Copy the verify param hostflags independently of the host list

Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.

There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.

ok jsing

diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c
index 2110787..5c8c09e 100644 (file)
--- a/lib/libcrypto/x509/x509_vpm.c
+++ b/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.38 2023/05/24 08:46:01 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -326,7 +326,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
                        return 0;
        }
 
-       /* Copy the host flags if and only if we're copying the host list */
+       if (test_x509_verify_param_copy_id(hostflags, 0))
+               dest->id->hostflags = id->hostflags;
+
        if (test_x509_verify_param_copy_id(hosts, NULL)) {
                if (dest->id->hosts) {
                        sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free);
@@ -337,7 +339,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
                            sk_deep_copy(id->hosts, strdup, str_free);
                        if (dest->id->hosts == NULL)
                                return 0;
-                       dest->id->hostflags = id->hostflags;
                }
        }
 

diff --git a/regress/lib/libssl/unit/Makefile b/regress/lib/libssl/unit/Makefile
index 413307b..6a92506 100644 (file)
--- a/regress/lib/libssl/unit/Makefile
+++ b/regress/lib/libssl/unit/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $
+#      $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $
 
 PROGS += cipher_list
 PROGS += ssl_get_shared_ciphers
@@ -18,6 +18,4 @@ CFLAGS+=      -I${.CURDIR}/../../../../lib/libssl
 
 LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT}
 
-REGRESS_EXPECTED_FAILURES+=    run-regress-ssl_verify_param
-
 .include <bsd.regress.mk>