Merge e420ab7515 into b8c46cba5f

http_lib.c: fix parsing 'scheme' part in OSSL_parse_url()
fixup! apps/cmp.c: fix use of SSL_set_tlsext_host_name() for SNI and X509_VERIFY_PARAM_set1_host()
2025-07-31 17:14:10 +02:00 · 2025-07-31 17:13:58 +02:00 · 2025-07-31 17:10:16 +02:00 · 2025-07-31 11:54:28 +02:00 · 2025-07-19 10:01:11 +02:00 · 2025-07-19 09:42:35 +02:00
11 changed files with 209 additions and 131 deletions
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -528,7 +528,7 @@ const OPTIONS cmp_options[] = {
     "Trusted certificates to use for verifying the TLS server certificate;"},
    {OPT_MORE_STR, 0, 0, "this implies hostname validation"},
    {"tls_host", OPT_TLS_HOST, 's',
-     "Address to be checked (rather than -server) during TLS hostname validation"},
+     "Name (or address) to use in SNI and verify in the TLS server certificate"},
 #endif

    OPT_SECTION("Client-side debugging"),
@ -787,7 +787,11 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc)
    return cert;
 }

-/* set expected hostname/IP addr and clears the email addr in the given ts */
+/*
+ * Set expected hostname/IP address and clears any email address in the given ts.
+ * If the host is NULL, host name/address verification is disabled.
+ * Otherwise, it is interpreted as an IP address if possible, otherwise as a domain name.
+ */
 static int truststore_set_host_etc(X509_STORE *ts, const char *host)
 {
    X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
@ -797,10 +801,13 @@ static int truststore_set_host_etc(X509_STORE *ts, const char *host)
            || !X509_VERIFY_PARAM_set1_ip(ts_vpm, NULL, 0)
            || !X509_VERIFY_PARAM_set1_email(ts_vpm, NULL, 0))
        return 0;
+    if (host == NULL)
+        return 1;
+
    X509_VERIFY_PARAM_set_hostflags(ts_vpm,
                                    X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
                                    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-    return (host != NULL && X509_VERIFY_PARAM_set1_ip_asc(ts_vpm, host))
+    return X509_VERIFY_PARAM_set1_ip_asc(ts_vpm, host)
        || X509_VERIFY_PARAM_set1_host(ts_vpm, host, 0);
 }

@ -1510,8 +1517,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
         * If we did this before checking our own TLS cert
         * the expected hostname would mislead the check.
         */
-        if (!truststore_set_host_etc(trust_store,
-                                     opt_tls_host != NULL ? opt_tls_host : host))
+        if (!truststore_set_host_etc(trust_store, host))
            goto err;
    }
    return ssl_ctx;
@ -2283,6 +2289,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
    if (opt_tls_used) {
        APP_HTTP_TLS_INFO *info;
+        const char *hostaddr;

        if (opt_tls_cert != NULL
            || opt_tls_key != NULL || opt_tls_keypass != NULL) {
@ -2299,9 +2306,16 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
            goto err;
        APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(ctx));
        (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
-        info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+        hostaddr = opt_tls_host != NULL ? opt_tls_host : host;
+        info->ssl_ctx = setup_ssl_ctx(ctx, hostaddr, engine);
+        if (!APP_is_IP_address(hostaddr)) {
+            if (hostaddr == NULL)
+                info->sni_hostname = NULL;
+            else if ((info->sni_hostname = OPENSSL_strdup(hostaddr)) == NULL)
+                goto err;
+        }
        info->server = host;
-        host = NULL; /* prevent deallocation */
+        host = NULL; /* ownership has been transferred to info structure */
        if ((info->port = OPENSSL_strdup(server_port)) == NULL)
            goto err;
        /* workaround for callback design flaw, see #17088: */
@ -3919,11 +3933,7 @@ int cmp_main(int argc, char **argv)
        /* cannot free info already here, as it may be used indirectly by: */
        OSSL_CMP_CTX_free(cmp_ctx);
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
-        if (info != NULL) {
-            OPENSSL_free((char *)info->server);
-            OPENSSL_free((char *)info->port);
-            APP_HTTP_TLS_INFO_free(info);
-        }
+        APP_HTTP_TLS_INFO_free(info);
 #endif
    }
    X509_VERIFY_PARAM_free(vpm);
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@ -48,7 +48,6 @@
 void app_RAND_load_conf(CONF *c, const char *section);
 int app_RAND_write(void);
 int app_RAND_load(void);
-
 extern char *default_config_file; /* may be "" */
 extern BIO *bio_in;
 extern BIO *bio_out;
@ -284,7 +283,12 @@ int check_cert_attributes(BIO *bio, X509 *x,

 void store_setup_crl_download(X509_STORE *st);

+# ifndef OPENSSL_NO_SOCK
+int APP_is_IP_address(const char *host);
+# endif
+
 typedef struct app_http_tls_info_st {
+    const char *sni_hostname;
    const char *server;
    const char *port;
    int use_proxy;
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -54,6 +54,9 @@
 #ifdef _WIN32
 static int WIN32_rename(const char *from, const char *to);
 # define rename(from, to) WIN32_rename((from), (to))
+/* for getaddrinfo() and freeaddrinfo(): */
+# include <winsock2.h>
+# include <ws2tcpip.h>
 #endif

 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
@ -2551,6 +2554,31 @@ void store_setup_crl_download(X509_STORE *st)
    X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
 }

+#ifndef OPENSSL_NO_SOCK
+int APP_is_IP_address(const char *host)
+{
+    size_t len;
+    struct addrinfo hints, *res;
+    int ret;
+
+    if (host == NULL)
+        return 0;
+
+    /* presume IPv6 address literal if host has the form "[<other-chars>]" */
+    len = strlen(host);
+    if (len > 2 && *host == '[' && strchr(host + 1, '[') == NULL
+            && strchr(host + 1, ']') == host + len - 1)
+        return 1;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_NUMERICHOST;
+    ret = getaddrinfo(host, NULL, &hints, &res);
+    if (res != NULL)
+        freeaddrinfo(res);
+    return ret == 0;
+}
+#endif
+
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 static const char *tls_error_hint(void)
 {
@ -2600,16 +2628,12 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
 {
    APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
    SSL_CTX *ssl_ctx = info->ssl_ctx;
+    BIO *sbio = NULL;

    if (ssl_ctx == NULL) /* not using TLS */
        return bio;
    if (connect) {
        SSL *ssl;
-        BIO *sbio = NULL;
-        X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx);
-        X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
-        const char *host = vpm == NULL ? NULL :
-            X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */);

        /* adapt after fixing callback design flaw, see #17088 */
        if ((info->use_proxy
@ -2619,27 +2643,31 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
                || (sbio = BIO_new(BIO_f_ssl())) == NULL) {
            return NULL;
        }
-        if ((ssl = SSL_new(ssl_ctx)) == NULL) {
-            BIO_free(sbio);
-            return NULL;
-        }
-
-        if (vpm != NULL)
-            SSL_set_tlsext_host_name(ssl, host /* may be NULL */);
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+            goto err;

        SSL_set_connect_state(ssl);
        BIO_set_ssl(sbio, ssl, BIO_CLOSE);
+        if (!SSL_set_tlsext_host_name(ssl, info->sni_hostname /* may be NULL */))
+            goto err;

        bio = BIO_push(sbio, bio);
    } else { /* disconnect from TLS */
        bio = http_tls_shutdown(bio);
    }
    return bio;
+
+ err:
+    BIO_free(sbio);
+    return NULL;
 }

 void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
 {
    if (info != NULL) {
+        OPENSSL_free((char *)info->sni_hostname);
+        OPENSSL_free((char *)info->server);
+        OPENSSL_free((char *)info->port);
        SSL_CTX_free(info->ssl_ctx);
        OPENSSL_free(info);
    }
@ -2677,6 +2705,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
        goto end;
    }

+    info.sni_hostname = server;
    info.server = server;
    info.port = port;
    info.use_proxy = /* workaround for callback design flaw, see #17088 */
@ -2714,6 +2743,7 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
    if (req_mem == NULL)
        return NULL;

