[AUTO-CHERRYPICK] [High] patch vendored openssl code in edk2 in 3.0 - branch 3.0-dev (#13224)

Co-authored-by: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec

@@ -11,7 +11,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           edk2-hvloader-signed-%{buildarch}
 Version:        %{GITDATE}git%{GITCOMMIT}
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -74,6 +74,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Mar 26 2025 Tobias Brick <tobiasb@microsoft.com> - 20240524git3e722403cd16-5
+- Bump release for consistency with edk2 spec.
+
 * Fri Jan 24 2025 Cameron Baird <cameronbaird@microsoft.com> - 20240524git3e722403cd16-4
 - Original version for Azure Linux.
 - License verified

SPECS/edk2/CVE-2022-3996.patch

@@ -16,13 +16,13 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
 
 (cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
 ---
- crypto/x509/pcy_map.c | 4 ----
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509/pcy_map.c | 4 ----
  1 file changed, 4 deletions(-)
 
-diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/pcy_map.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/pcy_map.c
 index 05406c6493fce..60dfd1e3203b0 100644
---- a/crypto/x509/pcy_map.c
-+++ b/crypto/x509/pcy_map.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/pcy_map.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/pcy_map.c
 @@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 
      ret = 1;
@@ -33,4 +33,4 @@ index 05406c6493fce..60dfd1e3203b0 100644
 -    }
      sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
      return ret;
- 
+ 

SPECS/edk2/CVE-2024-6119.patch

@@ -21,20 +21,20 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (cherry picked from commit 0890cd13d40fbc98f655f3974f466769caa83680)
 ---
- crypto/x509/v3_utl.c                          | 78 +++++++++++++------
- test/recipes/25-test_eai_data.t               | 12 ++-
- test/recipes/25-test_eai_data/kdc-cert.pem    | 21 +++++
- .../25-test_eai_data/kdc-root-cert.pem        | 16 ++++
- test/recipes/25-test_eai_data/kdc.sh          | 41 ++++++++++
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509/v3_utl.c                          | 78 +++++++++++++------
+ CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data.t               | 12 ++-
+ CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-cert.pem    | 21 +++++
+ .../25-test_eai_data/kdc-root-cert.pem                                     | 16 ++++
+ CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc.sh          | 41 ++++++++++
  5 files changed, 142 insertions(+), 26 deletions(-)
  create mode 100644 test/recipes/25-test_eai_data/kdc-cert.pem
  create mode 100644 test/recipes/25-test_eai_data/kdc-root-cert.pem
  create mode 100755 test/recipes/25-test_eai_data/kdc.sh
 
-diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/v3_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/v3_utl.c
 index 1a18174995196..a09414c972fa8 100644
---- a/crypto/x509/v3_utl.c
-+++ b/crypto/x509/v3_utl.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/v3_utl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/v3_utl.c
 @@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
              ASN1_STRING *cstr;
 
@@ -125,10 +125,10 @@ index 1a18174995196..a09414c972fa8 100644
              /* Positive on success, negative on error! */
              if ((rv = do_check_string(cstr, alt_type, equal, flags,
                                        chk, chklen, peername)) != 0)
-diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data.t
 index 522982ddfb802..e18735d89aadf 100644
---- a/test/recipes/25-test_eai_data.t
-+++ b/test/recipes/25-test_eai_data.t
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data.t
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data.t
 @@ -21,16 +21,18 @@ setup("test_eai_data");
  #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
  #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
@@ -168,11 +168,11 @@ index 522982ddfb802..e18735d89aadf 100644
  #Check that we get the expected failure return code
  with({ exit_checker => sub { return shift == 2; } },
       sub {
-diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-cert.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-cert.pem
 new file mode 100644
 index 0000000000000..e8a2c6f55d459
 --- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-cert.pem
 @@ -0,0 +1,21 @@
 +-----BEGIN CERTIFICATE-----
 +MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
@@ -195,11 +195,11 @@ index 0000000000000..e8a2c6f55d459
 +0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
 +oDQ9fKfUOAmUFth2/R/eGA==
 +-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-root-cert.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-root-cert.pem
 new file mode 100644
 index 0000000000000..a74c96bf31469
 --- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc-root-cert.pem
 @@ -0,0 +1,16 @@
 +-----BEGIN CERTIFICATE-----
 +MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
@@ -217,11 +217,11 @@ index 0000000000000..a74c96bf31469
 +7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
 +vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
 +-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc.sh b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc.sh
 new file mode 100755
 index 0000000000000..7a8dbc719fb71
 --- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc.sh
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_eai_data/kdc.sh
 @@ -0,0 +1,41 @@
 +#! /usr/bin/env bash
 +

SPECS/edk2/edk2.spec

@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        http://www.tianocore.org
@@ -129,8 +129,11 @@ Patch0017: 0017-silence-.-has-a-LOAD-segment-with-RWX-permissions-wa.patch
 %endif
 Patch0018: 0018-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
 Patch0019: 0019-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch
+
+# Patches for the vendored OpenSSL are in the range from 1000 to 1999 (inclusive).
 Patch1000: CVE-2022-3996.patch
 Patch1001: CVE-2024-6119.patch
+Patch1002: vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -338,11 +341,17 @@ git config am.keepcr true
 # -M Apply patches up to 999
 %autopatch -M 999
 
+# Unpack the vendored OpenSSL tarball. This tarball has a '.git' directory
+# which will confuse the git repo we unpack it into, so exclude that.
+# Then add it to the git index so that we can use autopatch, which
+# uses git am since we set it up that way initially.
+# Only apply patches between 1000 and 1999 (inclusive).
+tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x --exclude '.git'
+git add .
+git commit -m 'add vendored openssl'
+%autopatch -p1 -m 1000 -M 1999
+
 cp -a -- %{SOURCE1} .
-tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
-# Need to patch CVE-2022-3996 in the bundled openssl
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1000}
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1001}
 
 # extract softfloat into place
 tar -xf %{SOURCE3} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/
@@ -786,6 +795,9 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Mar 25 2025 Tobias Brick <tobiasb@microsoft.com> - 20240524git3e722403cd16-5
+- Patch vendored openssl to only free read buffers if not in use.
+
 * Wed Sep 25 2024 Cameron Baird <cameronbaird@microsoft.com> - 20240524git3e722403cd16-4
 - Package license for edk2-hvloader
 

SPECS/edk2/vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch

@@ -0,0 +1,67 @@
+From f7a045f3143fc6da2ee66bf52d8df04829590dd4 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h       | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+index 1db1712a0..525c3abf4 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+index af56206e0..513ab3988 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index c01ad8291..356d65cb6 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -5248,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.33.8
+