Doug Flick via groups.io
1d0b95f645
NetworkPkg: : Adds a SecurityFix.yaml file
...
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
ff2986358f
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Unit tests to confirm that the bug..
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
..has been patched.
This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
fac297724e
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
Change Overview:
Performs two checks
1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> + Status = EFI_INVALID_PARAMETER;
> + goto ON_ERROR;
> + }
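Review bot: The comment above the `OpLen` range test says only "minimum and maximum requirements" and does not say whose. Naming the option being validated (the Server ID DUID) and where PXEBC_MIN_SIZE_OF_DUID and PXEBC_MAX_SIZE_OF_DUID come from would let a reader audit the bounds without leaving the file. Since the same message mentions a leak fix for the case where Option was NULL, it is also worth confirming that every resource held at this point is released on the ON_ERROR path.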
2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
> DiscoverLenNeeded) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_ERROR;
> + }
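Review bot: The sum `DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN` is evaluated before the comparison, and the operand types are not visible in this excerpt. If the arithmetic is done in a type that cannot hold the largest possible sum, or if this test can be reached without the earlier OpLen range check, the addition could wrap and pass the comparison; a comment stating that OpLen is already bounded, or rewriting the test as a subtraction from DiscoverLenNeeded, would make the safety argument explicit. The two checks also return different status codes (EFI_INVALID_PARAMETER and EFI_OUT_OF_RESOURCES), which deserves a line in the function header so callers know both are possible.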
Additional code clean up and fix for memory leak in case Option was NULL
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
458c582685
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Unit tests to confirm that the bug..
Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message
..has been patched
This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
1b53515d53
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message
Change Overview:
Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid
> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )
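Review bot: The prototype for PxeBcCacheDnsServerAddresses is quoted without a function header comment. Because the purpose of the function is to reject an invalid DnsServerLen, the header should list the EFI_STATUS values it can return and which length conditions produce each, so callers know that an error must stop processing rather than continue with a partially filled cache.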
Additional code cleanup
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
c9c87f08dd
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Unit tests to confirm that..
Infinite loop when parsing unknown options in the Destination Options
header
and
Infinite loop when parsing a PadN option in the Destination Options
header
... have been patched
This patch tests the following functions:
Ip6IsOptionValid
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
4df0229ef9
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing unknown options in the Destination Options
header
PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing a PadN option in the Destination Options
header
Change Overview:
Most importantly this change corrects the following incorrect math
and cleans up the code.
> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
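Review bot: In both the PadN and Ip6OptionSkip cases, `((EFI_IP6_OPTION *)(Option + Offset))->Length` is read without anything in these lines showing that Offset plus the size of the option header is still inside the option buffer. If that check lives in the loop condition or earlier in the case, a short comment pointing at it would help; if not, it should be added before the dereference. With the (UINT8) casts removed, Offset also has to be declared wide enough for whatever IP6_NEXT_OPTION_OFFSET returns, and that declaration is not part of this excerpt.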
Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16
> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
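Review bot: Dropping the (UINT8) cast on the OptionLen line only fixes the truncation if OptionLen itself is declared as a wider type, and that declaration is not among the lines shown. Please make sure the declaration change is in the same patch, and consider a comment next to IP6_HDR_EXT_LEN stating the largest value it can produce for an 8-bit length field, so the choice of a 16-bit type is documented rather than implied.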
Additionally this check adds additional logic to sanitize the incoming
data
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
6f77463d72
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Validates that the patch for...
Out-of-bounds read when handling a ND Redirect message with truncated
options
.. has been fixed
Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick
bbfee34f41
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated
options
Change Overview:
Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
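Review bot: The test `OptionLen < sizeof (IP6_OPTION_HEADER)` guards the length passed in on entry, but a truncated option can also appear after one or more valid options. The same comparison is needed against the remaining length on every iteration of the parsing loop, which is not visible here; please confirm it exists and that the unit tests include an option cut short in the middle of the buffer. The comment mentions a length of 0 specifically, while the condition rejects every length shorter than the header, so the wording could be aligned with the condition.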
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick via groups.io
07362769ab
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
These tests confirm that the reported bug...
"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"
..has been patched.
The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:
Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption
TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick via groups.io
1dbb10cc52
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Change Overview:
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.
>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
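Review bot: In the Dhcp6SeekInnerOptionSafe prototype, OptionLen comes in as UINT32 while IaInnerLen goes out as UINT16, so there is a narrowing step somewhere inside the function. The function header should state that the inner length is range-checked before it is stored in the UINT16, list the EFI_STATUS values returned, and say whether *IaInnerOpt and *IaInnerLen are left untouched when an error is returned.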
Lots of code cleanup to improve code readability.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick via groups.io
5f3658197b
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Confirms that reported issue...
"Buffer overflow in the DHCPv6 client via a long Server ID option"
..has been corrected by the provided patch.
Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:
Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick via groups.io
8014ac2d7b
NetworkPkg: : Add Unit tests to CI and create Host Test DSC
...
Adds Host Based testing to the NetworkPkg
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Doug Flick via groups.io
f31453e8d6
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
of a Memory Buffer
Changes Overview:
> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );
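Review bot: With Dhcp6AppendOption now returning EFI_STATUS and advancing the caller's cursor through `**PacketCursor`, the contract on failure needs to be written down: the header comment should say whether *PacketCursor and the packet length are left unchanged when an error is returned. Otherwise a caller that logs the error and keeps appending could continue from a cursor in an undefined position.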
Dhcp6AppendOption() and variants can return errors now. All callsites
are adapted accordingly.
It gets passed in EFI_DHCP6_PACKET as additional parameter ...
> + //
> + // Verify the PacketCursor is within the packet
> + //
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option +
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
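Review bot: The upper bound `Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))` underflows if Packet->Size is smaller than the header, which would make the range check pass for almost any cursor. A preceding test that Packet->Size is at least sizeof (EFI_DHCP6_HEADER), together with NULL checks on Packet, PacketCursor and *PacketCursor before they are dereferenced, would close that gap. This check also only proves that the cursor starts inside the buffer; the test that the option header plus OptLen fits in the remaining space should sit next to it.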
... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.
Lots of checks added.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-02-06 19:24:26 +00:00
Ashish Singhal
9d3fe85fcc
NetworkPkg/Ip4Dxe: Fix Reset To Default
...
Exercising reset to default does not reset the settings.
Add handler code for the case where configuration is
disabled.
Signed-off-by: Ashish Singhal <ashishsingha@nvidia.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
Acked-by: Michael D Kinney <michael.d.kinney@intel.com >
2024-01-19 03:30:22 +00:00
Suqiang Ren
682a5ed1a2
NetworkPkg: RFC1323 definition changed to RFC7323
...
According to UEFI spec 2.10, the definition of RFC1323
has changed to RFC7323 on EFI_TCP6_OPTION. So align this
change on NetworkPkg.
REF: UEFI spec 2.10 section 28.2.5
Signed-off-by: Suqiang Ren <suqiangx.ren@intel.com >
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-01-16 01:17:34 +00:00
Heng Luo
c15a899d83
NetworkPkg: Triger regularly scan only if not connect to AP
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4605
When UEFI Wi-Fi is in BSS connected state, the platform is
considered as a static and Wi-Fi roaming support is not needed.
Wifi connection manager should not initiate Scan requests
in this state affect BSS client connectivity and must be avoided.
Trigger regularly scan only if not connect to AP.
Signed-off-by: Heng Luo <heng.luo@intel.com >
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-01-15 03:49:30 +00:00
Abner Chang
8466480965
NetworkPkg/HttpDxe: Add HttpEventTlsConfigured HTTP callback event
...
Add HttpEventTlsConfigured HTTP callback event and notify
callback functions when TlsConfigureSession () returns.
Signed-off-by: Abner Chang <abner.chang@amd.com >
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Cc: Michael Brown <mcb30@ipxe.org >
Cc: Nickle Wang <nicklew@nvidia.com >
Cc: Igor Kulchytskyy <igork@ami.com >
Reviewed-by: Michael Brown <mcb30@ipxe.org >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-01-10 03:19:31 +00:00
Abner Chang
43ab6622a8
NetworkPkg/HttpDxe: Consider TLS certificate not found as a success case
...
We still return EFI_SUCCESS to the caller when TlsConfigCertificate
returns error, for the use case the platform doesn't require
certificate for the specific HTTP session. This ensures
HttpInitSession function still initiated and returns EFI_SUCCESS to
the caller. The failure is pushed back to TLS DXE driver if the
HTTP communication actually requires certificate.
Signed-off-by: Abner Chang <abner.chang@amd.com >
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Cc: Michael Brown <mcb30@ipxe.org >
Cc: Nickle Wang <nicklew@nvidia.com >
Cc: Igor Kulchytskyy <igork@ami.com >
Reviewed-by: Michael Brown <mcb30@ipxe.org >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-01-10 03:19:31 +00:00
Abner Chang
0abd598e3f
NetworkPkg/HttpDxe: Refactor TlsCreateChild
...
- Use HTTP instance as the parameter for TlsCreateChild function.
- Install TLS protocol on the HTTP instance that creates TLS child.
Signed-off-by: Abner Chang <abner.chang@amd.com >
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Cc: Michael Brown <mcb30@ipxe.org >
Cc: Nickle Wang <nicklew@nvidia.com >
Cc: Igor Kulchytskyy <igork@ami.com >
Reviewed-by: Michael Brown <mcb30@ipxe.org >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
2024-01-10 03:19:31 +00:00
Andrei Otcheretianski
b240eab035
NetworkPkg: Increase HTTP buffer size and enable TCP window scaling
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4505
This gives something like ~3 fold throughput boost.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com >
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com >
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
Acked-by: Michael D Kinney <michael.d.kinney@intel.com >
2023-09-08 20:49:49 +00:00
Pierre Gondois
2f981bddcb
MdeModulePkg: Duplicate BaseRngLibTimerLib to MdeModulePkg
...
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504
The BaseRngLibTimerLib allows to generate number based on a timer.
This mechanism allows to have a basic non-secure implementation
for non-production platforms.
To bind and identify Random Number Generators implementations with
a GUID, an unsafe GUID should be added. This GUID cannot be added
to the MdePkg unless it is also added to a specification.
To keep the MdePkg self-contained, copy the BaseRngLibTimerLib to
the MdeModulePkg. This will allow to define an unsafe Rng GUID
in a later patch in the MdeModulePkg.
The MdePkg implementation will be removed later. This allows to give
some time to platform owners to switch to the MdeModulePkg
implementation.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com >
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com >
Acked-by: Ard Biesheuvel <ardb@kernel.org >
Tested-by: Kun Qin <kun.qin@microsoft.com >
2023-09-08 09:48:55 +00:00
devel@edk2.groups.io
6510dcf6f7
NetworkPkg/HttpDxe: fix driver binding start issue.
...
When failure happens in HttpDxeStart, the error handling code
release the memory buffer but it does not uninstall HTTP service
binding protocol. As the result, application can still locate
this protocol and invoke service binding functions in released
memory pool.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Cc: Abner Chang <abner.chang@amd.com >
Cc: Igor Kulchytskyy <igork@ami.com >
Cc: Nick Ramirez <nramirez@nvidia.com >
Signed-off-by: Nickle Wang <nicklew@nvidia.com >
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
Acked-by: Michael D Kinney <michael.d.kinney@intel.com >
2023-07-20 01:41:02 +00:00
devel@edk2.groups.io
4416bf3383
NetworkPkg: Correct the length of EAP Identity when in ASCII format
...
FIX: https://bugzilla.tianocore.org/show_bug.cgi?id=4477
Tls connection fail over WiFi in AMT OCR flow due to invalid identity.
This was due to missing conversion between unicode and ascii
string which resulted in invalid strlen.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Zachary Clark-Williams <zachary.clark-williams@intel.com >
Signed-off-by: Yi Li <yi1.li@intel.com >
Reviewed-by: Zachary Clark-Williams <zachary.clark-williams@intel.com >
2023-06-28 02:56:39 +00:00
Rebecca Cran
84f553cb63
NetworkPkg: Update code to be more C11 compliant by using __func__
...
__FUNCTION__ is a pre-standard extension that gcc and Visual C++ among
others support, while __func__ was standardized in C99.
Since it's more standard, replace __FUNCTION__ with __func__ throughout
NetworkPkg.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com >
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Ard Biesheuvel <ardb@kernel.org >
2023-04-10 14:19:57 +00:00
Michael Kubacki
3fab32d41d
NetworkPkg: Fix conditionally uninitialized variables
...
Fixes CodeQL alerts for CWE-457:
https://cwe.mitre.org/data/definitions/457.html
Cc: Erich McMillan <emcmillan@microsoft.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Michael D Kinney <michael.d.kinney@intel.com >
Cc: Michael Kubacki <mikuback@linux.microsoft.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Co-authored-by: Erich McMillan <emcmillan@microsoft.com >
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com >
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com >
2023-04-03 15:29:08 +00:00
Zachary Clark-Williams
fe405f08a0
NetworkPkg: Add WiFi profile sync protocol support
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3845
Enables KVM and One Click Recovery WLAN capability with WiFi Profile
Sync feature and protocol. Adding WiFiProfileSyncProtocol, which
supports the profilesync driver operations for transferring WiFi profiles
from AMT to the Supplicant. WiFiConnectionManager will check for the
WifiProfileSyncProtocol and if found will operate on the premise of a
One Click Recovery, or KVM flow with a Wifi profile provided by AMT.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Wu Jiaxin <jiaxin.wu@intel.com >
Cc: Andrei Otcheretianski <andrei.otcheretianski@intel.com >
Signed-off-by: Zachary Clark-Williams <zachary.clark-williams@intel.com >
Acked-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com >
2023-01-10 21:31:29 +00:00
Chao Li
e0200cc47a
NetworkPkg: Add LoongArch64 architecture.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053
Add LoongArch64 architecture in to NetworkPkg.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Signed-off-by: Chao Li <lichao@loongson.cn >
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com >
2022-10-14 02:16:33 +00:00
Chao Li
ee2ea7868a
NetworkPkg/HttpBootDxe: Add LOONGARCH64 architecture for EDK2 CI.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053
Add LOONGARCH architecture for EDK2 CI testing.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Signed-off-by: Chao Li <lichao@loongson.cn >
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com >
2022-10-14 02:16:33 +00:00
Chao Li
ad8f2b7251
NetworkPkg: Add LOONGARCH64 architecture for EDK2 CI.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4053
Add LOONGARCH64 architecture for EDK2 CI testing.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Signed-off-by: Chao Li <lichao@loongson.cn >
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com >
2022-10-14 02:16:33 +00:00
Michael Kubacki
8fdb4de628
NetworkPkg/TcpDxe: Fix debug macro arguments
...
Removes Status argument that is not needed from DEBUG macros.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2022-09-09 01:42:39 +00:00
Saloni Kasbekar
671b0cea51
NetworkPkg/HttpBootDxe: Add Support for HTTP Boot Basic Authentication
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2504
Add support for TLS Client Authentication using Basic Authentication
for HTTP Boot
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Wu Jiaxin <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2022-07-19 17:43:07 +00:00
Heng Luo
e1eef3a8b0
NetworkPkg: Add Wi-Fi Wpa3 support in WifiConnectManager
...
https://bugzilla.tianocore.org/show_bug.cgi?id=3961
Add below Wpa3 support:
WPA3-Personal:
Ieee80211AkmSuiteSAE = 8
WPA3-Enterprise:
Ieee80211AkmSuite8021XSuiteB = 11
Ieee80211AkmSuite8021XSuiteB192 = 12
Wi-Fi CERTIFIED Enhanced Open:
Ieee80211AkmSuiteOWE = 18
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Fu Siyuan <siyuan.fu@intel.com >
Cc: Wu Jiaxin <jiaxin.wu@intel.com >
Signed-off-by: Heng Luo <heng.luo@intel.com >
2022-07-01 16:02:32 +00:00
Rebecca Cran
cc070e9e0c
NetworkPkg: Remove RVCT support
...
RVCT is obsolete and no longer used.
Remove support for it.
Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com >
Reviewed-by: Ard Biesheuvel <ardb@kernel.org >
2022-05-13 14:58:54 +00:00
Oliver Steffen
12a50c9ce1
NetworkPkg/HttpDxe: Detect HTTP/1.0 servers
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720
Force connection close before the next request if
the server identifies as version 1.0.
Signed-off-by: Oliver Steffen <osteffen@redhat.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com >
2022-04-11 15:12:46 +00:00
Oliver Steffen
753fd319e2
NetworkPkg/HttpDxe: Detect 'Connection: close' header
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720
Force connection close before the next request if
the server sends the 'Connection: close' header.
Signed-off-by: Oliver Steffen <osteffen@redhat.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com >
2022-04-11 15:12:46 +00:00
Oliver Steffen
c43ff5188d
NetworkPkg/HttpDxe: Add ConnectionClose flag fo HTTP_PROTOCOL
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720
Add ConnectionClose flag to HTTP_PROTOCOL.
This boolean is FALSE by default. If set to TRUE, a reconfigure
of the Http instance is forced on the next request. The flag
is then reset.
Signed-off-by: Oliver Steffen <osteffen@redhat.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com >
2022-04-11 15:12:46 +00:00
Oliver Steffen
3974aa539e
NetworkPkg/HttpDxe: Decofigure Tcp6 before reconfiguring
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720
Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED, or
HTTP_STATE_TCP_CLOSED and de-configure the Tcp6 instance before
configuring it again.
Signed-off-by: Oliver Steffen <osteffen@redhat.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com >
2022-04-11 15:12:46 +00:00
Oliver Steffen
38a9afd0fb
NetworkPkg/HttpDxe: Decofigure Tcp4 before reconfiguring
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2720
Check if the state of the HTTP instance is HTTP_STATE_TCP_CONNECTED, or
HTTP_STATE_TCP_CLOSED and de-configure the Tcp4 instance before
configuring it again.
Signed-off-by: Oliver Steffen <osteffen@redhat.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com >
2022-04-11 15:12:46 +00:00
Heng Luo
35a4b63247
NetworkPkg: Add PCDs for HTTP DNS RetryCount and RetryInterval
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3889
Currently the HTTP DNS Retry Interval is 2 second and no retry attempt.
If DNS response can't arrive in 2 second, the DNS request is failed,
and then HTTP boot is failed.
In order to resolve this issue, Add PCDs to support RetryCount
and RetryInterval configured in Platform.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Fu Siyuan <siyuan.fu@intel.com >
Cc: Wu Jiaxin <jiaxin.wu@intel.com >
Signed-off-by: Heng Luo <heng.luo@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2022-04-11 15:12:46 +00:00
Heng Luo
b24306f15d
NetworkPkg: Fix incorrect unicode string of the AKM/Cipher Suite
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3813
The size of buffer should be 3 CHAR16 for Null-terminated Unicode
string.
The first char is the AKM/Cipher Suite number, the second char is ' ',
the third char is '\0'.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Fu Siyuan <siyuan.fu@intel.com >
Cc: Wu Jiaxin <jiaxin.wu@intel.com >
Signed-off-by: Heng Luo <heng.luo@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2022-02-21 15:19:40 +00:00
Liming Gao
8542fc5f95
NetworkPkg: Add the missing VariablePolicyHelperLib in NetworkPkg.dsc
...
This change is required by f4b7b473b4.
Signed-off-by: Liming Gao <gaoliming@byosoft.com.cn >
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
2022-01-29 01:37:24 +00:00
Michael Kubacki
d1050b9dff
NetworkPkg: Apply uncrustify changes
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737
Apply uncrustify changes to .c/.h files in the NetworkPkg package
Cc: Andrew Fish <afish@apple.com >
Cc: Leif Lindholm <leif@nuviainc.com >
Cc: Michael D Kinney <michael.d.kinney@intel.com >
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2021-12-07 17:24:28 +00:00
Michael D Kinney
ed7f7c9168
NetworkPkg: Change complex DEBUG_CODE() to DEBUG_CODE_BEGIN/END()
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767
Update use of DEBUG_CODE(Expression) if Expression is a complex code
block with if/while/for/case statements that use {}.
Cc: Andrew Fish <afish@apple.com >
Cc: Leif Lindholm <leif@nuviainc.com >
Cc: Michael Kubacki <michael.kubacki@microsoft.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2021-12-07 17:24:28 +00:00
Michael D Kinney
8874fa199d
NetworkPkg: Change OPTIONAL keyword usage style
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760
Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.
Cc: Andrew Fish <afish@apple.com >
Cc: Leif Lindholm <leif@nuviainc.com >
Cc: Michael Kubacki <michael.kubacki@microsoft.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2021-12-07 17:24:28 +00:00
Michael D Kinney
c49ca4a29e
NetworkPkg: Change use of EFI_D_* to DEBUG_*
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3739
Update all use of EFI_D_* defines in DEBUG() macros to DEBUG_* defines.
Cc: Andrew Fish <afish@apple.com >
Cc: Leif Lindholm <leif@nuviainc.com >
Cc: Michael Kubacki <michael.kubacki@microsoft.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2021-12-07 17:24:28 +00:00
Liming Gao
bb1bba3d77
NetworkPkg: Fix invalid pointer for DNS response token on error
...
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3719
This issue is introduced by the commit 43d7e607.
Token->RspData.H2AData is de-allocated on error but it is not
set to NULL. HTTP module attempts to free again and cause assert.
Signed-off-by: Baraneedharan Anbazhagan <anbazhagan@hp.com >
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com >
2021-11-26 16:54:49 +08:00
Michael D Kinney
45137bca2f
NetworkPkg: Reproduce builds across source format changes
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3688
Use DEBUG_LINE_NUMBER instead of __LINE__.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Cc: Michael Kubacki <michael.kubacki@microsoft.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Tested-by: Michael Kubacki <michael.kubacki@microsoft.com >
2021-11-08 18:01:35 +00:00
Michael D Kinney
e13e53cb2f
NetworkPkg/NetworkPkg.dsc: Add RngLib mapping for ARM and RISCV64
...
Fix NetworkPkg build breaks for ARM and RISCV64 by adding RngLib
mapping.
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org >
Cc: Abner Chang <abner.chang@hpe.com >
Cc: Daniel Schaefer <daniel.schaefer@hpe.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Daniel Schaefer <daniel.schaefer@hpe.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Acked-by: Abner Chang <abner.chang@hpe.com >
2021-11-05 19:44:11 +00:00
Vineel Kovvuri
6f9e83f757
NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.
...
The current UEFI implementation of HTTPS during its TLS configuration
uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per
the spec, what this flag does is "to disable the match of any wildcards
in the host name". So, certificates which are issued with wildcards
(*.dm.corp.net etc) in them will fail the TLS host name matching. On the
other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional
flags set for hostname validation. Wildcards are supported and they
match only in the left-most label." This behavior/definition is coming
from OpenSSL's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
issued with wildcards in them would fail to match while trying to
communicate with an HTTPS endpoint.
BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com >
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com >
Cc: Jiaxin Wu <jiaxin.wu@intel.com >
Cc: Siyuan Fu <siyuan.fu@intel.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com >
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com >
2021-11-03 21:26:27 +00:00
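How the two flags named in the commit message above change the outcome of host name matching, as an added example that is not code from this commit, edk2 or OpenSSL. It is a simplified model (a whole-label `*` in the left-most label only, matching exactly one label); `host_matches` and the `VERIFY_FLAG_*` constants are names and values local to this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the two flags discussed in the commit message.
   The values are chosen for this example only. */
#define VERIFY_FLAG_NONE         0x00u
#define VERIFY_FLAG_NO_WILDCARDS 0x02u

/* Case-insensitive comparison of two ASCII strings of known length. */
static int equal_nocase(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;

    if (alen != blen) {
        return 0;
    }
    for (i = 0; i < alen; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
            return 0;
        }
    }
    return 1;
}

/*
 * Returns 1 if `host` is accepted for certificate name `pattern`.
 *
 * Simplified rules (assumptions of this example):
 *   - an exact, case-insensitive match always succeeds;
 *   - with VERIFY_FLAG_NO_WILDCARDS nothing else is accepted;
 *   - otherwise the pattern may start with "*." and the "*" stands for
 *     exactly one non-empty left-most label of the host;
 *   - the part after "*." must itself contain a dot, so "*.net" is refused;
 *   - a "*" anywhere else in the pattern is refused.
 */
int host_matches(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern);
    size_t hlen = strlen(host);
    const char *hdot;

    if (equal_nocase(pattern, plen, host, hlen)) {
        return 1;
    }
    if (flags & VERIFY_FLAG_NO_WILDCARDS) {
        return 0;   /* wildcard certificates can never match */
    }
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.') {
        return 0;   /* wildcard must be the whole left-most label */
    }
    if (strchr(pattern + 2, '.') == NULL) {
        return 0;   /* "*.net" style patterns are too broad */
    }
    if (strchr(pattern + 1, '*') != NULL) {
        return 0;   /* only one wildcard, only in the first label */
    }

    hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host) {
        return 0;   /* host needs a non-empty first label */
    }
    /* Everything from the first dot onward must be identical. */
    return equal_nocase(pattern + 1, plen - 1, hdot, strlen(hdot));
}

int main(void)
{
    /* Constructed sample names; "*.dm.corp.net" is the pattern quoted
       in the commit message. */
    const char *cert = "*.dm.corp.net";
    const char *hosts[] = { "boot.dm.corp.net", "a.b.dm.corp.net", "dm.corp.net" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        printf("%-18s NONE=%d NO_WILDCARDS=%d\n", hosts[i],
               host_matches(cert, hosts[i], VERIFY_FLAG_NONE),
               host_matches(cert, hosts[i], VERIFY_FLAG_NO_WILDCARDS));
    }
    return 0;
}
```
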