[AUTO-CHERRYPICK] [High] patch vendored openssl code in edk2 in 2.0 - branch main (#13212)

Co-authored-by: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/edk2/CVE-2023-0464.patch

@@ -16,15 +16,15 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 (Merged from https://github.com/openssl/openssl/pull/20569)
 ---
- crypto/x509v3/pcy_local.h |  8 +++++++-
- crypto/x509v3/pcy_node.c  | 12 +++++++++---
- crypto/x509v3/pcy_tree.c  | 37 +++++++++++++++++++++++++++----------
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h |  8 +++++++-
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c  | 12 +++++++++---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c  | 37 +++++++++++++++++++++++++++----------
  3 files changed, 43 insertions(+), 14 deletions(-)
 
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
 index 5daf78de45..344aa06765 100644
---- a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_local.h
 @@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
  };
 
@@ -47,10 +47,10 @@ index 5daf78de45..344aa06765 100644
  void policy_node_free(X509_POLICY_NODE *node);
  int policy_node_match(const X509_POLICY_LEVEL *lvl,
                        const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
 index e2d7b15322..d574fb9d66 100644
---- a/crypto/x509v3/pcy_node.c
-+++ b/crypto/x509v3/pcy_node.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_node.c
 @@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
  X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
                                   X509_POLICY_DATA *data,
@@ -94,10 +94,10 @@ index e2d7b15322..d574fb9d66 100644
      if (parent)
          parent->nchild++;
 
-diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
 index 6e8322cbc5..6c7fd35405 100644
---- a/crypto/x509v3/pcy_tree.c
-+++ b/crypto/x509v3/pcy_tree.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/pcy_tree.c
 @@ -13,6 +13,18 @@
 
  #include "pcy_local.h"

SPECS/edk2/CVE-2023-0465.patch

@@ -17,10 +17,10 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/20588)
 ---
 
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
 index 925fbb5412..1dfe4f9f31 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
 @@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
      }
      /* Invalid or inconsistent extensions */
@@ -48,4 +48,4 @@ index 925fbb5412..1dfe4f9f31 100644
 +        /* The callback ignored the error so we return success */
          return 1;
      }
-     if (ret == X509_PCY_TREE_FAILURE) {
+     if (ret == X509_PCY_TREE_FAILURE) {

SPECS/edk2/CVE-2023-2650.patch

@@ -29,10 +29,10 @@ Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 ---
 
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
 index 7e8de727f3..d699915b20 100644
---- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
 @@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
      first = 1;
      bl = NULL;
@@ -58,4 +58,4 @@ index 7e8de727f3..d699915b20 100644
 +
      while (len > 0) {
          l = 0;
-         use_bn = 0;
+         use_bn = 0;

SPECS/edk2/CVE-2023-3817.patch

@@ -28,13 +28,13 @@ Reviewed-by: Todd Short <todd.short@me.com>
 
 (cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
 ---
- crypto/dh/dh_check.c | 9 ++++++++-
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c | 9 ++++++++-
  1 file changed, 8 insertions(+), 1 deletion(-)
 
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 index aeaa44a..7667297 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 @@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
  /* Note: according to documentation - this only checks the params */
  int DH_check(const DH *dh, int *ret)

SPECS/edk2/edk2.spec

@@ -45,7 +45,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    40%{?dist}
+Release:    41%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
 URL:        http://www.tianocore.org
@@ -121,11 +121,13 @@ Patch0025: CVE-2023-45235.patch
 Patch0026: CVE-2023-45237.patch
 Patch0027: CVE-2023-45236.patch
 
+# Patches for the vendored OpenSSL are in the range from 1000 to 1999 (inclusive).
 Patch1000: CVE-2023-0464.patch
 Patch1001: CVE-2023-3817.patch
 Patch1002: CVE-2023-0465.patch
 Patch1003: CVE-2023-2650.patch
 Patch1004: improve-safety-of-DH.patch
+Patch1005: vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -306,18 +308,16 @@ git config am.keepcr true
 # -M Apply patches up to 999
 %autopatch -M 999
 
-cp -a -- %{SOURCE1} .
+# Unpack the vendored OpenSSL tarball.
+# Add it to the git index so that we can use autopatch, which
+# uses git am since we set it up that way initially.
+# Only apply patches between 1000 and 1999 (inclusive).
 tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
-# Need to patch CVE-2023-0464 in the bundled openssl
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1000}
-# Need to patch CVE-2023-3817 in the bundled openssl
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1001}
-# Need to patch CVE-2023-0465 in the bundled openssl
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1002}
-# Need to patch CVE-2023-2650 in the bundled openssl
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1003}
-# Apply patch "improve-safety-of-DH.patch"
-(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1004}
+git add .
+git commit -m 'add vendored openssl'
+%autopatch -p1 -m 1000 -M 1999
+
+cp -a -- %{SOURCE1} .
 
