[edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)

Laszlo Ersek lersek at redhat.com
Wed Oct 16 10:27:18 UTC 2019


On 10/16/19 11:40, David Woodhouse wrote:
> On Tue, 2019-10-15 at 19:34 +0200, Laszlo Ersek wrote:
>> Ehh, I failed to ask the actual question.
>>
>> Is it OK to call X509_VERIFY_PARAM_set1*() multiple times -- basically,
>> every time just before we call X509_verify_cert()?
>>
>> My concern is not with the crypto functionality, but whether we could be
>> leaking memory allocations.
> 
> You had to ask yourself that before approving the original version of
> TlsSetVerifyHost(), didn't you? Because the TlsLib API hasn't imposed
> any restriction on calling TlsSetVerifyHost() more than once...

You are correct, of course. I seem to recall that I hand-waved that
question away, seeing that TlsSetVerifyHost() simply passed the hostname
(the pointer to the char array) into an OpenSSL API. I guess when I
first looked at that call with any kind of focus, I wasn't *that*
concerned about the life-cycle yet...

> 
> The answer is yes, btw — it's fine. 

Thanks!

> 
> Note also my observation that we should insist on TlsSetVerifyHost
> being called at *least* once, or the connection should fail.
> 

I wonder if we could make this an implementation detail in edk2 *first*,
while a matching USWG Mantis ticket were in progress.

Thanks
Laszlo
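
An added sketch, not part of the message above and not edk2 or OpenSSL code, modeling the two points in this thread: a set1-style setter that copies the hostname and releases the previous copy, so repeated calls do not leak, and a gate that refuses the handshake until a hostname has been set at least once. All `model_*` names and the hostnames are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a TLS connection; not edk2's or OpenSSL's type. */
typedef struct {
    char *verify_host;  /* owned copy of the expected hostname, NULL until set */
    int   frees;        /* number of earlier copies released by the setter */
} model_tls_conn;

/* "set1" semantics: copy the caller's string and release the previous copy. */
int model_set_verify_host(model_tls_conn *c, const char *host)
{
    size_t len;
    char *copy;

    if (c == NULL || host == NULL || host[0] == '\0')
        return -1;
    len = strlen(host) + 1;
    copy = malloc(len);
    if (copy == NULL)
        return -1;                  /* previous value stays in place on failure */
    memcpy(copy, host, len);
    if (c->verify_host != NULL) {
        free(c->verify_host);       /* repeated calls replace, they do not leak */
        c->frees++;
    }
    c->verify_host = copy;
    return 0;
}

/* Fail closed: no handshake unless a hostname was set at least once. */
int model_handshake_allowed(const model_tls_conn *c)
{
    return c != NULL && c->verify_host != NULL;
}

/* Constructed scenario; returns 0 when every expectation holds. */
int model_demo(void)
{
    model_tls_conn c = { NULL, 0 };
    if (model_handshake_allowed(&c)) return 1;          /* never set: refuse */
    if (model_set_verify_host(&c, "www.example.com")) return 2;
    if (model_set_verify_host(&c, "boot.example.com")) return 3;
    if (c.frees != 1 || strcmp(c.verify_host, "boot.example.com")) return 4;
    if (!model_handshake_allowed(&c)) return 5;
    free(c.verify_host);
    return 0;
}

int main(void) { return model_demo(); }
```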
