Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

align X509_VERIFY_PARAM host and email behavior with OpenSSL #1062

Merged
merged 1 commit into from
Jun 28, 2023
Merged

align X509_VERIFY_PARAM host and email behavior with OpenSSL #1062

merged 1 commit into from
Jun 28, 2023

Conversation

samuel40791765
Copy link
Contributor

@samuel40791765 samuel40791765 commented Jun 15, 2023
edited
Loading

Issues:

Resolves CryptoAlg-1865

Description of changes:

A dig into some of the mySQL/AWS-LC test failures revealed that this was the root cause.

BoringSSL briefly made this backwards compatible, but enforced the stricter check a week later since Chrome was not effected by this.

This doesn't apply to us however, so we're reverting the strict check in an attempt to be more compatible with OpenSSL.

Call-outs:

I've reverted the check for X509_VERIFY_PARAM_set1_email while I was at it as well. X509_VERIFY_PARAM_set1_ip was using the same underlying logic as X509_VERIFY_PARAM_set1_email which made things a bit complicated.
X509_VERIFY_PARAM_set1_ip takes an unsigned char *, but changes to make it more compatible with OpenSSL required strlen to detect the length of the string. I've separated the logic for X509_VERIFY_PARAM_set1_email/ip into two functions to get around this.
X509_VERIFY_PARAM_set1_ip now maintains the original BoringSSL behavior, while X509_VERIFY_PARAM_set1_email is compatible with OpenSSL now. We can look into making X509_VERIFY_PARAM_set1_ip more compatible with OpenSSL later on if needed.

Testing:

CI

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 requested a review from andrewhop June 15, 2023 22:10
@samuel40791765 samuel40791765 marked this pull request as ready for review June 15, 2023 22:39
@samuel40791765 samuel40791765 requested a review from skmcgrail June 19, 2023 23:04
andrewhop
andrewhop reviewed Jun 21, 2023
View reviewed changes
crypto/x509/x509_vpm.c Show resolved Hide resolved
crypto/x509/x509_vpm.c Show resolved Hide resolved
crypto/x509/x509_vpm.c Show resolved Hide resolved
@samuel40791765 samuel40791765 enabled auto-merge (squash) June 28, 2023 00:28
@samuel40791765 samuel40791765 merged commit 66bc075 into aws:main Jun 28, 2023
@skmcgrail skmcgrail mentioned this pull request Jul 7, 2023
Merged
@samuel40791765 samuel40791765 deleted the x509-verify-openssl branch September 12, 2023 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewhop andrewhop andrewhop approved these changes

@skmcgrail skmcgrail skmcgrail approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@samuel40791765 @skmcgrail @andrewhop