From: "David Woodhouse" <dwmw2@infradead.org>
To: Laszlo Ersek <lersek@redhat.com>,
"Wu, Jiaxin" <jiaxin.wu@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
Richard Levitte <levitte@openssl.org>,
Sivaraman Nainar <sivaramann@amiindia.co.in>
Subject: Re: [edk2-devel] [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses
Date: Wed, 16 Oct 2019 14:35:37 +0100 [thread overview]
Message-ID: <a83f1ff8059088de69a15edbe02cae3b4faa8173.camel@infradead.org> (raw)
In-Reply-To: <f89ddc3b-cbc8-01f7-f419-0984ad168dfb@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2405 bytes --]
On Wed, 2019-10-16 at 13:41 +0200, Laszlo Ersek wrote:
> On 10/16/19 11:19, David Woodhouse wrote:
> > In the end you did actually solve it all for yourself -- based on the
> > pointer I'd given in bugzilla, and then ignoring my subsequent
> > misdirection about callbacks and my overly complex attempt at doing it
> > myself :)
>
> You're too kind; I followed your code closely. I only updated the coding
> style, added a bunch of comments, and supplied some error checks and
> debug messages.
Hm, I am not widely renowned for my kindness. I'm sure there are those
who would suggest to you that there really must be some other
explanation than that.
They might point out that you also threw away all of the parts from my
actual code where I'd led you in the wrong direction, going back to my
initial suggestion that had been in Bugzilla in the first place.
They might suggest that in posting poorly-formatted straw man patches
to TlsLib, all I have *actually* managed to do is what people so often
do to me — post a patch which is sufficiently incompetent that it has
provoked you into finding the time to do it properly for yourself :)
> In addition, Jiaxin suggested we should try to set the
> smart verification params in TlsSetVerifyHost() at once.
>
> Anyway: we still have the issue that X509_VERIFY_PARAM_set_ip_asc()
> appears to reject IPv4 address literals. Could you check that please?
>
> (Using a hosted (Linux userspace) program like "sconnect", it must be
> easier to debug. I tried connecting gdb to QEMU, running OVMF, but it
> crashed gdb. :)
Ah, but if you were using a hosted Linux userspace program like
sconnect, then your sscanf() implementation wouldn't look like this:
$ grep -B1 -A4 sscanf CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
/* Read formatted data from a string */
int sscanf (const char *buffer, const char *format, ...)
{
//
// Null sscanf() function implementation to satisfy the linker, since
// no direct functionality logic dependency in present UEFI cases.
//
return 0;
}
I told you to stare hard at that, didn't I :)
I'm sure that OpenSSL upstream would welcome a patch to ditch that use
of the non-recommended sscanf() function and use inet_ntoa() where it's
available instead (although that might sensibly be guarded on
OPENSSL_NO_SOCK, which you set for the EDK2 build).
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5174 bytes --]
next prev parent reply other threads:[~2019-10-16 13:35 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-27 3:44 [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 1/4] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 2/4] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 3/4] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 4/4] NetworkPkg/HttpDxe: Set the HostName for the verification(CVE-2019-14553) Wu, Jiaxin
2019-09-29 6:09 ` [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wang, Jian J
2019-09-30 23:21 ` Laszlo Ersek
2019-10-01 9:02 ` David Woodhouse
2019-10-08 6:19 ` Wu, Jiaxin
2019-10-09 7:53 ` David Woodhouse
2019-10-09 20:24 ` Laszlo Ersek
2019-10-09 20:34 ` David Woodhouse
2019-10-10 3:11 ` Wu, Jiaxin
2019-10-10 8:00 ` Laszlo Ersek
2019-10-10 15:45 ` David Woodhouse
2019-10-10 18:03 ` Laszlo Ersek
2019-10-11 2:24 ` Wu, Jiaxin
2019-10-11 6:58 ` David Woodhouse
2019-10-11 8:04 ` Wu, Jiaxin
2019-10-11 10:55 ` Laszlo Ersek
2019-10-11 11:16 ` David Woodhouse
2019-10-11 15:36 ` Laszlo Ersek
2019-10-11 16:01 ` David Woodhouse
2019-10-14 16:15 ` Laszlo Ersek
2019-10-14 16:20 ` Laszlo Ersek
2019-10-14 16:53 ` David Woodhouse
2019-10-15 11:03 ` David Woodhouse
2019-10-15 11:06 ` David Woodhouse
2019-10-15 13:54 ` Laszlo Ersek
2019-10-15 15:29 ` David Woodhouse
2019-10-15 16:56 ` Laszlo Ersek
2019-10-15 17:34 ` Laszlo Ersek
2019-10-16 9:40 ` David Woodhouse
2019-10-16 10:27 ` Laszlo Ersek
2019-10-15 15:57 ` David Woodhouse
2019-10-15 17:28 ` Laszlo Ersek
2019-10-10 2:45 ` Wu, Jiaxin
2019-10-09 15:54 ` Laszlo Ersek
2019-10-10 2:46 ` Wu, Jiaxin
2019-10-15 23:08 ` [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses Laszlo Ersek
2019-10-16 5:18 ` [edk2-devel] " Wu, Jiaxin
2019-10-16 7:36 ` Laszlo Ersek
2019-10-16 7:54 ` Laszlo Ersek
2019-10-16 7:56 ` David Woodhouse
2019-10-16 8:08 ` Laszlo Ersek
2019-10-16 9:19 ` David Woodhouse
2019-10-16 11:41 ` Laszlo Ersek
2019-10-16 13:35 ` David Woodhouse [this message]
2019-10-16 14:43 ` Laszlo Ersek
2019-10-16 15:25 ` David Woodhouse
2019-10-17 15:35 ` Laszlo Ersek
2019-10-17 15:49 ` David Woodhouse
2019-10-18 13:25 ` Laszlo Ersek
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 8:14 ` Laszlo Ersek
2019-10-24 19:47 ` Laszlo Ersek
2019-10-25 2:13 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-16 8:45 ` David Woodhouse
2019-10-16 11:01 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a83f1ff8059088de69a15edbe02cae3b4faa8173.camel@infradead.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox