Reviewed-by: Saloni Kasbekar <saloni.kasbe...@intel.com> -----Original Message----- From: Doug Flick <doug.e...@gmail.com> Sent: Wednesday, May 8, 2024 10:56 PM To: devel@edk2.groups.io Cc: Kasbekar, Saloni <saloni.kasbe...@intel.com>; Clark-williams, Zachary <zachary.clark-willi...@intel.com> Subject: [PATCH v2 08/13] NetworkPkg:: SECURITY PATCH CVE-2023-45237
From: Doug Flick <dougfl...@microsoft.com> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change Overview: Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either > > EFI_STATUS > EFIAPI > PseudoRandomU32 ( > OUT UINT32 *Output > ); > or (depending on the use case) > > EFI_STATUS > EFIAPI > PseudoRandom ( > OUT VOID *Output, > IN UINTN OutputLength > ); > This is because the use of Example: The following code snippet PseudoRandomU32 () function is used: > > UINT32 Random; > > Status = PseudoRandomU32 (&Random); > if (EFI_ERROR (Status)) { > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); > return Status; > } > This also introduces a new PCD to enable/disable the use of the secure implementation of algorithms for PseudoRandom () and instead depend on the default implementation. This may be required for some platforms where the UEFI Spec defined algorithms are not available. > > PcdEnforceSecureRngAlgorithms > If the platform does not have any one of the UEFI defined secure RNG algorithms then the driver will assert. Cc: Saloni Kasbekar <saloni.kasbe...@intel.com> Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.e...@gmail.com> --- NetworkPkg/NetworkPkg.dec | 7 ++ NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 13 +- NetworkPkg/TcpDxe/TcpDxe.inf | 3 + NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +- NetworkPkg/Include/Library/NetLib.h | 40 ++++-- NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- NetworkPkg/DnsDxe/DnsDhcp.c | 10 +- NetworkPkg/DnsDxe/DnsImpl.c | 11 +- NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++- NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-- NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 ++++- NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 129 +++++++++++++++++--- NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +- NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- NetworkPkg/SecurityFixes.yaml | 39 ++++++ 27 files changed, 408 insertions(+), 83 deletions(-) diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index e06f35e7747c..7c4289b77b21 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec @@ -5,6 +5,7 @@ # # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR> # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR>+# Copyright (c) Microsoft Corporation # # SPDX-License-Identifier: BSD-2-Clause-Patent #@@ -130,6 +131,12 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C + ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections.+ # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms.+ # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider.+ # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms.+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT]diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf index 8145d256ec10..236ccd362efe 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>+# Copyright (c) Microsoft Corporation # SPDX-License-Identifier: BSD-2-Clause-Patent # ##@@ -49,7 +50,10 @@ [Guids] gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES-+ gEfiRngAlgorithmRaw ## CONSUMES+ gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES+ gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES+ gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES [Protocols] gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES@@ -59,3 +63,10 @@ [Protocols] gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES+ gEfiRngProtocolGuid ## CONSUMES++[FixedPcd]+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES++[Depex]+ gEfiRngProtocolGuiddiff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf index c0acbdca5700..cf5423f4c537 100644 --- a/NetworkPkg/TcpDxe/TcpDxe.inf +++ b/NetworkPkg/TcpDxe/TcpDxe.inf @@ -82,5 +82,8 @@ [Protocols] gEfiTcp6ProtocolGuid ## BY_START gEfiTcp6ServiceBindingProtocolGuid ## BY_START +[Depex]+ gEfiHash2ServiceBindingProtocolGuid+ [UserExtensions.TianoCore."ExtraFiles"] TcpDxeExtra.unidiff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h index a951eee70ec9..91b2cd22613d 100644 --- a/NetworkPkg/IScsiDxe/IScsiMisc.h +++ b/NetworkPkg/IScsiDxe/IScsiMisc.h @@ -2,6 +2,7 @@ Miscellaneous definitions for iSCSI driver. Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -202,8 +203,11 @@ IScsiNetNtoi ( @param[in, out] Rand The buffer to contain random numbers. @param[in] RandLength The length of the Rand buffer. + @retval EFI_SUCCESS on success+ @retval others on error+ **/-VOID+EFI_STATUS IScsiGenRandom ( IN OUT UINT8 *Rand, IN UINTN RandLengthdiff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h index 8c0e62b3889c..e8108b79db8f 100644 --- a/NetworkPkg/Include/Library/NetLib.h +++ b/NetworkPkg/Include/Library/NetLib.h @@ -3,6 +3,7 @@ It provides basic functions for the UEFI network stack. Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr; #define TICKS_PER_MS 10000U #define TICKS_PER_SECOND 10000000U -#define NET_RANDOM(Seed) ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL)- /** Extract a UINT32 from a byte stream. @@ -580,19 +579,40 @@ NetPutUint32 ( ); /**- Initialize a random seed using current time and monotonic count.+ Generate a Random output data given a length. - Get current time and monotonic count first. Then initialize a random seed- based on some basic mathematics operation on the hour, day, minute, second,- nanosecond and year of the current time and the monotonic count value.+ @param[out] Output - The buffer to store the generated random data.+ @param[in] OutputLength - The length of the output buffer. - @return The random seed initialized with current time.+ @retval EFI_SUCCESS On Success+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero+ @retval EFI_NOT_FOUND RNG protocol not found+ @retval Others Error from RngProtocol->GetRNG() + @return Status code **/-UINT32+EFI_STATUS EFIAPI-NetRandomInitSeed (- VOID+PseudoRandom (+ OUT VOID *Output,+ IN UINTN OutputLength+ );++/**+ Generate a 32-bit pseudo-random number.++ @param[out] Output - The buffer to store the generated random number.++ @retval EFI_SUCCESS On Success+ @retval EFI_NOT_FOUND RNG protocol not found+ @retval Others Error from RngProtocol->GetRNG()++ @return Status code+**/+EFI_STATUS+EFIAPI+PseudoRandomU32 (+ OUT UINT32 *Output ); #define NET_LIST_USER_STRUCT(Entry, Type, Field) \diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h index bf64e9114e13..5795e23c7d71 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Nd.h +++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h @@ -2,7 +2,7 @@ Definition of Neighbor Discovery support routines. Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -780,10 +780,10 @@ Ip6OnArpResolved ( /** Update the ReachableTime in IP6 service binding instance data, in milliseconds. - @param[in, out] IpSb Points to the IP6_SERVICE.-+ @retval EFI_SUCCESS ReachableTime Updated+ @retval others Failed to update ReachableTime **/-VOID+EFI_STATUS Ip6UpdateReachableTime ( IN OUT IP6_SERVICE *IpSb );diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c index 8c37e93be3a8..892caee36846 100644 --- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c +++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c @@ -1,6 +1,7 @@ /** @file Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -189,6 +190,13 @@ Dhcp4CreateService ( { DHCP_SERVICE *DhcpSb; EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } *Service = NULL; DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE));@@ -203,7 +211,7 @@ Dhcp4CreateService ( DhcpSb->Image = ImageHandle; InitializeListHead (&DhcpSb->Children); DhcpSb->DhcpState = Dhcp4Stopped;- DhcpSb->Xid = NET_RANDOM (NetRandomInitSeed ());+ DhcpSb->Xid = Random; CopyMem ( &DhcpSb->ServiceBinding, &mDhcp4ServiceBindingTemplate,diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c index b591a4605bc9..e7f2787a98ba 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c @@ -3,7 +3,7 @@ implementation for Dhcp6 Driver. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -123,6 +123,13 @@ Dhcp6CreateService ( { DHCP6_SERVICE *Dhcp6Srv; EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } *Service = NULL; Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE));@@ -147,7 +154,7 @@ Dhcp6CreateService ( Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE; Dhcp6Srv->Controller = Controller; Dhcp6Srv->Image = ImageHandle;- Dhcp6Srv->Xid = (0xffffff & NET_RANDOM (NetRandomInitSeed ()));+ Dhcp6Srv->Xid = (0xffffff & Random); CopyMem ( &Dhcp6Srv->ServiceBinding,diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c index 933565a32df1..9eb3c1d2d81d 100644 --- a/NetworkPkg/DnsDxe/DnsDhcp.c +++ b/NetworkPkg/DnsDxe/DnsDhcp.c @@ -2,6 +2,7 @@ Functions implementation related with DHCPv4/v6 for DNS driver. Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 ( EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token; BOOLEAN IsDone; UINTN Index;+ UINT32 Random; Image = Instance->Service->ImageHandle; Controller = Instance->Service->ControllerHandle;@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 ( Data = NULL; InterfaceInfo = NULL; + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ ZeroMem ((UINT8 *)ParaList, sizeof (ParaList)); ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA));@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 ( Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet); - Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ()));+ Token.Packet->Dhcp4.Header.Xid = Random; Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000); diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c index d311812800fd..c2629bb8df1f 100644 --- a/NetworkPkg/DnsDxe/DnsImpl.c +++ b/NetworkPkg/DnsDxe/DnsImpl.c @@ -2,6 +2,7 @@ DnsDxe support functions implementation. Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -1963,6 +1964,14 @@ ConstructDNSQuery ( NET_FRAGMENT Frag; DNS_HEADER *DnsHeader; DNS_QUERY_SECTION *DnsQuery;+ EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } // // Messages carried by UDP are restricted to 512 bytes (not counting the IP@@ -1977,7 +1986,7 @@ ConstructDNSQuery ( // Fill header // DnsHeader = (DNS_HEADER *)Frag.Bulk;- DnsHeader->Identification = (UINT16)NET_RANDOM (NetRandomInitSeed ());+ DnsHeader->Identification = (UINT16)Random; DnsHeader->Flags.Uint16 = 0x0000; DnsHeader->Flags.Bits.RD = 1; DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD;diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c index b22cef4ff587..f964515b0fa6 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c @@ -2,6 +2,7 @@ Functions implementation related with DHCPv6 for HTTP boot driver. Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr ( UINT32 OptCount; UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE]; EFI_STATUS Status;+ UINT32 Random; Dhcp6 = Private->Dhcp6; ASSERT (Dhcp6 != NULL);@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr ( OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer); ASSERT (OptCount > 0); + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION)); if (Retransmit == NULL) { return EFI_OUT_OF_RESOURCES;@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr ( Config.IaInfoEvent = NULL; Config.RapidCommit = FALSE; Config.ReconfigureAccept = FALSE;- Config.IaDescriptor.IaId = NET_RANDOM (NetRandomInitSeed ());+ Config.IaDescriptor.IaId = Random; Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA; Config.SolicitRetransmission = Retransmit; Retransmit->Irt = 4;diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c index b507f11cd45e..bebb1ac29b9c 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -3,6 +3,7 @@ Configuration. Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -576,16 +577,24 @@ IScsiCHAPToSendReq ( // // CHAP_I=<I> //- IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);+ Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);+ if (EFI_ERROR (Status)) {+ break;+ }+ AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr); // // CHAP_C=<C> //- IScsiGenRandom (- (UINT8 *)AuthData->OutChallenge,- AuthData->Hash->DigestSize- );+ Status = IScsiGenRandom (+ (UINT8 *)AuthData->OutChallenge,+ AuthData->Hash->DigestSize+ );+ if (EFI_ERROR (Status)) {+ break;+ }+ BinToHexStatus = IScsiBinToHex ( (UINT8 *)AuthData->OutChallenge, AuthData->Hash->DigestSize,diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c index 78dc5c73d35a..2159b8494963 100644 --- a/NetworkPkg/IScsiDxe/IScsiMisc.c +++ b/NetworkPkg/IScsiDxe/IScsiMisc.c @@ -2,6 +2,7 @@ Miscellaneous routines for iSCSI driver. Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -474,20 +475,17 @@ IScsiNetNtoi ( @param[in, out] Rand The buffer to contain random numbers. @param[in] RandLength The length of the Rand buffer. + @retval EFI_SUCCESS on success+ @retval others on error+ **/-VOID+EFI_STATUS IScsiGenRandom ( IN OUT UINT8 *Rand, IN UINTN RandLength ) {- UINT32 Random;-- while (RandLength > 0) {- Random = NET_RANDOM (NetRandomInitSeed ());- *Rand++ = (UINT8)(Random);- RandLength--;- }+ return PseudoRandom (Rand, RandLength); } /**diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c index ec483ff01fa9..683423f38dc7 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Driver.c +++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c @@ -2,6 +2,7 @@ The driver binding and service binding protocol for IP4 driver. Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent@@ -549,11 +550,18 @@ Ip4DriverBindingStart ( EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2; UINTN Index; IP4_CONFIG2_DATA_ITEM *DataItem;+ UINT32 Random; IpSb = NULL; Ip4Cfg2 = NULL; DataItem = NULL; + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ // // Test for the Ip4 service binding protocol //@@ -653,7 +661,7 @@ Ip4DriverBindingStart ( // // Initialize the IP4 ID //- mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ());+ mIp4Id = (UINT16)Random; return Status; diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c index 70e232ce6c4d..4c1354d26cc1 100644 --- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c @@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance ( UINTN Index; UINT16 IfIndex; IP6_CONFIG_DATA_ITEM *DataItem;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance); @@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance ( // The NV variable is not set, so generate a random IAID, and write down the // fresh new configuration as the NV variable now. //- Instance->IaId = NET_RANDOM (NetRandomInitSeed ());+ Instance->IaId = Random; for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) { Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31));diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c index b483a7d136d9..cbe011dad472 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Driver.c +++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c @@ -3,7 +3,7 @@ Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -316,7 +316,11 @@ Ip6CreateService ( IpSb->CurHopLimit = IP6_HOP_LIMIT; IpSb->LinkMTU = IP6_MIN_LINK_MTU; IpSb->BaseReachableTime = IP6_REACHABLE_TIME;- Ip6UpdateReachableTime (IpSb);+ Status = Ip6UpdateReachableTime (IpSb);+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ }+ // // RFC4861 RETRANS_TIMER: 1,000 milliseconds //@@ -516,11 +520,18 @@ Ip6DriverBindingStart ( EFI_STATUS Status; EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg; IP6_CONFIG_DATA_ITEM *DataItem;+ UINT32 Random; IpSb = NULL; Ip6Cfg = NULL; DataItem = NULL; + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ // // Test for the Ip6 service binding protocol //@@ -656,7 +667,7 @@ Ip6DriverBindingStart ( // // Initialize the IP6 ID //- mIp6Id = NET_RANDOM (NetRandomInitSeed ());+ mIp6Id = Random; return EFI_SUCCESS; diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c index 4629c05f25a0..f3d11c4d2155 100644 --- a/NetworkPkg/Ip6Dxe/Ip6If.c +++ b/NetworkPkg/Ip6Dxe/Ip6If.c @@ -2,7 +2,7 @@ Implement IP6 pseudo interface. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -89,6 +89,14 @@ Ip6SetAddress ( IP6_PREFIX_LIST_ENTRY *PrefixEntry; UINT64 Delay; IP6_DELAY_JOIN_LIST *DelayNode;+ EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE); @@ -164,7 +172,7 @@ Ip6SetAddress ( // Thus queue the address to be processed in Duplicate Address Detection module // after the delay time (in milliseconds). //- Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ());+ Delay = (UINT64)Random; Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS); Delay = RShiftU64 (Delay, 32); diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c index e6b2b653e295..498a11854305 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Mld.c +++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c @@ -696,7 +696,15 @@ Ip6UpdateDelayTimer ( IN OUT IP6_MLD_GROUP *Group ) {- UINT32 Delay;+ UINT32 Delay;+ EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } // // If the Query packet specifies a Maximum Response Delay of zero, perform timer@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer ( // is less than the remaining value of the running timer. // if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) {- Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ());+ Group->DelayTimer = Delay / 4294967295UL * Random; } return EFI_SUCCESS;diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c index c10c7017f88d..72aa45c10f3f 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Nd.c +++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c @@ -2,7 +2,7 @@ Implementation of Neighbor Discovery support routines. