CMP app and app_http_tls_cb(): pick the right TLS hostname (also without port)

Fixes #20031 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20034)
2024-11-21 01:15:20 +08:00 · 2023-01-12 10:54:50 +01:00 · 2023-01-12 10:54:50 +01:00 · 30b9a6ec89
commit 30b9a6ec89
parent e5a054b7fc
2 changed files with 7 additions and 3 deletions
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -1952,7 +1952,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
        if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
            goto err;
        (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
-        info->server = opt_server;
+        info->server = host;
        info->port = server_port;
        /* workaround for callback design flaw, see #17088: */
        info->use_proxy = proxy_host != NULL;
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -2529,6 +2529,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
    if (connect) {
        SSL *ssl;
        BIO *sbio = NULL;
+        X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx);
+        X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+        const char *host = vpm == NULL ? NULL :
+            X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */);

        /* adapt after fixing callback design flaw, see #17088 */
        if ((info->use_proxy
@ -2543,8 +2547,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
            return NULL;
        }

-        /* adapt after fixing callback design flaw, see #17088 */
-        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
+        if (vpm != NULL)
+            SSL_set_tlsext_host_name(ssl, host /* may be NULL */);

        SSL_set_connect_state(ssl);
        BIO_set_ssl(sbio, ssl, BIO_CLOSE);