diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-24 09:15:15 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-24 09:15:15 +0000 |
| commit | f0a0977ebee88561b3bfb07186db1c77fc628e48 (patch) | |
| tree | ca12fccb6665240ebddd3e9045f7ec39665d8a02 | |
| parent | 2ebbae1407160af0251921f74ed8433d6ebe8e14 (diff) | |
Copy the verify param hostflags independently of the host list
Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.
There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.
ok jsing
| -rw-r--r-- | lib/libcrypto/x509/x509_vpm.c | 7 | ||||
| -rw-r--r-- | regress/lib/libssl/unit/Makefile | 4 |
2 files changed, 5 insertions, 6 deletions
diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 2110787a5f6..5c8c09e9fc9 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.38 2023/05/24 08:46:01 tb Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -326,7 +326,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) return 0; } - /* Copy the host flags if and only if we're copying the host list */ + if (test_x509_verify_param_copy_id(hostflags, 0)) + dest->id->hostflags = id->hostflags; + if (test_x509_verify_param_copy_id(hosts, NULL)) { if (dest->id->hosts) { sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free); @@ -337,7 +339,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) sk_deep_copy(id->hosts, strdup, str_free); if (dest->id->hosts == NULL) return 0; - dest->id->hostflags = id->hostflags; } } diff --git a/regress/lib/libssl/unit/Makefile b/regress/lib/libssl/unit/Makefile index 413307b7a01..6a925069ca0 100644 --- a/regress/lib/libssl/unit/Makefile +++ b/regress/lib/libssl/unit/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $ +# $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $ PROGS += cipher_list PROGS += ssl_get_shared_ciphers @@ -18,6 +18,4 @@ CFLAGS+= -I${.CURDIR}/../../../../lib/libssl LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT} -REGRESS_EXPECTED_FAILURES+= run-regress-ssl_verify_param - .include <bsd.regress.mk> |