Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)
From: "Laszlo Ersek"
To: devel@edk2.groups.io, jian.j.wang@intel.com, "Wu, Jiaxin", David Woodhouse, Bret Barkelew
Date: Tue, 1 Oct 2019 01:21:06 +0200
Message-ID: <69774fe6-ea00-44b9-5468-c092dea6cd36@redhat.com>
References: <20190927034441.3096-1-Jiaxin.wu@intel.com>

On 09/29/19 08:09, Wang, Jian J wrote:
> For this patch series,
> 1. " Contributed-under: TianoCore Contribution Agreement 1.1" is not needed any more.
>    Remove it at push time; no need to send a v2.
> 2. Since it's a security patch which has been reviewed separately, I see no reason for a new r-b
>    to be required. Please raise it asap if there are any objections.
> 3. Acked-by: Jian J Wang

* Can you please confirm that these patches match those that we discussed
  here:

  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c18
  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c19

* In the BZ, David and Bret raised some questions:

  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c31
  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c32
  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c35
  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c36

  and

  https://bugzilla.tianocore.org/show_bug.cgi?id=960#c40

  The latest comment in the bug is c#41. I'm not under the impression that
  all concerns raised by David and Bret have been addressed (or abandoned).

  I'd like David and Bret to ACK the patches.

Thanks,
Laszlo

>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Wu, Jiaxin
>> Sent: Friday, September 27, 2019 11:45 AM
>> To: devel@edk2.groups.io
>> Cc: Wu, Jiaxin
>> Subject: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation
>> feature(CVE-2019-14553)
>>
>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
>> CVE: CVE-2019-14553
>>
>> This patch series adds support for the HTTPS hostname validation feature.
>> It fixes the issue exposed @
>> https://bugzilla.tianocore.org/show_bug.cgi?id=960.
>>
>> In the patches, we add the new data type named "EfiTlsVerifyHost" and
>> the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP) to
>> enable the host name check so as to avoid the potential
>> Man-In-The-Middle attack.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Wu Jiaxin
>> Reviewed-by: Ye Ting
>> Reviewed-by: Long Qin
>> Reviewed-by: Fu Siyuan
>> Acked-by: Laszlo Ersek
>>
>> Jiaxin Wu (4):
>>   MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost(CVE-2019-14553)
>>   CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"(CVE-2019-14553)
>>   NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553)
>>   NetworkPkg/HttpDxe: Set the HostName for the verification(CVE-2019-14553)
>>
>>  CryptoPkg/Include/Library/TlsLib.h   | 20 ++++++++
>>  CryptoPkg/Library/TlsLib/TlsConfig.c | 38 +++++++++++++++-
>>  MdePkg/Include/Protocol/Tls.h        | 68 +++++++++++++++++++++++-----
>>  NetworkPkg/HttpDxe/HttpProto.h       |  1 +
>>  NetworkPkg/HttpDxe/HttpsSupport.c    | 21 +++++++--
>>  NetworkPkg/TlsDxe/TlsProtocol.c      | 44 ++++++++++++++++--
>>  6 files changed, 173 insertions(+), 19 deletions(-)
>>
>> --
>> 2.17.1.windows.2
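The cover letter above describes enabling a host name check so that a chain-valid certificate issued for some other name is no longer accepted for the requested host. The following is an added illustration of that check, written for this thread and not code from edk2, TlsLib or the patches: an RFC 6125-style dNSName match (exact and single-leftmost-label wildcard), with the function and sample names being my own.

```c
/* Added example, not edk2 code: the host name check that HTTPS needs in
 * addition to chain validation (RFC 6125 style, dNSName entries only;
 * IP-literal hosts and iPAddress entries are out of scope here). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges of the same length. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
  for (size_t i = 0; i < n; i++)
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
  return true;
}

/* Does one certificate dNSName pattern cover the requested host?
 * Exact match is case-insensitive. A wildcard is only accepted as the
 * entire leftmost label ("*.example.com"), it substitutes for exactly
 * one host label, and it must be followed by at least two labels, so
 * "*.com", "w*.example.com" and a bare "*" all fail. */
bool host_matches(const char *host, const char *pattern) {
  size_t hlen = strlen(host), plen = strlen(pattern);
  if (hlen == 0 || plen == 0 || strchr(host, '*') != NULL) return false;
  if (host[hlen - 1] == '.') hlen--;            /* tolerate "host.example." */
  const char *star = strchr(pattern, '*');
  if (star == NULL)
    return hlen == plen && eq_nocase(host, pattern, hlen);
  if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
    return false;
  const char *suffix = pattern + 1;             /* ".example.com" */
  size_t slen = plen - 1;
  if (strchr(suffix + 1, '.') == NULL) return false;   /* rejects "*.com" */
  const char *hdot = memchr(host, '.', hlen);
  if (hdot == NULL || hdot == host) return false;      /* need one label to substitute */
  size_t hsuf = hlen - (size_t)(hdot - host);
  return hsuf == slen && eq_nocase(hdot, suffix, slen);
}

/* True if any dNSName in the certificate covers the host the client asked
 * for. A chain-valid certificate for some other name must yield false:
 * without this check, such a certificate is accepted (the BZ 960 issue). */
bool cert_covers_host(const char *host, const char *const *dns_names, size_t count) {
  for (size_t i = 0; i < count; i++)
    if (host_matches(host, dns_names[i])) return true;
  return false;
}
```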