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; @param[in, out] IpSb Points to the IP6_SERVICE. + @retval EFI_SUCCESS ReachableTime Updated+ @retval others Failed to update ReachableTime **/-VOID+EFI_STATUS Ip6UpdateReachableTime ( IN OUT IP6_SERVICE *IpSb ) {- UINT32 Random;+ UINT32 Random;+ EFI_STATUS Status; - Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;+ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }++ Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED; IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE;++ return EFI_SUCCESS; } /**@@ -972,10 +983,17 @@ Ip6InitDADProcess ( IP6_SERVICE *IpSb; EFI_STATUS Status; UINT32 MaxDelayTick;+ UINT32 Random; NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE); ASSERT (AddressInfo != NULL); + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ // // Do nothing if we have already started DAD on the address. //@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( Entry->Transmit = 0; Entry->Receive = 0; MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS;- Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5;+ Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5; Entry->AddressInfo = AddressInfo; Entry->Callback = Callback; Entry->Context = Context;@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( // in BaseReachableTime and recompute a ReachableTime. // IpSb->BaseReachableTime = ReachableTime;- Ip6UpdateReachableTime (IpSb);+ Status = Ip6UpdateReachableTime (IpSb);+ if (EFI_ERROR (Status)) {+ goto Exit;+ } } if (RetransTimer != 0) {diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c index fd4a9e15a892..b13853b23c7e 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c @@ -3,6 +3,7 @@ Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR> (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DevicePathLib.h> #include <Library/PrintLib.h> #include <Library/UefiLib.h>+#include <Protocol/Rng.h> #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) #define DEFAULT_ZERO_START ((UINTN) ~0)@@ -127,6 +129,24 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { 0 }; +//+// These represent UEFI SPEC defined algorithms that should be supported by+// the RNG protocol and are generally considered secure.+//+// The order of the algorithms in this array is important. This order is the order+// in which the algorithms will be tried by the RNG protocol.+// If your platform needs to use a specific algorithm for the random number generator,+// then you should place that algorithm first in the array.+//+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = {+ &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256+ &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256+ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256+ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG)+};++#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *))+ /** Locate the handles that support SNP, then open one of them to send the syslog packets. The caller isn't required to close@@ -884,34 +904,107 @@ Ip6Swap128 ( } /**- Initialize a random seed using current time and monotonic count.+ Generate a Random output data given a length. - Get current time and monotonic count first. Then initialize a random seed- based on some basic mathematics operation on the hour, day, minute, second,- nanosecond and year of the current time and the monotonic count value.+ @param[out] Output - The buffer to store the generated random data.+ @param[in] OutputLength - The length of the output buffer. - @return The random seed initialized with current time.