[edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)
David Woodhouse
dwmw2 at infradead.org
Wed Oct 16 09:40:51 UTC 2019
On Tue, 2019-10-15 at 19:34 +0200, Laszlo Ersek wrote:
> Ehh, I failed to ask the actual question.
>
> Is it OK to call X509_VERIFY_PARAM_set1*() multiple times -- basically,
> every time just before we call X509_verify_cert()?
>
> My concern is not with the crypto functionality, but whether we could be
> leaking memory allocations.
You had to ask yourself that before approving the original version of
TlsSetVerifyHost(), didn't you? Because the TlsLib API hasn't imposed
any restriction on calling TlsSetVerifyHost() more than once...
The answer is yes, btw — it's fine.
Note also my observation that we should insist on TlsSetVerifyHost
being called at *least* once, or the connection should fail.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#49085): https://edk2.groups.io/g/devel/message/49085
Mute This Topic: https://groups.io/mt/34307578/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5174 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20191016/49bea595/attachment.bin>
More information about the edk2-devel-archive
mailing list