author | Christian Heimes <christian@python.org> | 2021-03-30 12:02:42 +0200 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-04-09 08:32:38 +1000 |
commit | dfccfde06562ac87fe5e5f9401ba86cad050d9a2 (patch) | |
tree | 3290e4012045649bc3b4d26b745d8ff7e42fcc92 | |
parent | 6d9e045ef724df0ddc8c8f66dcfdff4f8ba0bc03 (diff) |
Inherit hostflags verify params even without hosts
X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts.
Previously hostflags were only copied when at least one host was set.
Typically applications don't configure hosts on SSL_CTX. The change
enables applications to configure hostflags on SSL_CTX and have OpenSSL
copy the flags from SSL_CTX to SSL.
Fixes: https://github.com/openssl/openssl/issues/14579
Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14743)
-rw-r--r-- | crypto/x509/x509_vpm.c | 4 | ||||
-rw-r--r-- | test/sslapitest.c | 43 |
2 files changed, 45 insertions, 2 deletions
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 8914a2bd6f..d11aa2341a 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -199,7 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 return 0;
 }
- /* Copy the host flags if and only if we're copying the host list */
+ x509_verify_param_copy(hostflags, 0);
+
 if (test_x509_verify_param_copy(hosts, NULL)) {
 sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
 dest->hosts = NULL;
@@ -208,7 +209,6 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
 if (dest->hosts == NULL)
 return 0;
- dest->hostflags = src->hostflags;
 }
 }
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 31b36b23b1..2d196a155c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -31,6 +31,7 @@
 #include <openssl/core_dispatch.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
+#include <openssl/x509v3.h>
 #include "helpers/ssltestlib.h"
 #include "testutil.h"
@@ -8623,6 +8624,47 @@ end:
 }
 #endif
+static int test_inherit_verify_param(void)
+{
+ int testresult = 0;
+
+ SSL_CTX *ctx = NULL;
+ X509_VERIFY_PARAM *cp = NULL;
+ SSL *ssl = NULL;
+ X509_VERIFY_PARAM *sp = NULL;
+ int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+
+ ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ if (!TEST_ptr(ctx))
+ goto end;
+
+ cp = SSL_CTX_get0_param(ctx);
+ if (!TEST_ptr(cp))
+ goto end;
+ if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
+ goto end;
+
+ X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
+
+ ssl = SSL_new(ctx);
+ if (!TEST_ptr(ssl))
+ goto end;
+
+ sp = SSL_get0_param(ssl);
+ if (!TEST_ptr(sp))
+ goto end;
+ if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+
+ return testresult;
+}
+
 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
 int setup_tests(void)
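Review bot: The new `x509_verify_param_copy(hostflags, 0);` line drops the old explanatory comment without replacing it, and the rule it now applies to the flags — presumably the same copy-unless-destination-already-set rule the macro applies to the other fields, with `0` as the "unset" value — is no longer stated anywhere in the function. Suggest a comment above it such as `/* Host flags are inherited independently of the host list; a non-zero destination mask is kept unless overwriting */`. Because the mask is copied as a whole rather than merged bitwise, an SSL that already carries any hostflag keeps its own mask and gains none of the SSL_CTX's flags, which is worth spelling out in X509_VERIFY_PARAM_inherit's documentation. X509_VERIFY_PARAM_inherit starts before this hunk, and the second hunk of this file removes the old assignment inside the hosts branch.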
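Review bot: `hostflags` is declared `int` and both checks use `TEST_int_eq`, but X509_VERIFY_PARAM_get_hostflags() returns `unsigned int` and X509_VERIFY_PARAM_set_hostflags() takes one, so the test compares across signedness; `unsigned int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;` together with `TEST_uint_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0)` and `TEST_uint_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags)` matches the API's types. The test also sets a single flag bit, so it cannot tell "the whole mask was inherited" from "one bit was inherited"; a combined value such as `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT | X509_CHECK_FLAG_NO_WILDCARDS` would pin that the mask is copied intact. Leaving the SSL_CTX without any hosts is the right shape for this regression test, since that is exactly the case the old copy-with-hosts rule missed.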
@@ -8872,6 +8914,7 @@ int setup_tests(void)
 #ifndef OSSL_NO_USABLE_TLS1_3
 ADD_TEST(test_sni_tls13);
 #endif
+ ADD_TEST(test_inherit_verify_param);
 return 1;
 err:
|