CMP app and app_http_tls_cb(): pick the right TLS hostname (also without port)
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 12 Jan 2023 09:54:50 +0000 (10:54 +0100)
committerHugo Landau <hlandau@openssl.org>
Wed, 10 May 2023 17:36:59 +0000 (18:36 +0100)
Fixes #20031

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20034)

(cherry picked from commit 30b9a6ec89d97152b5a564b3acf3a94ee57185a7)

apps/cmp.c
apps/lib/apps.c

index e5b2a62cc26eef71b4e9413468fb911f66dc84da..8dc44ea50f00ec5de7e684b809676f5e949b1ee8 100644 (file)
@@ -1956,7 +1956,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
-        info->server = opt_server;
+        info->server = host;
         info->port = server_port;
         /* workaround for callback design flaw, see #17088: */
         info->use_proxy = proxy_host != NULL;
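Review bot: The ownership of the string now stored in `info->server` is not visible in the hunk, and unlike the previous value `opt_server` (a command-line option that lives for the whole run), `host` looks like a local of setup_client_ctx, presumably parsed out of opt_server; if it is freed on the function's exit path, the pointer kept in `info` dangles by the time the HTTP/TLS callback reads it. If `host` is heap-allocated and released locally, hand it over instead, e.g. `info->server = host; host = NULL; /* ownership moves to info */`, or store a copy with `OPENSSL_strdup()` and free it together with `info`. A one-line comment stating who frees `info->server` would help either way. The body of setup_client_ctx starts and ends outside the hunk, so this is inferred from the visible lines only.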
index 0d7a20b52afc28d0e45f867962a5eccddfe3be4a..cfab72ae91ecfe101a4711f929032e913fea0c64 100644 (file)
@@ -2474,6 +2474,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
     if (connect) {
         SSL *ssl;
         BIO *sbio = NULL;
+        X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx);
+        X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+        const char *host = vpm == NULL ? NULL :
+            X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */);
 
         /* adapt after fixing callback design flaw, see #17088 */
         if ((info->use_proxy
@@ -2488,8 +2492,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
             return NULL;
         }
 
-        /* adapt after fixing callback design flaw, see #17088 */
-        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
+        if (vpm != NULL)
+            SSL_set_tlsext_host_name(ssl, host /* may be NULL */);
 
         SSL_set_connect_state(ssl);
         BIO_set_ssl(sbio, ssl, BIO_CLOSE);
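Review bot: In the second hunk the SNI value is now taken solely from the verify parameters, so whenever `vpm` carries no hostname `host` is NULL and `SSL_set_tlsext_host_name(ssl, host)` clears the server name instead of sending one; the previous code always sent `info->server`, and a server that dispatches on SNI may now refuse or mis-route the handshake in that configuration. Tying SNI to the name that is also used for certificate hostname verification is the right default, but the NULL case deserves either an explicit fallback such as `SSL_set_tlsext_host_name(ssl, host != NULL ? host : info->server)` (assuming `info->server` is a bare host, as apps/cmp.c now arranges) or a comment saying that no SNI is intended when no verification hostname is configured. The return value of `SSL_set_tlsext_host_name()` is still ignored; the dropped `/* not critical to do */` comment documented that choice and is worth keeping. The body of app_http_tls_cb continues outside both hunks.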