+    info.sni_hostname = host;
    info.server = host;
    info.port = port;
    info.use_proxy = /* workaround for callback design flaw, see #17088 */
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@ -78,22 +78,27 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost,
        return 0;
    }

-    /* check for optional prefix "<scheme>://" */
-    scheme = scheme_end = url;
-    p = strstr(url, "://");
-    if (p == NULL) {
-        p = url;
-    } else {
-        scheme_end = p;
-        if (scheme_end == scheme)
-            goto parse_err;
-        p += strlen("://");
+    /* check for optional prefix "<scheme>://" as per as per RFC 3986: */
+#define OSSL_SCHEME_POSTFIX "://"
+    scheme = scheme_end = p = url;
+    if (ossl_isalpha(*p)) {
+        while (*p != '\0'
+               && (ossl_isalpha(*p)
+                   || ossl_isdigit(*p)
+                   || strchr("+-.", *p) != NULL))
+            p++;
+        if (HAS_PREFIX(p, OSSL_SCHEME_POSTFIX)) {
+            scheme_end = p;
+            p += sizeof(OSSL_SCHEME_POSTFIX) - 1;
+        } else {
+            p = url;
+        }
    }

    /* parse optional "userinfo@" */
    user = user_end = host = p;
-    host = strchr(p, '@');
-    if (host != NULL)
+    host = strpbrk(p, "@[]/?#"); /* [ and ] delimit IPv6 addresses */
+    if (host != NULL && *host == '@')
        user_end = host++;
    else
        host = p;
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@ -115,7 +115,7 @@ TLS connection options:
 [B<-tls_keypass> I<arg>]
 [B<-tls_extra> I<filenames>|I<uris>]
 [B<-tls_trusted> I<filenames>|I<uris>]
-[B<-tls_host> I<name>]
+[B<-tls_host> I<host>]

 Client-side debugging options:

@ -528,6 +528,7 @@ The I<host> domain name or IP address and optionally I<port>
 of the CMP server to connect to using HTTP(S).
 IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::1]> for localhost.
 If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
+For TLS connections the host part is taken as fallback for the B<-tls_host> option.

 This option excludes I<-port> and I<-use_mock_srv>.
 It is ignored if I<-rspin> is given with enough filename arguments.
@ -1029,11 +1030,12 @@ The certificate verification options
 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
 have no effect on the certificate verification enabled via this option.

-=item B<-tls_host> I<name>
+=item B<-tls_host> I<host>

-Address to be checked during hostname validation.
-This may be a DNS name or an IP address.
-If not given it defaults to the B<-server> address.
+Hostname or IP address to be checked in the TLS server certificate.
+Usually, this is a DNS name, which is then also used for
+Server Name Indication (SNI) according to RFC 3546 section 3.1.
+If not given it defaults to the host part of the B<-server> option URL argument.

 =back

--- a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
@ -26,9 +26,9 @@ the ClientHello callback, which can be set using SSL_CTX_set_client_hello_cb().
 However, even where the ClientHello callback is used, the servername callback is
 still necessary in order to acknowledge the servername requested by the client.

-SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb>
+SSL_CTX_set_tlsext_servername_callback() sets the application callback I<cb>
 used by a server to perform any actions or configuration required based on
-the servername extension received in the incoming connection. When B<cb>
+the servername extension received in the incoming connection. When I<cb>
 is NULL, SNI is not used.

 The servername callback should return one of the following values:
@ -45,14 +45,14 @@ up a different configuration for the selected servername in this case.

 In this case the servername requested by the client is not accepted and the
 handshake will be aborted. The value of the alert to be used should be stored in
-the location pointed to by the B<al> parameter to the callback. By default this
+the location pointed to by the I<al> parameter to the callback. By default this
 value is initialised to SSL_AD_UNRECOGNIZED_NAME.