+ @retval EFI_SUCCESS On Success+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero+ @retval EFI_NOT_FOUND RNG protocol not found+ @retval Others Error from RngProtocol->GetRNG() + @return Status code **/-UINT32+EFI_STATUS EFIAPI-NetRandomInitSeed (- VOID+PseudoRandom (+ OUT VOID *Output,+ IN UINTN OutputLength ) {- EFI_TIME Time;- UINT32 Seed;- UINT64 MonotonicCount;+ EFI_RNG_PROTOCOL *RngProtocol;+ EFI_STATUS Status;+ UINTN AlgorithmIndex; - gRT->GetTime (&Time, NULL);- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);- Seed ^= Time.Nanosecond;- Seed ^= Time.Year << 7;+ if ((Output == NULL) || (OutputLength == 0)) {+ return EFI_INVALID_PARAMETER;+ } - gBS->GetNextMonotonicCount (&MonotonicCount);- Seed += (UINT32)MonotonicCount;+ Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status));+ ASSERT_EFI_ERROR (Status);+ return Status;+ } - return Seed;+ if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) {+ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) {+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output);+ if (!EFI_ERROR (Status)) {+ //+ // Secure Algorithm was supported on this platform+ //+ return EFI_SUCCESS;+ } else if (Status == EFI_UNSUPPORTED) {+ //+ // Secure Algorithm was not supported on this platform+ //+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));++ //+ // Try the next secure algorithm+ //+ continue;+ } else {+ //+ // Some other error occurred+ //+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));+ ASSERT_EFI_ERROR (Status);+ return Status;+ }+ }++ //+ // If we get here, we failed to generate random data using any secure algorithm+ // Platform owner should ensure that at least one secure algorithm is supported+ //+ ASSERT_EFI_ERROR (Status);+ return Status;+ }++ //+ // Lets try using the default algorithm (which may not be secure)+ //+ Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status));+ ASSERT_EFI_ERROR (Status);+ return Status;+ }++ return EFI_SUCCESS;+}++/**+ Generate a 32-bit pseudo-random number.++ @param[out] Output - The buffer to store the generated random number.++ @retval EFI_SUCCESS On Success+ @retval EFI_NOT_FOUND RNG protocol not found+ @retval Others Error from RngProtocol->GetRNG()++ @return Status code+**/+EFI_STATUS+EFIAPI+PseudoRandomU32 (+ OUT UINT32 *Output+ )+{+ return PseudoRandom (Output, sizeof (*Output)); } /**diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c index 98a90e02109b..8fe6badd687c 100644 --- a/NetworkPkg/TcpDxe/TcpDriver.c +++ b/NetworkPkg/TcpDxe/TcpDriver.c @@ -2,7 +2,7 @@ The driver binding and service binding protocol for the TCP driver. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( ) { EFI_STATUS Status;- UINT32 Seed;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));+ return Status;+ } // // Install the TCP Driver Binding Protocol@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( // // Initialize ISS and random port. //- Seed = NetRandomInitSeed ();- mTcpGlobalIss = NET_RANDOM (Seed) % mTcpGlobalIss;- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN));+ mTcpGlobalIss = Random % mTcpGlobalIss;+ mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); mTcp6RandomPort = mTcp4RandomPort; return EFI_SUCCESS;diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c index cb917fcfc90f..c7ea16f4cd6f 100644 --- a/NetworkPkg/Udp4Dxe/Udp4Driver.c +++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c @@ -1,6 +1,7 @@ /** @file Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>+Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -555,6 +556,13 @@ Udp4DriverEntryPoint ( ) { EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } // // Install the Udp4DriverBinding and Udp4ComponentName protocols.@@ -571,7 +579,7 @@ Udp4DriverEntryPoint ( // // Initialize the UDP random port. //- mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN);+ mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); } return Status;diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c index ae96fb996627..edb758d57ca4 100644 --- a/NetworkPkg/Udp6Dxe/Udp6Driver.c +++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c @@ -2,7 +2,7 @@ Driver Binding functions and Service Binding functions for the Network driver module. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( ) { EFI_STATUS Status;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ } // // Install the Udp6DriverBinding and Udp6ComponentName protocols.