On Fri, 2019-10-11 at 17:36 +0200, Laszlo Ersek wrote:
> On 10/11/19 13:16, David Woodhouse wrote:
> > I first started looking at this when it was
> > reported as such, on the list.
> 
> I believe you. Can you somehow find that thread? I tried, but I couldn't
> find it. My mailbox (going back 9 years) is indexed, but my searches
> have failed. I must be using the wrong search terms. If I try "GEN_IP"
> or "Subject Alternative Name", I only get this thread.

https://www.mail-archive.com/devel@edk2.groups.io/msg03339.html

In that thread you pointed me at the bug, and I immediately pointed out
the error in the patch series:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c31

Followed by a bit more detail on how to fix it, with examples to look
at:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c32

> David: it *is* hard! It is hard for me. I wouldn't know where to begin.

I suspect this is false modesty on your part. Given the pointers and
the examples above, I have lots of confidence that if this were the
task on your plate, you would accomplish it with ease.

I would, of course, be happy to provide further pointers, and even work
with upstream OpenSSL to make this even easier. Crypto libraries should
make it hard for application developers to get things wrong, and they
often let us down in that respect.

In fact, I did that last bit already:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c33

> As always, I strongly favor "upstream first". Show us the code, please?

It's already linked from that Bugzilla comment I referenced:
https://github.com/openssl/openssl/pull/9201

Pull that into your OpenSSL tree, then make a trivial change following
the example in that PR, to do

   if (SSL_set1_ip_asc(ssl, hostname) < 0)
       SSL_set1_host(ssl, hostname);

instead of just the SSL_set1_host() call.

That way, *if* the string happens to be a valid IPv6 or Legacy IP
address, the SSL_set1_ip_asc() call will work; otherwise it's treated
as a hostname.
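
Added worked example, written for this page and not taken from the message above, from OpenSSL or from EDK2: the "address literal or hostname?" decision the message describes, carried through to the kind of matching that decision selects. It uses only POSIX inet_pton() and a constructed subjectAltName list (boot.example.com, *.lab.example.com, 192.0.2.10 and 2001:db8::1 are made-up sample values; parse_ip_literal, peer_identity_matches, constructed_sans and the other helper names are mine). In a real OpenSSL client the comparison itself is left to libcrypto through the existing X509_VERIFY_PARAM_set1_ip_asc() / X509_VERIFY_PARAM_set1_host() calls (or SSL_set1_host() plus the SSL_set1_ip_asc() the PR proposes); what the code shows is why the fork matters: an address target is compared as bytes against iPAddress entries only, so "2001:DB8::1" and the fully expanded spelling of the same address both match, while treating either string as a dNSName would compare text and fail.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* The two subjectAltName GeneralName types the thread is about. */
enum san_type { SAN_DNS, SAN_IP };

struct san_entry {
    enum san_type type;
    const char *dns;        /* used when type == SAN_DNS */
    unsigned char ip[16];   /* network-order address bytes when type == SAN_IP */
    size_t iplen;           /* 4 for IPv4, 16 for IPv6, 0 for DNS entries */
};

/* Parse an IPv4/IPv6 literal into binary form. Returns 4, 16, or 0 when the
 * string is not an address literal and must be treated as a hostname. */
size_t parse_ip_literal(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, s, out) == 1)
        return 16;
    return 0;
}

/* The decision from the message: would SSL_set1_ip_asc() accept this string? */
int looks_like_ip(const char *s)
{
    unsigned char scratch[16];
    return parse_ip_literal(s, scratch) != 0;
}

static int ascii_ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive dNSName match; "*.example.com" covers exactly one leftmost label. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return ascii_ieq(pattern + 1, dot);
    }
    return ascii_ieq(pattern, host);
}

/* 1 if target is covered by a SAN entry of the matching type, else 0.
 * An address target is only ever compared, as bytes, with iPAddress entries;
 * a hostname target only with dNSName entries. */
int peer_identity_matches(const char *target, const struct san_entry *sans, size_t n)
{
    unsigned char ip[16];
    size_t iplen = parse_ip_literal(target, ip);

    for (size_t i = 0; i < n; i++) {
        if (iplen != 0) {
            if (sans[i].type == SAN_IP && sans[i].iplen == iplen &&
                memcmp(sans[i].ip, ip, iplen) == 0)
                return 1;
        } else if (sans[i].type == SAN_DNS && dns_name_matches(sans[i].dns, target)) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample data, not a real certificate: the SAN extension of a
 * hypothetical boot-server certificate with two DNS names and two addresses. */
size_t constructed_sans(struct san_entry *out, size_t cap)
{
    static const char *dns_names[] = { "boot.example.com", "*.lab.example.com" };
    static const char *ip_literals[] = { "192.0.2.10", "2001:db8::1" };
    size_t n = 0;

    for (size_t i = 0; i < 2 && n < cap; i++, n++) {
        out[n].type = SAN_DNS;
        out[n].dns = dns_names[i];
        out[n].iplen = 0;
    }
    for (size_t i = 0; i < 2 && n < cap; i++, n++) {
        out[n].type = SAN_IP;
        out[n].dns = NULL;
        out[n].iplen = parse_ip_literal(ip_literals[i], out[n].ip);
    }
    return n;
}

/* Check one target string against the constructed certificate. */
int sample_match(const char *target)
{
    struct san_entry sans[4];
    return peer_identity_matches(target, sans, constructed_sans(sans, 4));
}

int main(void)
{
    const char *targets[] = { "192.0.2.10", "2001:DB8::1", "192.0.2.11",
                              "boot.example.com", "pxe.lab.example.com", "lab.example.com" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-22s %-16s %s\n", targets[i],
               looks_like_ip(targets[i]) ? "iPAddress path" : "dNSName path",
               sample_match(targets[i]) ? "match" : "NO match");
    return 0;
}
```

Build with "cc -std=c99 -Wall san_match.c" and run it; each target prints which path it took and whether it matched. Note that "lab.example.com" does not match "*.lab.example.com" and "192.0.2.11" does not match anything, while the three spellings of the IPv6 address all do.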


View/Reply Online (#48843): https://edk2.groups.io/g/devel/message/48843
