Expose X509_VERIFY_PARAM_get_hostflags()

This is needed by Python 3.14, extending the urllib3 nonsense further.
This is a trivial getter and it is exercised by the libssl unit test
I added for urllib3 (which can now use dynamic linking for libcrypto).

Fixes https://github.com/libressl/portable/issues/1202
Thanks to @orbea for the report.

ok kenjiro

PS: X509_VERIFY_PARAM_get_flags() and X509_VERIFY_PARAM_get_peername()
aren't const correct. Fixing this will require some doing...

4 files changed, 7 insertions, 4 deletions

diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index 33668f24c5..d85922e12e 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -2654,6 +2654,7 @@ X509_VERIFY_PARAM_get0_peername
 X509_VERIFY_PARAM_get_count
 X509_VERIFY_PARAM_get_depth
 X509_VERIFY_PARAM_get_flags
+X509_VERIFY_PARAM_get_hostflags
 X509_VERIFY_PARAM_get_time
 X509_VERIFY_PARAM_inherit
 X509_VERIFY_PARAM_lookup
diff --git a/src/lib/libcrypto/hidden/openssl/x509_vfy.h b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
index cc0991518f..d0c46b655e 100644
--- a/src/lib/libcrypto/hidden/openssl/x509_vfy.h
+++ b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.10 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.11 2025/10/24 11:33:38 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -122,6 +122,7 @@ LCRYPTO_USED(X509_VERIFY_PARAM_set1_name);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_flags);
 LCRYPTO_USED(X509_VERIFY_PARAM_clear_flags);
 LCRYPTO_USED(X509_VERIFY_PARAM_get_flags);
+LCRYPTO_USED(X509_VERIFY_PARAM_get_hostflags);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_purpose);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_trust);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_depth);
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 7058bbc5b0..04e555149a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.70 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.71 2025/10/24 11:33:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -441,6 +441,7 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name,
     size_t namelen);
 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name,
     size_t namelen);
+unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
     unsigned int flags);
 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 0789a51c13..7b4ce3b7a6 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.57 2025/10/10 23:07:40 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.58 2025/10/24 11:33:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -543,12 +543,12 @@ X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
 
-/* Public API in OpenSSL - nothing seems to use this. */
 unsigned int
 X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
 {
         return param->hostflags;
 }
+LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_hostflags);
 
 void
 X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)