 =item SSL_TLSEXT_ERR_ALERT_WARNING

 If this value is returned then the servername is not accepted by the server.
 However, the handshake will continue and send a warning alert instead. The value
-of the alert should be stored in the location pointed to by the B<al> parameter
+of the alert should be stored in the location pointed to by the I<al> parameter
 as for SSL_TLSEXT_ERR_ALERT_FATAL above. Note that TLSv1.3 does not support
 warning alerts, so if TLSv1.3 has been negotiated then this return value is
 treated the same way as SSL_TLSEXT_ERR_NOACK.
@ -65,7 +65,7 @@ No alerts are sent and the server will not acknowledge the requested servername.
 =back

 SSL_CTX_set_tlsext_servername_arg() sets a context-specific argument to be
-passed into the callback (via the B<arg> parameter) for this B<SSL_CTX>.
+passed into the callback (via the I<arg> parameter) for this B<SSL_CTX>.

 The behaviour of SSL_get_servername() depends on a number of different factors.
 In particular note that in TLSv1.3 the servername is negotiated in every
@ -123,12 +123,21 @@ client is processed. The servername, certificate and ALPN callbacks occur after
 a servername extension from the client is processed.

 SSL_get_servername_type() returns the servername type or -1 if no servername
-is present. Currently the only supported type (defined in RFC3546) is
-B<TLSEXT_NAMETYPE_host_name>.
+is present.
+The only type defined in RFC 3546 and supported here is B<TLSEXT_NAMETYPE_host_name>.

-SSL_set_tlsext_host_name() sets the server name indication ClientHello extension
-to contain the value B<name>. The type of server name indication extension is set
-to B<TLSEXT_NAMETYPE_host_name> (defined in RFC3546).
+SSL_set_tlsext_host_name() sets the Server Name Indication (SNI)
+ClientHello extension defined in RFC 3546 section 3.1
+to contain the value I<name> of type B<TLSEXT_NAMETYPE_host_name>.
+If I<name> is NULL it clears the SNI extension.
+
+Using this function may be crucial also for correct routing of connection requests.
+TLS clients are recommended to use this function as well as L<SSL_set1_host(3)>
+or L<SSL_add1_host(3)> for validation of server hostname(s) and/or IP address.
+
+The SSL_set_tlsext_host_name() function should only be called on SSL objects
+that will act as clients; otherwise the configured I<name> will be ignored.
+In the future, calling this function on the server side may result in an error.

 =head1 NOTES

@ -136,9 +145,6 @@ Several callbacks are executed during ClientHello processing, including
 the ClientHello, ALPN, and servername callbacks.  The ClientHello callback is
 executed first, then the servername callback, followed by the ALPN callback.

-The SSL_set_tlsext_host_name() function should only be called on SSL objects
-that will act as clients; otherwise the configured B<name> will be ignored.
-
 =head1 RETURN VALUES

 SSL_CTX_set_tlsext_servername_callback() and
@ -148,7 +154,8 @@ SSL_set_tlsext_host_name() returns 1 on success, 0 in case of error.
 =head1 SEE ALSO

 L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>,
-L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_client_hello_cb(3)>
+L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_client_hello_cb(3)>,
+L<X509_VERIFY_PARAM_set1_host(3)>, L<X509_VERIFY_PARAM_add1_host(3)>

 =head1 HISTORY

--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@ -76,54 +76,54 @@ X509_VERIFY_PARAM_set1_ip_asc
 These functions manipulate the B<X509_VERIFY_PARAM> structure associated with
 a certificate verification operation.

-The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring
-it with B<flags>. See L</VERIFICATION FLAGS> for a complete
-description of values the B<flags> parameter can take.
+The X509_VERIFY_PARAM_set_flags() function sets the flags in I<param> by oring
+it with I<flags>. See L</VERIFICATION FLAGS> for a complete
+description of values the I<flags> parameter can take.

-X509_VERIFY_PARAM_get_flags() returns the flags in B<param>.
+X509_VERIFY_PARAM_get_flags() returns the flags in I<param>.

-X509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in B<param>
+X509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in I<param>
 which specifies how verification flags are copied from one structure to
 another. X509_VERIFY_PARAM_set_inh_flags() sets the inheritance flags.
-See the B<INHERITANCE FLAGS> section for a description of these bits.
+See the L</INHERITANCE FLAGS> section for a description of these bits.

-X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>.
+X509_VERIFY_PARAM_clear_flags() clears the flags I<flags> in I<param>.

