Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set#28797
Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set#28797carter-thaxton wants to merge 1 commit intoopenssl:openssl-3.6from
Conversation
|
CLA: trivial |
shahsb
left a comment
There was a problem hiding this comment.
LGTM. Okay with CLA: Trivial
shahsb
left a comment
There was a problem hiding this comment.
The author has to add CLA: trivial in the commit message separated by an empty line from the rest of the message. and also, obviously you'll have to sign the CLA if not done yet. Thanks!
…AG_CRL_CHECK is clear This fixes openssl#28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial
f775206 to
243f9d3
Compare
|
BTW, this pull request was made directly to the |
|
Any time line about this one here? :-) |
|
ping @openssl/committers for second review |
|
This pull request is ready to merge |
…AG_CRL_CHECK is clear Fixes #28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28797)
…AG_CRL_CHECK is clear Fixes #28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28797) (cherry picked from commit cbaf28c)
|
Merged (after reformatting with clang-format) to the master and 3.6 branches. Thank you for your contribution. |
…AG_CRL_CHECK is clear Fixes openssl#28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#28797) (cherry picked from commit cbaf28c)
3.6.1 CHANGES.md includes the following: * #28760 "Improve the CPUINFO display for RISC-V" * #28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set" * #28955 "Fix for TLS handshake issue with GnuTLS #28902" * #29155 "fix(x509.c): fixed -checkend return values" * #29214 "s390x: Check and fail on invalid malformed ECDSA signatures" * #29245 "Clang format 3.6" * #29251 "Fix change of behavior of the single stapled OCSP response API" 3.6.1 NEWS.md includes the following: * #28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set" * #28955 "Fix for TLS handshake issue with GnuTLS #28902" Co-Authored-by: Tomáš Mráz <[email protected]> Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Saša Nedvědický <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> MergeDate: Mon Jan 26 20:01:30 2026
Fixes #28758
When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case.
In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior.
For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0.
All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit.
CLA: trivial