diff options
| author | tb <> | 2023-05-24 09:15:14 +0000 |
|---|---|---|
| committer | tb <> | 2023-05-24 09:15:14 +0000 |
| commit | 9c79756c47801e50fdbf7b07b7e6ea1dfad2779b (patch) | |
| tree | fcd81828bbb8b8ef794acaddd3190486bb559ad9 | |
| parent | 61c81a83de1329c6eec47a61f17e68b7c5a335f9 (diff) | |
| download | openbsd-9c79756c47801e50fdbf7b07b7e6ea1dfad2779b.tar.gz openbsd-9c79756c47801e50fdbf7b07b7e6ea1dfad2779b.tar.bz2 openbsd-9c79756c47801e50fdbf7b07b7e6ea1dfad2779b.zip | |
Copy the verify param hostflags independently of the host list
Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.
There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.
ok jsing
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vpm.c | 7 | ||||
| -rw-r--r-- | src/regress/lib/libssl/unit/Makefile | 4 |
2 files changed, 5 insertions, 6 deletions
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c index 2110787a5f..5c8c09e9fc 100644 --- a/src/lib/libcrypto/x509/x509_vpm.c +++ b/src/lib/libcrypto/x509/x509_vpm.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vpm.c,v 1.38 2023/05/24 08:46:01 tb Exp $ */ | 1 | /* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2004. | 3 | * project 2004. |
| 4 | */ | 4 | */ |
| @@ -326,7 +326,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) | |||
| 326 | return 0; | 326 | return 0; |
| 327 | } | 327 | } |
| 328 | 328 | ||
| 329 | /* Copy the host flags if and only if we're copying the host list */ | 329 | if (test_x509_verify_param_copy_id(hostflags, 0)) |
| 330 | dest->id->hostflags = id->hostflags; | ||
| 331 | |||
| 330 | if (test_x509_verify_param_copy_id(hosts, NULL)) { | 332 | if (test_x509_verify_param_copy_id(hosts, NULL)) { |
| 331 | if (dest->id->hosts) { | 333 | if (dest->id->hosts) { |
| 332 | sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free); | 334 | sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free); |
| @@ -337,7 +339,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) | |||
| 337 | sk_deep_copy(id->hosts, strdup, str_free); | 339 | sk_deep_copy(id->hosts, strdup, str_free); |
| 338 | if (dest->id->hosts == NULL) | 340 | if (dest->id->hosts == NULL) |
| 339 | return 0; | 341 | return 0; |
| 340 | dest->id->hostflags = id->hostflags; | ||
| 341 | } | 342 | } |
| 342 | } | 343 | } |
| 343 | 344 | ||
diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile index 413307b7a0..6a925069ca 100644 --- a/src/regress/lib/libssl/unit/Makefile +++ b/src/regress/lib/libssl/unit/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $ | 1 | # $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $ |
| 2 | 2 | ||
| 3 | PROGS += cipher_list | 3 | PROGS += cipher_list |
| 4 | PROGS += ssl_get_shared_ciphers | 4 | PROGS += ssl_get_shared_ciphers |
| @@ -18,6 +18,4 @@ CFLAGS+= -I${.CURDIR}/../../../../lib/libssl | |||
| 18 | 18 | ||
| 19 | LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT} | 19 | LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT} |
| 20 | 20 | ||
| 21 | REGRESS_EXPECTED_FAILURES+= run-regress-ssl_verify_param | ||
| 22 | |||
| 23 | .include <bsd.regress.mk> | 21 | .include <bsd.regress.mk> |