Fix urllib3 CN without SAN tests for LibreSSL 3.6

This is a port of a patch by Christian Heimes and fixes an issue flagged
by Quentin Pradet: https://bugs.python.org/issue43522

2 files changed, 27 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 98cc5a0..483a679 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,12 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.6.3 - Stable release
+
+        * Bug fix
+          - Hostflags in the verify parameters would not propagate from an
+            SSL_CTX to newly created SSL.
+
 3.6.2 - Stable release
 
         * Security fix
diff --git a/patches/x509_vpm.c.patch b/patches/x509_vpm.c.patch
new file mode 100644
index 0000000..b0a3215
--- /dev/null
+++ b/patches/x509_vpm.c.patch
@@ -0,0 +1,21 @@
+--- crypto/x509/x509_vpm.c.orig Thu May 25 07:41:58 2023
++++ crypto/x509/x509_vpm.c      Thu May 25 07:47:42 2023
+@@ -328,7 +328,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, con
+                        return 0;
+        }
+ 
+-       /* Copy the host flags if and only if we're copying the host list */
++       if (test_x509_verify_param_copy_id(hostflags, 0))
++               dest->id->hostflags = id->hostflags;
++
+        if (test_x509_verify_param_copy_id(hosts, NULL)) {
+                if (dest->id->hosts) {
+                        string_stack_free(dest->id->hosts);
+@@ -339,7 +341,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, con
+                            sk_deep_copy(id->hosts, strdup, str_free);
+                        if (dest->id->hosts == NULL)
+                                return 0;
+-                       dest->id->hostflags = id->hostflags;
+                }
+        }
+