root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Inherit hostflags verify params even without hosts 

X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts.

Previously hostflags were only copied when at least one host was set.
Typically applications don't configure hosts on SSL_CTX. The change
enables applications to configure hostflags on SSL_CTX and have OpenSSL
copy the flags from SSL_CTX to SSL.

Fixes: https://github.com/openssl/openssl/issues/14579
Signed-off-by: Christian Heimes <christian@python.org>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14856)
This commit is contained in:
Christian Heimes 2021-03-30 12:02:42 +02:00 committed by Tomas Mraz
parent 7e12c2b3d9
commit fdb4cbd20f
2 changed files with 45 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/x509/x509_vpm.c
View File

@ -199,7 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
return 0; return 0;
} }
/* Copy the host flags if and only if we're copying the host list */ x509_verify_param_copy(hostflags, 0);
if (test_x509_verify_param_copy(hosts, NULL)) { if (test_x509_verify_param_copy(hosts, NULL)) {
sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
dest->hosts = NULL; dest->hosts = NULL;
@ -208,7 +209,6 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free); sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
if (dest->hosts == NULL) if (dest->hosts == NULL)
return 0; return 0;
dest->hostflags = src->hostflags;
} }
} }

43
test/sslapitest.c
View File

@ -17,6 +17,7 @@
#include <openssl/srp.h> #include <openssl/srp.h>
#include <openssl/txt_db.h> #include <openssl/txt_db.h>
#include <openssl/aes.h> #include <openssl/aes.h>
#include <openssl/x509v3.h>
#include "ssltestlib.h" #include "ssltestlib.h"
#include "testutil.h" #include "testutil.h"
@ -6787,6 +6788,47 @@ end:
return testresult; return testresult;
} }
static int test_inherit_verify_param(void)
{
int testresult = 0;
SSL_CTX *ctx = NULL;
X509_VERIFY_PARAM *cp = NULL;
SSL *ssl = NULL;
X509_VERIFY_PARAM *sp = NULL;
int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
ctx = SSL_CTX_new(TLS_server_method());
if (!TEST_ptr(ctx))
goto end;
cp = SSL_CTX_get0_param(ctx);
if (!TEST_ptr(cp))
goto end;
if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
goto end;
X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
ssl = SSL_new(ctx);
if (!TEST_ptr(ssl))
goto end;
sp = SSL_get0_param(ssl);
if (!TEST_ptr(sp))
goto end;
if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
goto end;
testresult = 1;
end:
SSL_free(ssl);
SSL_CTX_free(ctx);
return testresult;
}
int setup_tests(void) int setup_tests(void)
{ {
if (!TEST_ptr(certsdir = test_get_argument(0)) if (!TEST_ptr(certsdir = test_get_argument(0))
@ -6914,6 +6956,7 @@ int setup_tests(void)
ADD_TEST(test_sni_tls13); ADD_TEST(test_sni_tls13);
#endif #endif
ADD_TEST(test_set_alpn); ADD_TEST(test_set_alpn);
ADD_TEST(test_inherit_verify_param);
return 1; return 1;
} }