-X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param>
+X509_VERIFY_PARAM_set_purpose() sets the verification purpose in I<param>
 to B<purpose>. This determines the acceptable purpose of the certificate
 chain, for example B<X509_PURPOSE_SSL_CLIENT>.
 The purpose requirement is cleared if B<purpose> is X509_PURPOSE_DEFAULT_ANY.

 X509_VERIFY_PARAM_get_purpose() returns the purpose in B<param>.

-X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to
-B<trust>.
+X509_VERIFY_PARAM_set_trust() sets the trust setting in I<param> to
+I<trust>.

-X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
-B<t>. Normally the current time is used.
+X509_VERIFY_PARAM_set_time() sets the verification time in I<param> to
+I<t>. Normally the current time is used.

-X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds I<policy> to the acceptable policy set.
 Contrary to preexisting documentation of this function it does not enable
 policy checking.

 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
-by default) and sets the acceptable policy set to B<policies>. Any existing
-policy set is cleared. The B<policies> parameter can be B<NULL> to clear
+by default) and sets the acceptable policy set to I<policies>. Any existing
+policy set is cleared. The I<policies> parameter can be NULL to clear
 an existing policy set.

-X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>.
+X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to I<depth>.
 That is the maximum number of intermediate CA certificates that can appear in a
 chain.
 A maximal depth chain contains 2 more certificates than the limit, since
 neither the end-entity certificate nor the trust-anchor count against this
 limit.
-Thus a B<depth> limit of 0 only allows the end-entity certificate to be signed
-directly by the trust anchor, while with a B<depth> limit of 1 there can be one
+Thus a I<depth> limit of 0 only allows the end-entity certificate to be signed
+directly by the trust anchor, while with a I<depth> limit of 1 there can be one
 intermediate CA certificate between the trust anchor and the end-entity
 certificate.

 X509_VERIFY_PARAM_set_auth_level() sets the authentication security level to
-B<auth_level>.
+I<auth_level>.
 The authentication security level determines the acceptable signature and public
 key strength when verifying certificate chains.
 For a certificate chain to validate, the public keys of all the certificates
@ -139,21 +139,21 @@ Security level 1 requires at least 80-bit-equivalent security and is broadly
 interoperable, though it will, for example, reject MD5 signatures or RSA keys
 shorter than 1024 bits.

-X509_VERIFY_PARAM_get0_host() returns the B<n>th expected DNS hostname that has
+X509_VERIFY_PARAM_get0_host() returns the I<n>th expected DNS hostname that has
 been set using X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host().
-To obtain all names start with B<n> = 0 and increment B<n> as long as no NULL
+To obtain all names start with I<n> = 0 and increment I<n> as long as no NULL
 pointer is returned.

-X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
-B<name> clearing any previously specified hostname.  If
-B<name> is NULL, or empty the list of hostnames is cleared, and
-name checks are not performed on the peer certificate.  If B<name>
-is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
-must be set to the length of B<name>.
+X509_VERIFY_PARAM_set1_host() sets in I<param> the expected
+DNS hostname to I<name>, clearing any previously specified hostname.
+If I<name> is NULL or the empty string, the list of hostnames is cleared
+and hostname checks are not performed on the peer certificate.
+If I<name> is NUL-terminated, I<namelen> may be zero,
+otherwise I<namelen> must be set to the length of I<name>.

 When a hostname is specified,
 certificate verification automatically invokes L<X509_check_host(3)>
-with flags equal to the B<flags> argument given to
+with flags equal to the I<flags> argument given to
 X509_VERIFY_PARAM_set_hostflags() (default zero).  Applications
 are strongly advised to use this interface in preference to explicitly
 calling L<X509_check_host(3)>, hostname checks may be out of scope
@ -176,10 +176,10 @@ flag takes precedence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag.
 X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a
 call to X509_VERIFY_PARAM_set_hostflags().

-X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference
+X509_VERIFY_PARAM_add1_host() adds I<name> as an additional reference
 identifier that can match the peer's certificate.  Any previous names
 set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host()
-are retained, no change is made if B<name> is NULL or empty.  When
+are retained, no change is made if I<name> is NULL or the empty string.  When
 multiple names are configured, the peer is considered verified when
 any name matches.

