[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Thu Apr 8 22:33:01 UTC 2021
The branch master has been updated
via dfccfde06562ac87fe5e5f9401ba86cad050d9a2 (commit)
from 6d9e045ef724df0ddc8c8f66dcfdff4f8ba0bc03 (commit)
- Log -----------------------------------------------------------------
commit dfccfde06562ac87fe5e5f9401ba86cad050d9a2
Author: Christian Heimes <christian at python.org>
Date: Tue Mar 30 12:02:42 2021 +0200
Inherit hostflags verify params even without hosts
X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts.
Previously hostflags were only copied when at least one host was set.
Typically applications don't configure hosts on SSL_CTX. The change
enables applications to configure hostflags on SSL_CTX and have OpenSSL
copy the flags from SSL_CTX to SSL.
Fixes: https://github.com/openssl/openssl/issues/14579
Signed-off-by: Christian Heimes <christian at python.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14743)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vpm.c | 4 ++--
test/sslapitest.c | 43 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 8914a2bd6f..d11aa2341a 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -199,7 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
return 0;
}
- /* Copy the host flags if and only if we're copying the host list */
+ x509_verify_param_copy(hostflags, 0);
+
if (test_x509_verify_param_copy(hosts, NULL)) {
sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
dest->hosts = NULL;
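Review bot: The removed comment is not replaced, so the new `x509_verify_param_copy(hostflags, 0);` line carries no hint that hostflags now propagate independently of the host list, which is exactly the behaviour this commit changes; add `/* hostflags are inherited on their own, not only together with hosts (#14579) */` above it. This is a user-visible change — an application that set hostflags on the SSL_CTX and relied on them being dropped when no hosts were configured will now have them applied to every SSL created from it — so it also deserves an entry in the project's changelog and a sentence in the X509_VERIFY_PARAM_set_hostflags() manual page, neither of which the commit touches. Judging by how the same macro is used for the other fields in this file, dest's flags are only overwritten when they are still 0 or the overwrite inheritance flag is set, so flags set on the SSL before inheritance survive; that is worth stating in the comment too. X509_VERIFY_PARAM_inherit() starts and ends outside this hunk.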
@@ -208,7 +209,6 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
if (dest->hosts == NULL)
return 0;
- dest->hostflags = src->hostflags;
}
}
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 31b36b23b1..2d196a155c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -31,6 +31,7 @@
#include <openssl/core_dispatch.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include <openssl/x509v3.h>
#include "helpers/ssltestlib.h"
#include "testutil.h"
@@ -8623,6 +8624,47 @@ end:
}
#endif
+static int test_inherit_verify_param(void)
+{
+ int testresult = 0;
+
+ SSL_CTX *ctx = NULL;
+ X509_VERIFY_PARAM *cp = NULL;
+ SSL *ssl = NULL;
+ X509_VERIFY_PARAM *sp = NULL;
+ int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+
+ ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ if (!TEST_ptr(ctx))
+ goto end;
+
+ cp = SSL_CTX_get0_param(ctx);
+ if (!TEST_ptr(cp))
+ goto end;
+ if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
+ goto end;
+
+ X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
+
+ ssl = SSL_new(ctx);
+ if (!TEST_ptr(ssl))
+ goto end;
+
+ sp = SSL_get0_param(ssl);
+ if (!TEST_ptr(sp))
+ goto end;
+ if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
int setup_tests(void)
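Review bot: `hostflags` at the top of test_inherit_verify_param() is declared `int`, but X509_VERIFY_PARAM_set_hostflags() takes and X509_VERIFY_PARAM_get_hostflags() returns `unsigned int`, so both TEST_int_eq() comparisons mix signedness; declare it `unsigned int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;` and compare with `TEST_uint_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags)` (and likewise for the `0` check on cp). The test also only covers the default-zero case, and a check that the inherited value is a copy rather than shared state would pin the contract more firmly: after the final comparison add `X509_VERIFY_PARAM_set_hostflags(sp, X509_CHECK_FLAG_NO_WILDCARDS);` followed by `if (!TEST_uint_eq(X509_VERIFY_PARAM_get_hostflags(cp), hostflags)) goto end;`. The inheritance logic under test lives in X509_VERIFY_PARAM_inherit(), which this hunk does not show.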
@@ -8872,6 +8914,7 @@ int setup_tests(void)
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
+ ADD_TEST(test_inherit_verify_param);
return 1;
err: