On 10/16/19 11:40, David Woodhouse wrote: > On Tue, 2019-10-15 at 19:34 +0200, Laszlo Ersek wrote: >> Ehh, I failed to ask the actual question. >> >> Is it OK to call X509_VERIFY_PARAM_set1*() multiple times -- basically, >> every time just before we call X509_verify_cert()? >> >> My concern is not with the crypto functionality, but whether we could be >> leaking memory allocations. > > You had to ask yourself that before approving the original version of > TlsSetVerifyHost(), didn't you? Because the TlsLib API hasn't imposed > any restriction on calling TlsSetVerifyHost() more than once...
You are correct, of course. I seem to recall that I hand-waved that question away, seeing that TlsSetVerifyHost() simply passed the hostname (the pointer to the char array) into an OpenSSL API. I guess when I first looked at that call with any kind of focus, I wasn't *that* concerned about the life-cycle yet... > > The answer is yes, btw — it's fine. Thanks! > > Note also my observation that we should insist on TlsSetVerifyHost > being called at *least* once, or the connection should fail. > I wonder if we could make this an implementation detail in edk2 *first*, while a matching USWG Mantis ticket were in progress. Thanks Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49087): https://edk2.groups.io/g/devel/message/49087 Mute This Topic: https://groups.io/mt/34307578/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