@ -190,28 +190,32 @@ reference identifier specifies a parent domain (starts with ".")
 rather than a hostname, the peer name may be a wildcard name or a
 sub-domain of the reference identifier respectively.  The return
 string is allocated by the library and is no longer valid once the
-associated B<param> argument is freed.  Applications must not free
+associated I<param> argument is freed.  Applications must not free
 the return value.

 X509_VERIFY_PARAM_get0_email() returns the expected RFC822 email address.

 X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to
-B<email>.  If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise
-B<emaillen> must be set to the length of B<email>.  When an email address
+I<email>.
+If I<email> is NULL or the empty string, email checking is disabled.
+If I<email> is NUL-terminated, I<emaillen> may be zero, otherwise
+I<emaillen> must be set to the length of I<email>.  When an email address
 is specified, certificate verification automatically invokes
 L<X509_check_email(3)>.

 X509_VERIFY_PARAM_get1_ip_asc() returns the expected IP address as a string.
 The caller is responsible for freeing it.

-X509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>.
-The B<ip> argument is in binary format, in network byte-order and
-B<iplen> must be set to 4 for IPv4 and 16 for IPv6.  When an IP
+X509_VERIFY_PARAM_set1_ip() sets the expected IP address to I<ip>.
+If I<ip> is NULL or the empty string, IP address checking is disabled. Otherwise,
+the I<ip> argument must be in binary format, in network byte-order and
+I<iplen> must be set to 4 for IPv4 and 16 for IPv6.  When an IP
 address is specified, certificate verification automatically invokes
 L<X509_check_ip(3)>.

-X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to
-B<ipasc>.  The B<ipasc> argument is a NUL-terminal ASCII string:
+X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to I<ipasc>.
+If I<ifascp> is NULL or the empty string, IP address checking is disabled. Otherwise,
+the I<ipasc> argument must be a NUL-terminated ASCII string:
 dotted decimal quad for IPv4 and colon-separated hexadecimal for
 IPv6.  The condensed "::" notation is supported for IPv6 addresses.

@ -275,9 +279,9 @@ no policy checking is performed. Additional information is sent to the
 verification callback relating to policy checking.

 B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and
-B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any
-policy> and B<inhibit policy mapping> flags respectively as defined in
-B<RFC3280>. Policy checking is automatically enabled if any of these flags
+B<X509_V_FLAG_INHIBIT_MAP> set the C<require explicit policy>, C<inhibit any
+policy> and C<inhibit policy mapping> flags respectively as defined in
+RFC 5280. Policy checking is automatically enabled if any of these flags
 are set.

 If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful
@ -311,6 +315,8 @@ requirements and lead to a locally trusted root.
 This is especially important when some certificates in the trust store have
 explicit trust settings (see "TRUST SETTINGS" in L<openssl-x509(1)>).

+=begin comment
+
 The B<X509_V_FLAG_NO_ALT_CHAINS> flag could have been used before OpenSSL 1.1.0
 to suppress checking for alternative chains.
 By default, unless B<X509_V_FLAG_TRUSTED_FIRST> is set, when building a
@ -321,12 +327,14 @@ found that is trusted.
 As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option
 has no effect.

+=end comment
+
 The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes non-self-signed certificates in the
 trust store to be treated as trust anchors, in the same way as self-signed
 root CA certificates.
 This makes it possible to trust self-issued certificates as well as certificates
 issued by an intermediate CA without having to trust their ancestor root CA.
-With OpenSSL 1.1.0 and later and B<X509_V_FLAG_PARTIAL_CHAIN> set, chain
+With B<X509_V_FLAG_PARTIAL_CHAIN> set, chain
 construction stops as soon as the first certificate contained in the trust store
 is added to the chain, whether that certificate is a self-signed "root"
 certificate or a not self-signed "intermediate" or self-issued certificate.
@ -367,6 +375,12 @@ instead of functions which work in specific structures such as
 X509_STORE_CTX_set_flags() which are likely to be deprecated in a future
 release.