@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( // Initialize the UDP random port. // mUdp6RandomPort = (UINT16)(- ((UINT16)NetRandomInitSeed ()) %+ ((UINT16)Random) % UDP6_PORT_KNOWN + UDP6_PORT_KNOWN );diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c index 91146b78cb1e..452038c2194c 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c @@ -2,7 +2,7 @@ Functions implementation related with DHCPv4 for UefiPxeBc Driver. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>-+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( UINT8 VendorOptLen; UINT32 Xid; + Status = PseudoRandomU32 (&Xid);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ Mode = Private->PxeBc.Mode; Dhcp4 = Private->Dhcp4; Status = EFI_SUCCESS;@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( // // Set fields of the token for the request packet. //- Xid = NET_RANDOM (NetRandomInitSeed ()); Token.Packet->Dhcp4.Header.Xid = HTONL (Xid); Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0)); CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS));diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c index 7fd1281c1184..bcabbd221983 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( UINTN ReadSize; UINT16 OpCode; UINT16 OpLen;- UINT32 Xid;+ UINT32 Random; EFI_STATUS Status; UINTN DiscoverLenNeeded; @@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( return EFI_DEVICE_ERROR; } + Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));+ return Status;+ }+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); Discover = AllocateZeroPool (DiscoverLenNeeded); if (Discover == NULL) {@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover ( // // Build the discover packet by the cached request packet before. //- Xid = NET_RANDOM (NetRandomInitSeed ());- Discover->TransactionId = HTONL (Xid);+ Discover->TransactionId = HTONL (Random); Discover->MessageType = Request->Dhcp6.Header.MessageType; RequestOpt = Request->Dhcp6.Option; DiscoverOpt = Discover->DhcpOptions;diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c index d84aca7e85ab..4cd915b41157 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c @@ -3,6 +3,7 @@ (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR> Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent @@ -892,6 +893,13 @@ PxeBcCreateIp6Children ( PXEBC_PRIVATE_PROTOCOL *Id; EFI_SIMPLE_NETWORK_PROTOCOL *Snp; UINTN Index;+ UINT32 Random;++ Status = PseudoRandomU32 (&Random);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status));+ return Status;+ } if (Private->Ip6Nic != NULL) { //@@ -935,9 +943,9 @@ PxeBcCreateIp6Children ( } //- // Generate a random IAID for the Dhcp6 assigned address.+ // Set a random IAID for the Dhcp6 assigned address. //- Private->IaId = NET_RANDOM (NetRandomInitSeed ());+ Private->IaId = Random; if (Private->Snp != NULL) { for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) { Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31));diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml index fa42025e0d82..20a4555019d9 100644 --- a/NetworkPkg/SecurityFixes.yaml +++ b/NetworkPkg/SecurityFixes.yaml @@ -122,3 +122,42 @@ CVE_2023_45235: - http://www.openwall.com/lists/oss-security/2024/01/16/2 - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45237:+ commit_titles:+ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"+ cve: CVE-2023-45237+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator"+ note:+ files_impacted:+ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c+ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c+ - NetworkPkg/DnsDxe/DnsDhcp.c+ - NetworkPkg/DnsDxe/DnsImpl.c+ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c+ - NetworkPkg/IScsiDxe/IScsiCHAP.c+ - NetworkPkg/IScsiDxe/IScsiMisc.c+ - NetworkPkg/IScsiDxe/IScsiMisc.h+ - NetworkPkg/Include/Library/NetLib.h+ - NetworkPkg/Ip4Dxe/Ip4Driver.c+ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c+ - NetworkPkg/Ip6Dxe/Ip6Driver.c+ - NetworkPkg/Ip6Dxe/Ip6If.c+ - NetworkPkg/Ip6Dxe/Ip6Mld.c+ - NetworkPkg/Ip6Dxe/Ip6Nd.c+ - NetworkPkg/Ip6Dxe/Ip6Nd.h+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf+ - NetworkPkg/NetworkPkg.dec+ - NetworkPkg/TcpDxe/TcpDriver.c+ - NetworkPkg/Udp4Dxe/Udp4Driver.c+ - NetworkPkg/Udp6Dxe/Udp6Driver.c+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c+ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118929): https://edk2.groups.io/g/devel/message/118929 Mute This Topic: https://groups.io/mt/105996586/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
