From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 22 Mar 2018 17:39:29 +0100 Message-Id: <20180322163933.29122-2-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:37 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:37 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 1/5] NetworkPkg/HttpBootDxe: fix typo in DHCPv4 packet parsing X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The string "HTTPClient" has 10 non-NUL characters; the value 9 is a copy-paste leftover from "PXEClient". Check for all 10 characters in the vendor-class-identifier option when determining whether the DHCP offer is an HTTP offer. Cc: Jiaxin Wu Cc: Siyuan Fu Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/HttpBootDxe/HttpBootDhcp4.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp4.c b/NetworkPkg/HttpBootDx= e/HttpBootDhcp4.c index 421ce6eda40e..229e6cb0ec6a 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDhcp4.c +++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp4.c 
@@ -332,8 +332,8 @@ HttpBootParseDhcp4Packet ( // The offer with "HTTPClient" is a Http offer. // Option =3D Options[HTTP_BOOT_DHCP4_TAG_INDEX_CLASS_ID]; - if ((Option !=3D NULL) && (Option->Length >=3D 9) && - (CompareMem (Option->Data, DEFAULT_CLASS_ID_DATA, 9) =3D=3D 0)) { + if ((Option !=3D NULL) && (Option->Length >=3D 10) && + (CompareMem (Option->Data, DEFAULT_CLASS_ID_DATA, 10) =3D=3D 0)) { IsHttpOffer =3D TRUE; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sun May 5 01:52:48 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1521736785665225.95630465251486; Thu, 22 Mar 2018 09:39:45 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 937E222551BA1; Thu, 22 Mar 2018 09:33:10 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id D189122551B8F for ; Thu, 22 Mar 2018 09:33:06 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 447E5406FA25; Thu, 22 Mar 2018 16:39:38 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 86572111CB9E; Thu, 22 Mar 2018 16:39:37 +0000 (UTC) X-Original-To: 
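Review bot: in the @@ -332 hunk of HttpBootDhcp4.c the prefix length 10 is now hard-coded twice, once in the "Option->Length >= 10" test and once in the CompareMem() call, and that duplication is exactly what let the 9 inherited from "PXEClient" survive here; a single named length constant used in both places (a hypothetical HTTP_CLIENT_CLASS_ID_LEN, or AsciiStrLen of a "HTTPClient" literal) would keep the two from drifting apart again. The order of the two conditions is right and should stay as it is: Option->Length is checked before CompareMem() reads Option->Data, so an offer whose vendor-class-identifier option is shorter than 10 bytes cannot make the comparison read past the option payload.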
edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 22 Mar 2018 17:39:30 +0100 Message-Id: <20180322163933.29122-3-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:38 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:38 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 2/5] NetworkPkg/HttpDxe: use error handler epilogue in TlsConfigCertificate() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Introduce a FreeCACert label near the end of the function, so that we can keep the FreePool(CACert) statement centralized for error and success exits. Cc: Jiaxin Wu Cc: Siyuan Fu Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/HttpDxe/HttpsSupport.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 5105a2014c25..9103987a0e4c 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -425,9 +425,8 @@ TlsConfigCertificate ( // GetVariable still error or the variable is corrupted. // Fall back to the default value. // - FreePool (CACert); - - return EFI_NOT_FOUND; + Status =3D EFI_NOT_FOUND; + goto FreeCACert; } =20 ASSERT (CACert !=3D NULL); @@ -451,8 +450,7 @@ TlsConfigCertificate ( CertList->SignatureSize -= sizeof (Cert->SignatureOwner) ); if (EFI_ERROR (Status)) { - FreePool (CACert); - return Status; + goto FreeCACert; } =20 Cert =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->Signatur= eSize); 
@@ -462,6 +460,7 @@ TlsConfigCertificate ( CertList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->Si= gnatureListSize); } =20 +FreeCACert: FreePool (CACert); return Status; } --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sun May 5 01:52:48 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 152173678827299.60442211287364; Thu, 22 Mar 2018 09:39:48 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 0B2BE22551BBB; Thu, 22 Mar 2018 09:33:11 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C27B722551B8F for ; Thu, 22 Mar 2018 09:33:07 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 410B8406FA03; Thu, 22 Mar 2018 16:39:39 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 841F2111CB9E; Thu, 22 Mar 2018 16:39:38 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF 
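Review bot: in the @@ -425 hunk of HttpsSupport.c the new "Status = EFI_NOT_FOUND;" discards the concrete failure that the second GetVariable() call reported (the comment itself distinguishes "still error" from "the variable is corrupted"), so neither the caller nor anyone reading a debug log can tell a missing CA list from a variable-store error; propagating the original Status, or at least emitting it in a DEBUG() line before overriding, would keep that distinction. This mapping is the one [PATCH 3/5] of this series removes, which settles the point.

Review bot: in the @@ -451 hunk the "goto FreeCACert;" taken when the per-certificate SetData() call fails leaves the TLS instance holding the certificates configured by the earlier loop iterations while the function returns an error; the function's doc block, or a comment at this goto, should state that a failed TlsConfigCertificate() may leave a partially populated CA list and that the caller must treat the session as unconfigured rather than proceed with it.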
authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 22 Mar 2018 17:39:31 +0100 Message-Id: <20180322163933.29122-4-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:39 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:39 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 3/5] NetworkPkg/HttpDxe: drop misleading comment / status code in cert config X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" For TlsConfigureSession(), it makes sense to exempt EFI_NOT_FOUND from TlsConfigCipherList() / gRT->GetVariable(), because there is a default cipher list (SSL_DEFAULT_CIPHER_LIST) we can fall back to. The same is not true of TlsConfigCertificate(), because there is no default CA cert list. The platform (or the user of the Setup utility) is required to configure a CA cert list first. Remove the misleading comment and status code mapping in TlsConfigCertificate(). Cc: Jiaxin Wu Cc: Siyuan Fu Contributed-under: TianoCore Contribution Agreement 1.1 
Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/HttpDxe/HttpsSupport.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index 9103987a0e4c..baab77225fdf 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c 
@@ -423,9 +423,7 @@ TlsConfigCertificate ( if (EFI_ERROR (Status)) { // // GetVariable still error or the variable is corrupted. - // Fall back to the default value. // - Status =3D EFI_NOT_FOUND; goto FreeCACert; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sun May 5 01:52:48 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 152173679099325.57638164686989; Thu, 22 Mar 2018 09:39:50 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 77E5B22571B3A; Thu, 22 Mar 2018 09:33:11 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id BC41722551B8F for ; Thu, 22 Mar 2018 09:33:08 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3C16C406804D; Thu, 22 Mar 2018 16:39:40 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 80B7E111CB9E; Thu, 22 Mar 2018 16:39:39 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; 
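Review bot: in the @@ -423 hunk the surviving comment "// GetVariable still error or the variable is corrupted." no longer reads as a sentence once the "Fall back to the default value." line below it is gone; suggest "// GetVariable still failed, or the variable is corrupted." so the block stands on its own. Behaviour-wise, dropping "Status = EFI_NOT_FOUND;" means the caller now receives whatever the second GetVariable() call returned, which is the right outcome given the commit message: with no default CA list there is nothing to fall back to, so a missing or corrupt TlsCaCertificate must surface as the error it actually is.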
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 22 Mar 2018 17:39:32 +0100 Message-Id: <20180322163933.29122-5-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:40 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:40 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 4/5] NetworkPkg/HttpDxe: sanity-check the TlsCaCertificate variable before use X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" In TlsConfigCertificate(), make sure that the set of EFI_SIGNATURE_LIST objects that the platform stored to "TlsCaCertificate" is well-formed. In addition, because HttpInstance->TlsConfiguration->SetData() expects X509 certificates only, ensure that the EFI_SIGNATURE_LIST objects only report X509 certificates, as described under EFI_CERT_X509_GUID in the UEFI-2.7 spec. Cc: Jiaxin Wu Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D909 Contributed-under: TianoCore Contribution Agreement 1.1 
Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/HttpDxe/HttpDxe.inf | 3 +- NetworkPkg/HttpDxe/HttpsSupport.c | 65 ++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf index 938e894d9f09..6c0688d1305b 100644 --- a/NetworkPkg/HttpDxe/HttpDxe.inf +++ b/NetworkPkg/HttpDxe/HttpDxe.inf @@ -75,9 +75,10 @@ [Protocols] [Guids] gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES = ## Variable:L"TlsCaCertificate" gEdkiiHttpTlsCipherListGuid ## SOMETIMES_CONSUMES = ## Variable:L"HttpTlsCipherList" + gEfiCertX509Guid ## SOMETIMES_CONSUMES = ## GUID # Check the cert type =20 [Pcd] gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections ## CONSUMES =20 =20 [UserExtensions.TianoCore."ExtraFiles"] - HttpDxeExtra.uni \ No newline at end of file + HttpDxeExtra.uni diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSu= pport.c index baab77225fdf..d658512f6d9f 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c @@ -384,6 +384,7 @@ TlsConfigCertificate ( UINT32 Index; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *Cert; + UINTN CertArraySizeInBytes; UINTN CertCount; UINT32 ItemDataSize; =20 
@@ -429,6 +430,70 @@ TlsConfigCertificate ( =20 ASSERT (CACert !=3D NULL); =20 + // + // Sanity check + // + Status =3D EFI_INVALID_PARAMETER; + CertCount =3D 0; + ItemDataSize =3D (UINT32) CACertSize; + while (ItemDataSize > 0) { + if (ItemDataSize < sizeof (EFI_SIGNATURE_LIST)) { + DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST header\n", + __FUNCTION__)); + goto FreeCACert; + } + + CertList =3D (EFI_SIGNATURE_LIST *) (CACert + (CACertSize - ItemDataSi= ze)); + + if (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) { + DEBUG ((DEBUG_ERROR, + "%a: SignatureListSize too small for EFI_SIGNATURE_LIST\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (CertList->SignatureListSize > ItemDataSize) { + DEBUG ((DEBUG_ERROR, "%a: truncated EFI_SIGNATURE_LIST body\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (!CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { + DEBUG ((DEBUG_ERROR, "%a: only X509 certificates are supported\n", + __FUNCTION__)); + Status =3D EFI_UNSUPPORTED; + goto FreeCACert; + } + + if (CertList->SignatureHeaderSize !=3D 0) { + DEBUG ((DEBUG_ERROR, "%a: SignatureHeaderSize must be 0 for X509\n", + __FUNCTION__)); + goto FreeCACert; + } + + if (CertList->SignatureSize < sizeof (EFI_SIGNATURE_DATA)) { + DEBUG ((DEBUG_ERROR, + "%a: SignatureSize too small for EFI_SIGNATURE_DATA\n", __FUNCTION= __)); + goto FreeCACert; + } + + CertArraySizeInBytes =3D (CertList->SignatureListSize - + sizeof (EFI_SIGNATURE_LIST)); + if (CertArraySizeInBytes % CertList->SignatureSize !=3D 0) { + DEBUG ((DEBUG_ERROR, + "%a: EFI_SIGNATURE_DATA array not a multiple of SignatureSize\n", + __FUNCTION__)); + goto FreeCACert; + } + + CertCount +=3D CertArraySizeInBytes / CertList->SignatureSize; + ItemDataSize -=3D CertList->SignatureListSize; + } + if (CertCount =3D=3D 0) { + DEBUG ((DEBUG_ERROR, "%a: no X509 certificates provided\n", __FUNCTION= __)); + goto FreeCACert; + } + // // Enumerate all data and erasing the target item. 
// --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sun May 5 01:52:48 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 15217367940231016.8868874839342; Thu, 22 Mar 2018 09:39:54 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id DB389225B029D; Thu, 22 Mar 2018 09:33:12 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C047922551B8F for ; Thu, 22 Mar 2018 09:33:09 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 38AFD4072458; Thu, 22 Mar 2018 16:39:41 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7CA35111CB9E; Thu, 22 Mar 2018 16:39:40 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
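Review bot: in the @@ -75 hunk of HttpDxe.inf the "\ No newline at end of file" correction for HttpDxeExtra.uni is unrelated whitespace cleanup bundled with the functional gEfiCertX509Guid addition; harmless, but it would normally be asked for as its own commit so the history of the [Guids] section stays about one thing.

Review bot: in the @@ -429 hunk of HttpsSupport.c "ItemDataSize = (UINT32) CACertSize;" narrows a UINTN without a range check; a variable larger than 4 GiB is not realistic, but the truncation silently breaks the "CACert + (CACertSize - ItemDataSize)" arithmetic that positions CertList, so either walk the buffer in UINTN or reject CACertSize > MAX_UINT32 up front via the existing FreeCACert path. The order of the remaining checks is correct and worth keeping exactly as written: SignatureListSize is bounded by ItemDataSize before it is subtracted, and "SignatureSize < sizeof (EFI_SIGNATURE_DATA)" is rejected before SignatureSize is used as a divisor, so the "%" and "/" can never see zero. Also note that the CertCount == 0 case deliberately fails with EFI_INVALID_PARAMETER: an empty TlsCaCertificate must not silently configure a session that trusts nothing and then fails later in a less obvious place.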
From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 22 Mar 2018 17:39:33 +0100 Message-Id: <20180322163933.29122-6-lersek@redhat.com> In-Reply-To: <20180322163933.29122-1-lersek@redhat.com> References: <20180322163933.29122-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:41 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 22 Mar 2018 16:39:41 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 5/5] NetworkPkg/TlsAuthConfigDxe: preserve TlsCaCertificate variable attributes X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" If the platform creates the "TlsCaCertificate" variable as volatile, then EnrollX509toVariable() shouldn't fail to extend it just because TLS_AUTH_CONFIG_VAR_BASE_ATTR contains the EFI_VARIABLE_NON_VOLATILE attribute. Thus, if the variable exists, add the EFI_VARIABLE_APPEND_WRITE attribute to the variable's current attributes. This is what DeleteCert() does already. Cc: Jiaxin Wu Cc: Siyuan Fu Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c b/NetworkPkg/T= lsAuthConfigDxe/TlsAuthConfigImpl.c index faefc72d0efa..cbdd5f0664bd 100644 
--- a/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c +++ b/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c @@ -813,6 +813,7 @@ EnrollX509toVariable ( CACert =3D NULL; CACertData =3D NULL; Data =3D NULL; + Attr =3D 0; =20 Status =3D ReadFileContent ( Private->FileContext->FHandle, @@ -847,22 +848,22 @@ EnrollX509toVariable ( CopyMem ((UINT8* ) (CACertData->SignatureData), X509Data, X509DataSize); =20 // - // Check if signature database entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable + // Check if the signature database entry already exists. If it does, use= the + // EFI_VARIABLE_APPEND_WRITE attribute to append the new signature data = to + // the original variable, plus preserve the original variable attributes. // - Attr =3D TLS_AUTH_CONFIG_VAR_BASE_ATTR; - Status =3D gRT->GetVariable( VariableName, &gEfiTlsCaCertificateGuid, - NULL, + &Attr, &DataSize, NULL ); if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { Attr |=3D EFI_VARIABLE_APPEND_WRITE; - } else if (Status !=3D EFI_NOT_FOUND) { + } else if (Status =3D=3D EFI_NOT_FOUND) { + Attr =3D TLS_AUTH_CONFIG_VAR_BASE_ATTR; + } else { goto ON_EXIT; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
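Review bot: in the @@ -847 hunk of TlsAuthConfigImpl.c the new logic depends on gRT->GetVariable() storing the attributes through &Attr even when it returns EFI_BUFFER_TOO_SMALL (the probe passes DataSize and a NULL Data); the UEFI specification requires that and the edk2 variable driver honours it, but a one-line comment stating the dependency would save the next reader a spec lookup. The new "else if (Status == EFI_NOT_FOUND) { Attr = TLS_AUTH_CONFIG_VAR_BASE_ATTR; }" arm is correct, and preserving the existing attributes has a useful side effect: a platform that created TlsCaCertificate with authenticated-write attributes keeps them on the append, so a SetVariable() failure on the appended write is the variable store enforcing that policy, not a defect here, and the "goto ON_EXIT" for any other status covers it.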
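As an added example (not edk2 code and not part of this series) for the well-formedness rules that [PATCH 4/5] above introduces into TlsConfigCertificate(): a stand-alone C validator that walks a TlsCaCertificate-style buffer of EFI_SIGNATURE_LIST objects and applies the same checks in the same order, followed by constructed inputs covering a valid two-list variable, a truncated body, a non-X509 SignatureType and an empty variable. The struct layouts and the EFI_CERT_X509_GUID value follow the UEFI specification, the sample certificate bodies are filler rather than real DER, and one deliberate difference from the patch is that the byte counter stays size_t instead of being narrowed to UINT32.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not edk2 code. Types follow the UEFI spec layout; the GUID is
 * EFI_CERT_X509_GUID, a5c059a1-94e4-4aa7-87b5-ab155c2bf072. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
static const EFI_GUID gEfiCertX509Guid =
  { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };

#pragma pack(1)                      /* packed, as in the spec and the edk2 headers */
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize;
                 uint32_t SignatureHeaderSize; uint32_t SignatureSize; } EFI_SIGNATURE_LIST; /* 28 bytes */
typedef struct { EFI_GUID SignatureOwner; uint8_t SignatureData[1]; } EFI_SIGNATURE_DATA;   /* 17 bytes */
#pragma pack()

typedef enum { SIGLIST_OK, SIGLIST_INVALID, SIGLIST_UNSUPPORTED } SigListStatus;

/* Walk the EFI_SIGNATURE_LIST array in Buf[0..Size), applying the patch's checks in
 * the patch's order. On SIGLIST_OK, *CertCount is the number of X509 entries. */
SigListStatus ValidateX509SigLists(const uint8_t *Buf, size_t Size, size_t *CertCount) {
  size_t Remaining = Size;           /* size_t throughout: no narrowing cast to UINT32 */
  size_t Count = 0;
  while (Remaining > 0) {
    EFI_SIGNATURE_LIST List;
    if (Remaining < sizeof List) return SIGLIST_INVALID;            /* truncated header */
    memcpy(&List, Buf + (Size - Remaining), sizeof List);           /* copy out: no unaligned deref */
    if (List.SignatureListSize < sizeof List) return SIGLIST_INVALID;
    if (List.SignatureListSize > Remaining) return SIGLIST_INVALID; /* truncated body */
    if (memcmp(&List, &gEfiCertX509Guid, sizeof(EFI_GUID)) != 0)    /* SignatureType is at offset 0 */
      return SIGLIST_UNSUPPORTED;                                   /* SetData() takes X509 only */
    if (List.SignatureHeaderSize != 0) return SIGLIST_INVALID;      /* X509 lists carry no header */
    if (List.SignatureSize < sizeof(EFI_SIGNATURE_DATA)) return SIGLIST_INVALID;
    size_t ArrayBytes = List.SignatureListSize - sizeof List;
    if (ArrayBytes % List.SignatureSize != 0) return SIGLIST_INVALID; /* divisor is >= 17 here */
    Count += ArrayBytes / List.SignatureSize;
    Remaining -= List.SignatureListSize;
  }
  if (Count == 0) return SIGLIST_INVALID;                           /* no X509 certificates */
  *CertCount = Count;
  return SIGLIST_OK;
}

/* Build one X509 list with Certs entries of CertBytes each. Entry bodies are constructed
 * filler (0x30, the DER SEQUENCE tag), not real certificates. Returns bytes written. */
size_t BuildX509List(uint8_t *Out, size_t Certs, size_t CertBytes) {
  EFI_SIGNATURE_LIST List;
  memcpy(&List, &gEfiCertX509Guid, sizeof(EFI_GUID));               /* SignatureType */
  List.SignatureHeaderSize = 0;
  List.SignatureSize = (uint32_t)(sizeof(EFI_GUID) + CertBytes);    /* owner GUID + cert */
  List.SignatureListSize = (uint32_t)(sizeof List + Certs * List.SignatureSize);
  memcpy(Out, &List, sizeof List);
  memset(Out + sizeof List, 0x30, Certs * List.SignatureSize);
  return List.SignatureListSize;
}

/* Scenarios: a well-formed two-list variable and three malformed variants. */
SigListStatus ScenarioValid(size_t *Count) {         /* expect SIGLIST_OK, *Count == 3 */
  uint8_t Buf[512];
  size_t Len = BuildX509List(Buf, 2, 40);
  Len += BuildX509List(Buf + Len, 1, 64);
  return ValidateX509SigLists(Buf, Len, Count);
}
SigListStatus ScenarioTruncated(void) {              /* last byte of the body is missing */
  uint8_t Buf[512]; size_t Count;
  size_t Len = BuildX509List(Buf, 1, 40);
  return ValidateX509SigLists(Buf, Len - 1, &Count);
}
SigListStatus ScenarioWrongType(void) {              /* SignatureType is not EFI_CERT_X509_GUID */
  uint8_t Buf[512]; size_t Count;
  size_t Len = BuildX509List(Buf, 1, 40);
  Buf[0] ^= 0xff;
  return ValidateX509SigLists(Buf, Len, &Count);
}
SigListStatus ScenarioEmpty(void) {                  /* zero-length variable: nothing to trust */
  size_t Count;
  return ValidateX509SigLists(NULL, 0, &Count);
}
```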