From 1581cb1823377220ed1976451615a1f5e856adf0 Mon Sep 17 00:00:00 2001
From: Theo Buehler <tb@openbsd.org>
Date: Thu, 25 May 2023 09:11:58 +0200
Subject: Fix urllib3 CN without SAN tests for LibreSSL 3.7

This is a port of a patch by Christian Heimes and fixes an issue flagged
by Quentin Pradet: https://bugs.python.org/issue43522
---
 ChangeLog                |  7 +++++++
 patches/x509_vpm.c.patch | 21 +++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 patches/x509_vpm.c.patch

diff --git a/ChangeLog b/ChangeLog
index 5babe4f..cc1bfbe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,13 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+
+3.7.3 - Stable release
+
+	* Bug fix
+	  - Hostflags in the verify parameters would not propagate from an
+	    SSL_CTX to newly created SSL.
+
 3.7.2 - Stable release
 
 	* Portable changes
diff --git a/patches/x509_vpm.c.patch b/patches/x509_vpm.c.patch
new file mode 100644
index 0000000..8809471
--- /dev/null
+++ b/patches/x509_vpm.c.patch
@@ -0,0 +1,21 @@
+--- crypto/x509/x509_vpm.c.orig	Thu May 25 09:08:38 2023
++++ crypto/x509/x509_vpm.c	Thu May 25 09:08:48 2023
+@@ -330,7 +330,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, con
+ 			return 0;
+ 	}
+ 
+-	/* Copy the host flags if and only if we're copying the host list */
++	if (test_x509_verify_param_copy_id(hostflags, 0))
++		dest->id->hostflags = id->hostflags;
++
+ 	if (test_x509_verify_param_copy_id(hosts, NULL)) {
+ 		if (dest->id->hosts) {
+ 			string_stack_free(dest->id->hosts);
+@@ -341,7 +343,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, con
+ 			    sk_deep_copy(id->hosts, strdup, str_free);
+ 			if (dest->id->hosts == NULL)
+ 				return 0;
+-			dest->id->hostflags = id->hostflags;
+ 		}
+ 	}
+ 
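Review bot: The new `hostflags` assignment in the first inner hunk of `X509_VERIFY_PARAM_inherit` deletes the old comment without replacing it, so the changed invariant is undocumented: host flags now inherit on their own instead of only together with the host list. These flags steer hostname verification, so a flag that fails to propagate leaves a new SSL checking names differently from what the SSL_CTX configured, which is the bug the ChangeLog entry describes. I would add above the new `if`: `/* Inherit hostflags independently of the host list, so flags set on an SSL_CTX reach a new SSL even when no hosts are configured. */`. The macro is not visible here, but the `0` default presumably means a source with no flags set leaves the destination's flags untouched unless an overwrite is requested; if so, that is worth a clause in the same comment. The function body starts and ends outside the hunk.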
-- 
cgit v1.2.3-55-g6feb