tiranpaulidale
authored andcommitted
Inherit hostflags verify params even without hosts
X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts. Previously hostflags were only copied when at least one host was set. Typically applications don't configure hosts on SSL_CTX. The change enables applications to configure hostflags on SSL_CTX and have OpenSSL copy the flags from SSL_CTX to SSL. Fixes: #14579 Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #14743)
1 parent 6d9e045 commit dfccfde


2 files changed

+45
-2
lines changed


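--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -199,7 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 return 0;
 }
 
-/* Copy the host flags if and only if we're copying the host list */
+x509_verify_param_copy(hostflags, 0);
+
 if (test_x509_verify_param_copy(hosts, NULL)) {
 sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
 dest->hosts = NULL;
@@ -208,7 +209,6 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
 if (dest->hosts == NULL)
 return 0;
-dest->hostflags = src->hostflags;
 }
 }
 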
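Review bot: The new `x509_verify_param_copy(hostflags, 0);` call removes the old comment without replacing it, so the reason hostflags are now inherited separately from the host list is no longer visible at the call site; `/* Host flags are inherited on their own: an SSL_CTX typically carries hostflags but no host list */` would record it. Passing 0 as the default means a dest whose hostflags were explicitly cleared to 0 is indistinguishable from one never configured and will take src's flags, and, if the macro follows the test_x509_verify_param_copy semantics visible on the next line, a dest with non-default flags keeps them wholesale rather than merging the bitmask with src's; both look intended but deserve a sentence in the X509_VERIFY_PARAM_inherit documentation. X509_VERIFY_PARAM_inherit begins before the first hunk and ends after the second.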
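--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -31,6 +31,7 @@
 #include <openssl/core_dispatch.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
+#include <openssl/x509v3.h>
 
 #include "helpers/ssltestlib.h"
 #include "testutil.h"
@@ -8623,6 +8624,47 @@ static int test_sni_tls13(void)
 }
 #endif
 
+static int test_inherit_verify_param(void)
+{
+int testresult = 0;
+
+SSL_CTX *ctx = NULL;
+X509_VERIFY_PARAM *cp = NULL;
+SSL *ssl = NULL;
+X509_VERIFY_PARAM *sp = NULL;
+int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+
+ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+if (!TEST_ptr(ctx))
+goto end;
+
+cp = SSL_CTX_get0_param(ctx);
+if (!TEST_ptr(cp))
+goto end;
+if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
+goto end;
+
+X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
+
+ssl = SSL_new(ctx);
+if (!TEST_ptr(ssl))
+goto end;
+
+sp = SSL_get0_param(ssl);
+if (!TEST_ptr(sp))
+goto end;
+if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
+goto end;
+
+testresult = 1;
+
+end:
+SSL_free(ssl);
+SSL_CTX_free(ctx);
+
+return testresult;
+}
+
 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
 
 int setup_tests(void)
@@ -8872,6 +8914,7 @@ int setup_tests(void)
 #ifndef OSSL_NO_USABLE_TLS1_3
 ADD_TEST(test_sni_tls13);
 #endif
+ADD_TEST(test_inherit_verify_param);
 return 1;
 
 err: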