't require certificate for the specific HTTP session. This ensures HttpInitSession function still initiated and returns EFI_SUCCESS to the caller. The failure is pushed back to TLS DXE driver if the HTTP communication actually requires certificate. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg/HttpDxe: Refactor TlsCreateChildAbner Chang2024-01-105-65/+64
| | | | | | | | | | | | | | - Use HTTP instance as the parameter for TlsCreateChild function. - Install TLS protocol on the HTTP instance thats create TLS child. Signed-off-by: Abner Chang <abner.chang@amd.com> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Cc: Michael Brown <mcb30@ipxe.org> Cc: Nickle Wang <nicklew@nvidia.com> Cc: Igor Kulchytskyy <igork@ami.com> Reviewed-by: Michael Brown <mcb30@ipxe.org> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
* NetworkPkg: Increase HTTP buffer size and enable TCP window scalingAndrei Otcheretianski2023-09-083-25/+27
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4505 This gives something like ~3 fold throughput boost. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* MdeModulePkg: Duplicate BaseRngLibTimerLib to MdeModulePkgPierre Gondois2023-09-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504 The BaseRngLibTimerLib allows to generate number based on a timer. This mechanism allows to have a basic non-secure implementation for non-production platforms. To bind and identify Random Number Generators implementations with a GUID, an unsafe GUID should be added. This GUID cannot be added to the MdePkg unless it is also added to a specification. To keep the MdePkg self-contained, copy the BaseRngLibTimerLib to the MdeModulePkg. This will allow to define an unsafe Rng GUID in a later patch in the MdeModulePkg. The MdePkg implementation will be removed later. This allows to give some time to platform owners to switch to the MdeModulePkg implementation. Signed-off-by: Pierre Gondois <pierre.gondois@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Kun Qin <kun.qin@microsoft.com>
* NetworkPkg/HttpDxe: fix driver binding start issue.devel@edk2.groups.io2023-07-201-2/+11
| | | | | | | | | | | | | | | | | When failure happens in HttpDxeStart, the error handling code release the memory buffer but it does not uninstall HTTP service binding protocol. As the result, application can still locate this protocol and invoke service binding functions in released memory pool. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Abner Chang <abner.chang@amd.com> Cc: Igor Kulchytskyy <igork@ami.com> Cc: Nick Ramirez <nramirez@nvidia.com> Signed-off-by: Nickle Wang <nicklew@nvidia.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg: Correct the length of EAP Identity when in ASCII formatdevel@edk2.groups.io2023-06-281-4/+17
| | | | | | | | | | | | | | FIX: https://bugzilla.tianocore.org/show_bug.cgi?id=4477 Tls connection fail over WiFi in AMT OCR flow due to invalid identity. This was due to missing conversion between unicode and ascii string which resulted in invalid strlen. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Zachary Clark-Williams <zachary.clark-williams@intel.com> Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Zachary Clark-Williams <zachary.clark-williams@intel.com>
* NetworkPkg: Update code to be more C11 compliant by using __func__Rebecca Cran2023-04-102-10/+10
| | | | | | | | | | | | __FUNCTION__ is a pre-standard extension that gcc and Visual C++ among others support, while __func__ was standardized in C99. Since it's more standard, replace __FUNCTION__ with __func__ throughout NetworkPkg. Signed-off-by: Rebecca Cran <rebecca@bsdio.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
* NetworkPkg: Fix conditionally uninitialized variablesMichael Kubacki2023-04-032-1/+4
| | | | | | | | | | | | | | | | Fixes CodeQL alerts for CWE-457: https://cwe.mitre.org/data/definitions/457.html Cc: Erich McMillan <emcmillan@microsoft.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Co-authored-by: Erich McMillan <emcmillan@microsoft.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com>
* NetworkPkg: Add WiFi profile sync protocol supportZachary Clark-Williams2023-01-108-73/+390
| | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3845 Enables KVM and One Click Recovery WLAN capability with WiFi Profile Sync feature and protocol. Adding WiFiProfileSyncProtocol, which supports the profilesync driver operations for transferring WiFi profiles from AMT to the Supplicant. WiFiConnectionManager will check for the WifiProfileSyncProtocol and if found will operate on the premise of a One Click Recovery, or KVM flow with a Wifi profile provided by AMT. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: Add LoongArch64 architecture.Chao Li2022-10-141-1/+2
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LoongArch64 architecture in to NetworkPkg. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
* NetworkPkg/HttpBootDxe: Add LOONGARCH64 architecture for EDK2 CI.Chao Li2022-10-141-0/+3
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LOONGARCH architecture for EDK2 CI testing. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg: Add LOONGARCH64 architecture for EDK2 CI.Chao Li2022-10-141-1/+2
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053 Add LOONGARCH64 architecture for EDK2 CI testing. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Chao Li <lichao@loongson.cn> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* NetworkPkg/TcpDxe: Fix debug macro argumentsMichael Kubacki2022-09-091-10/+2
| | | | | | | | | | Removes Status argument that is not needed from DEBUG macros. Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg/HttpBootDxe: Add Support for HTTP Boot Basic AuthenticationSaloni Kasbekar2022-07-194-4/+130
| | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2504 Add support for TLS Client Authentication using Basic Authentication for HTTP Boot Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
* NetworkPkg: Add Wi-Fi Wpa3 support in WifiConnectManagerHeng Luo2022-07-016-33/+119
| | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=3961 Add below Wpa3 support: WPA3-Personal: Ieee80211AkmSuiteSAE = 8 WPA3-Enterprise: Ieee80211AkmSuite8021XSuiteB = 11 Ieee80211AkmSuite8021XSuiteB192 = 12 Wi-Fi CERTIFIED Enhanced Open: Ieee80211AkmSuiteOWE = 18 Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Signed-off-by: Heng Luo <heng.luo@intel.com>
* NetworkPkg: Remove RVCT supportRebecca Cran2022-05-131-2/+1
| | | | | | | | RVCT is obsolete and no longer used. Remove support for it. Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
* NetworkPkg/HttpDxe: Detect HTTP/1.0 serversOliver Steffen2022-04-111-0/+8
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Force connection close before the next request if the server identifies as version 1.0. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Detect 'Connection: close' headerOliver Steffen2022-04-111-0/+11
| | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Force connection close before the next request if the server sends the 'Connection: close' header. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Add ConnectionClose flag fo HTTP_PROTOCOLOliver Steffen2022-04-112-1/+7
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Add ConnectionClose flag to HTTP_PROTOCOL. This boolean is FALSE by default. If set to TRUE, a reconfigure of the Http instance is forced on the next request. The flag is then reset. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* NetworkPkg/HttpDxe: Decofigure Tcp6 before reconfiguringOliver Steffen2022-04-111-0/+12
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720 Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED, or HTTP_STATE_TCP_CLOSED and de-configure the Tcp6 instance before configuring it again. Signed-off-by: Oliver Steffen <osteffen@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>