 # extract softfloat into place
 tar -xf %{SOURCE3} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/
@@ -711,6 +711,9 @@ $tests_ok
 
 
 %changelog
+* Mon Mar 24 2025 Tobias Brick <tobiasb@microsoft.com> - 20230301gitf80f052277c8-41
+- Patch vendored openssl to only free read buffers if not in use.
+
 * Mon Sep 16 2024 Minghe Ren <mingheren@microsoft.com> - 20230301gitf80f052277c8-40
 - Add CVE-2022-36763, CVE-2022-36765, CVE-2023-45230, CVE-2023-45232, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237 patch
 - Add fix-tpm-build-issue-from-CVE-2022-36763.patch 

SPECS/edk2/improve-safety-of-DH.patch

@@ -33,17 +33,17 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
 Signed-off-by: Muhammad Falak R Wani <mwani@microsoft.com>
 ---
- crypto/dh/dh_check.c    | 6 ++++++
- crypto/dh/dh_err.c      | 3 ++-
- crypto/err/openssl.txt  | 1 +
- include/openssl/dh.h    | 3 +++
- include/openssl/dherr.h | 3 ++-
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c    | 6 ++++++
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c      | 3 ++-
+ CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt  | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h    | 3 +++
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h | 3 ++-
  5 files changed, 14 insertions(+), 2 deletions(-)
 
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 index 81957ed..e10e4e5 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 @@ -113,6 +113,12 @@ int DH_check(const DH *dh, int *ret)
      BN_CTX *ctx = NULL;
      BIGNUM *t1 = NULL, *t2 = NULL;
@@ -57,10 +57,10 @@ index 81957ed..e10e4e5 100644
      if (!DH_check_params(dh, ret))
          return 0;
 
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
 index 9778138..dd2700d 100644
---- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
 @@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
@@ -77,10 +77,10 @@ index 9778138..dd2700d 100644
      {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
      {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
      {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
 index ba0f638..5964b73 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
 @@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
  DH_F_COMPUTE_KEY:102:compute_key
  DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
@@ -89,10 +89,10 @@ index ba0f638..5964b73 100644
  DH_F_DH_CHECK_EX:121:DH_check_ex
  DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
  DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
 index ecc657b..c553df0 100644
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h
 @@ -29,6 +29,9 @@ extern "C" {
  # ifndef OPENSSL_DH_MAX_MODULUS_BITS
  #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
@@ -103,10 +103,10 @@ index ecc657b..c553df0 100644
 
  # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
  # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
 index b2d62eb..5e77511 100644
---- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
 @@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
@@ -149,17 +149,17 @@ Reviewed-by: Matt Caswell <matt@openssl.org>
 Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
 Signed-off-by: Muhammad Falak <mwani@microsoft.com>
 ---
- crypto/dh/dh_check.c    | 12 ++++++++++++
- crypto/dh/dh_err.c      |  1 +
- crypto/dh/dh_key.c      | 12 ++++++++++++
- crypto/err/openssl.txt  |  2 ++
- include/openssl/dherr.h |  2 ++
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c    | 12 ++++++++++++
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c      |  1 +
+ CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_key.c      | 12 ++++++++++++
+ CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt  |  2 ++
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h |  2 ++
  5 files changed, 29 insertions(+)
 
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 index e10e4e5..760da06 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c
 @@ -211,6 +211,18 @@ static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub
      BIGNUM *tmp = NULL;
      BN_CTX *ctx = NULL;
@@ -179,10 +179,10 @@ index e10e4e5..760da06 100644
      *ret = 0;
      ctx = BN_CTX_new();
      if (ctx == NULL)
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
 index dd2700d..2a2a8a6 100644
---- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_err.c
 @@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
      {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
      "parameter encoding error"},
@@ -191,10 +191,10 @@ index dd2700d..2a2a8a6 100644
      {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
      {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
      "unable to check generator"},
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_key.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_key.c
 index 5a665d2..ee50d35 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_key.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_key.c
 @@ -140,6 +140,12 @@ static int generate_key(DH *dh)
          return 0;
      }
@@ -221,10 +221,10 @@ index 5a665d2..ee50d35 100644
      ctx = BN_CTX_new();
      if (ctx == NULL)
          goto err;
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
 index 5964b73..a311396 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
 @@ -405,6 +405,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
  DH_F_DH_CHECK:126:DH_check
  DH_F_DH_CHECK_EX:121:DH_check_ex
@@ -241,10 +241,10 @@ index 5964b73..a311396 100644
  DH_R_SHARED_INFO_ERROR:113:shared info error
  DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
  DSA_R_BAD_Q_VALUE:102:bad q value
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
 index 5e77511..b7ee69a 100644
---- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dherr.h
 @@ -33,6 +33,7 @@ int ERR_load_DH_strings(void);
  #  define DH_F_DH_CHECK                                    126
  #  define DH_F_DH_CHECK_EX                                 121