+TLS clients are recommended to set up validation of server hostname(s) and/or
+IP address (directly using the above functions
+or more conveniently using L<SSL_set1_host(3)> or L<SSL_add1_host(3)>)
+and to use L<SSL_set_tlsext_host_name(3)> for Server Name Indication (SNI),
+which may be crucial also for correct routing of the connection request.
+
 =head1 BUGS

 Delta CRL checking is currently primitive. Only a single delta can be used and
@ -380,7 +394,7 @@ CRLs from the CRL distribution points extension.
 =head1 EXAMPLES

 Enable CRL checking when performing certificate verification during SSL
-connections associated with an B<SSL_CTX> structure B<ctx>:
+connections associated with an B<SSL_CTX> structure I<ctx>:

 X509_VERIFY_PARAM *param;

@ -391,10 +405,12 @@ connections associated with an B<SSL_CTX> structure B<ctx>:

 =head1 SEE ALSO

+L<SSL_CTX_set_security_level(3)>,
 L<X509_verify_cert(3)>,
 L<X509_check_host(3)>,
 L<X509_check_email(3)>,
 L<X509_check_ip(3)>,
+L<SSL_set_tlsext_host_name(3)>,
 L<openssl-x509(1)>

 =head1 HISTORY
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -3610,8 +3610,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         * from the server, but we currently allow it to be used on servers
         * as well, which is a programming error.  Currently we just clear
         * the field in SSL_do_handshake() for server SSLs, but when we can
-         * make ABI-breaking changes, we may want to make use of this API
-         * an error on server SSLs.
+         * make ABI-breaking changes, we may want to return an error in this case.
         */
        if (larg == TLSEXT_NAMETYPE_host_name) {
            size_t len;
--- a/test/http_test.c
+++ b/test/http_test.c
@ -283,7 +283,7 @@ static int test_http_keep_alive(char version, int keep_alive, int kept_alive)
 }

 static int test_http_url_ok(const char *url, int exp_ssl, const char *exp_host,
-                            const char *exp_port, const char *exp_path)
+                            const char *exp_port, const char *exp_path, const char *exp_query)
 {
    char *user, *host, *port, *path, *query, *frag;
    int exp_num, num, ssl;
@ -302,8 +302,8 @@ static int test_http_url_ok(const char *url, int exp_ssl, const char *exp_host,
        res = TEST_str_eq(user, "user:pass");
    if (res && *frag != '\0')
        res = TEST_str_eq(frag, "fr");
-    if (res && *query != '\0')
-        res = TEST_str_eq(query, "q");
+    if (res)
+        res = TEST_str_eq(query, exp_query);
    OPENSSL_free(user);
    OPENSSL_free(host);
    OPENSSL_free(port);
@ -329,17 +329,17 @@ static int test_http_url_path_query_ok(const char *url, const char *exp_path_qu)

 static int test_http_url_dns(void)
 {
-    return test_http_url_ok("host:65535/path", 0, "host", "65535", "/path");
+    return test_http_url_ok("host:65535/path", 0, "host", "65535", "/path", "");
 }

 static int test_http_url_timestamp(void)
 {
    return test_http_url_ok("host/p/2017-01-03T00:00:00", 0, "host", "80",
-                            "/p/2017-01-03T00:00:00")
+                            "/p/2017-01-03T00:00:00", "")
        && test_http_url_ok("http://host/p/2017-01-03T00:00:00", 0, "host",
-                            "80", "/p/2017-01-03T00:00:00")
+                            "80", "/p/2017-01-03T00:00:00", "")
        && test_http_url_ok("https://host/p/2017-01-03T00:00:00", 1, "host",
-                            "443", "/p/2017-01-03T00:00:00");
+                            "443", "/p/2017-01-03T00:00:00", "");
 }

 static int test_http_url_path_query(void)
@ -351,17 +351,22 @@ static int test_http_url_path_query(void)

 static int test_http_url_userinfo_query_fragment(void)
 {
-    return test_http_url_ok("user:pass@host/p?q#fr", 0, "host", "80", "/p");
+    return test_http_url_ok("user:pass@host/p?q#fr", 0, "host", "80", "/p", "q");
+}
+
+static int test_http_url_query_including_at(void)
+{
+    return test_http_url_ok("https://host/p?q@z#fr", 1, "host", "443", "/p", "q@z");
 }

