sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236

Browse Source 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
REF: https://www.rfc-editor.org/rfc/rfc9293.txt

Bug Overview:
PixieFail Bug #8
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Updates TCP ISN generation to use a cryptographic hash of the
connection's identifying parameters and a secret key.
This prevents an attacker from guessing the ISN used for some other
connection.

This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.

RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection

   A TCP implementation MUST use the above type of "clock" for clock-
   driven selection of initial sequence numbers (MUST-8), and SHOULD
   generate its initial sequence numbers with the expression:

   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)

   where M is the 4 microsecond timer, and F() is a pseudorandom
   function (PRF) of the connection's identifying parameters ("localip,
   localport, remoteip, remoteport") and a secret key ("secretkey")
   (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
   an attacker could still guess at sequence numbers from the ISN used
   for some other connection.  The PRF could be implemented as a
   cryptographic hash of the concatenation of the TCP connection
   parameters and some secret data.  For discussion of the selection of
   a specific hash algorithm and management of the secret key data,
   please see Section 3 of [42].

   For each connection there is a send sequence number and a receive
   sequence number.  The initial send sequence number (ISS) is chosen by
   the data sending TCP peer, and the initial receive sequence number
   (IRS) is learned during the connection-establishing procedure.

   For a connection to be established or initialized, the two TCP peers
   must synchronize on each other's initial sequence numbers.  This is
   done in an exchange of connection-establishing segments carrying a
   control bit called "SYN" (for synchronize) and the initial sequence
   numbers.  As a shorthand, segments carrying the SYN bit are also
   called "SYNs".  Hence, the solution requires a suitable mechanism for
   picking an initial sequence number and a slightly involved handshake
   to exchange the ISNs.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
This commit is contained in:
Doug Flick
2024-05-08 22:56:29 -07:00
committed by mergify[bot]
parent 4c4ceb2ceb
commit 1904a64bcc
8 changed files with 414 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
NetworkPkg/TcpDxe/TcpMain.h
View File

@@ -3,7 +3,7 @@
It is the common head file for all Tcp*.c in TCP driver.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -13,6 +13,7 @@
#include <Protocol/ServiceBinding.h>
#include <Protocol/DriverBinding.h>
#include <Protocol/Hash2.h>
#include <Library/IpIoLib.h>
#include <Library/DevicePathLib.h>
#include <Library/PrintLib.h>
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
extern LIST_ENTRY mTcpRunQue;
extern LIST_ENTRY mTcpListenQue;
extern TCP_SEQNO mTcpGlobalIss;
extern TCP_SEQNO mTcpGlobalSecret;
extern UINT32 mTcpTick;
///
@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
#define TCP_EXPIRE_TIME 65535
///
/// The implementation selects the initial send sequence number and the unit to
/// be added when it is increased.
///
#define TCP_BASE_ISS 0x4d7e980b
#define TCP_ISS_INCREMENT_1 2048
#define TCP_ISS_INCREMENT_2 100
typedef union {
EFI_TCP4_CONFIG_DATA Tcp4CfgData;
EFI_TCP6_CONFIG_DATA Tcp6CfgData;
@@ -774,4 +767,50 @@ Tcp6Poll (
IN EFI_TCP6_PROTOCOL *This
);
/**
Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
and remote IP addresses and ports.
This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
Where the ISN is computed as follows:
ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
Otherwise:
ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
"Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
connection's identifying parameters ("localip, localport, remoteip, remoteport")
and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
outside (MUST-9), or an attacker could still guess at sequence numbers from the
ISN used for some other connection. The PRF could be implemented as a
cryptographic hash of the concatenation of the TCP connection parameters and some
secret data. For discussion of the selection of a specific hash algorithm and
management of the secret key data."
@param[in] LocalIp A pointer to the local IP address of the TCP connection.
@param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
@param[in] LocalPort The local port number of the TCP connection.
@param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
@param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
@param[in] RemotePort The remote port number of the TCP connection.
@param[out] Isn A pointer to the variable that will receive the Initial
Sequence Number (ISN).
@retval EFI_SUCCESS The operation completed successfully, and the ISN was
retrieved.
@retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
@retval EFI_UNSUPPORTED The operation is not supported.
**/
EFI_STATUS
TcpGetIsn (
IN UINT8 *LocalIp,
IN UINTN LocalIpSize,
IN UINT16 LocalPort,
IN UINT8 *RemoteIp,
IN UINTN RemoteIpSize,
IN UINT16 RemotePort,
OUT TCP_SEQNO *Isn
);
#endif