 static int test_http_url_ipv4(void)
 {
-    return test_http_url_ok("https://1.2.3.4/p/q", 1, "1.2.3.4", "443", "/p/q");
+    return test_http_url_ok("https://1.2.3.4/p/q", 1, "1.2.3.4", "443", "/p/q", "");
 }

 static int test_http_url_ipv6(void)
 {
-    return test_http_url_ok("http://[FF01::101]:6", 0, "[FF01::101]", "6", "/");
+    return test_http_url_ok("http://[FF01::101]:6", 0, "[FF01::101]", "6", "/", "");
 }

 static int test_http_url_invalid(const char *url)
@ -572,6 +577,7 @@ int setup_tests(void)
    ADD_TEST(test_http_url_timestamp);
    ADD_TEST(test_http_url_path_query);
    ADD_TEST(test_http_url_userinfo_query_fragment);
+    ADD_TEST(test_http_url_query_including_at);
    ADD_TEST(test_http_url_ipv4);
    ADD_TEST(test_http_url_ipv6);
    ADD_TEST(test_http_url_invalid_prefix);
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@ -43,6 +43,7 @@ my @config = ( );
 my $provname = 'default';
 my $dsaallow = '1';
 my $no_pqc = 0;
+my $no_hkdf_fixed = 0;

 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
 my $smdir    = srctop_dir("test", "smime-certs");
@ -68,6 +69,8 @@ unless ($no_fips) {
    $old_fips = 1 if $dsaallow != '0';
    run(test(["fips_version_test", "-config", $provconf, "<3.5.0"]),
        capture => 1, statusvar => \$no_pqc);
+    run(test(["fips_version_test", "-config", $provconf, "<3.6.0"]),
+        capture => 1, statusvar => \$no_hkdf_fixed);
 }

 $ENV{OPENSSL_TEST_LIBCTX} = "1";
@ -1534,7 +1537,7 @@ subtest "ML-KEM KEMRecipientInfo tests for CMS" => sub {

    SKIP: {
        skip "ML-KEM is not supported in this build", 5
-            if disabled("ml-kem") || $no_pqc;
+            if disabled("ml-kem") || $no_hkdf_fixed;

        ok(run(app(["openssl", "cms", @prov, "-encrypt", "-in", $smcont,
                    "-out", "mlkem512.cms",
--- a/util/platform_symbols/windows-symbols.txt
+++ b/util/platform_symbols/windows-symbols.txt
@ -86,11 +86,7 @@ __current_exception
 __C_specific_handler
 wcsstr
 __current_exception_context
-strlen
-strstr
-strchr
 memmove
-strrchr
 memcmp
 memset
 memcpy
@ -119,22 +115,27 @@ __stdio_common_vsprintf_s
 fwrite
 fgets
 _setmode
-strtoul
 atoi
-strtol
 tolower
-strspn
-strcspn
-strncpy
-strpbrk
-strncmp
-strcmp
 strcat_s
+strchr
+strcmp
+strcpy_s
+strcspn
+strerror_s
+strlen
+strncmp
+strncpy
+strncpy_s
+strpbrk
+strrchr
+strspn
+strstr
+strtol
+strtoul
 isspace
 _strdup
 isdigit
-strncpy_s
-strcpy_s
 _gmtime64_s
 __timezone
 _mktime64
@ -150,7 +151,6 @@ _initialize_narrow_environment
 _beginthreadex
 _endthreadex
 _register_onexit_function
-strerror_s
 _execute_onexit_table
 raise
 _crt_atexit
@ -202,10 +202,8 @@ GetModuleHandleW
 memcpy
 memset
 __current_exception_context
-strchr
 memcmp
 memchr
-strstr
 memmove
 __std_type_info_destroy_list
 __current_exception
@ -226,8 +224,6 @@ _crt_at_quick_exit
 _cexit
 _beginthreadex
 _time64
-strncmp
-strcmp
 qsort
 _stat64i32
 atoi