From: Matt Caswell Date: Mon, 16 Jun 2025 15:00:13 +0000 (+0100) Subject: Ensure we pass the user SSL object for the SSL_set_verify callback X-Git-Tag: openssl-3.5.1~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e91337729fca981a5dce8b1120959141fb7379a;p=thirdparty%2Fopenssl.git Ensure we pass the user SSL object for the SSL_set_verify callback When calling the verify callback we need to ensure we supply the user SSL object, and not any internal SSL object. Fixes #27830 Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27838) (cherry picked from commit 4b148ebb66cdac8a095f22cbdfa475d68c947f7a) --- diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index ae0f9804492..1be6cd7dbc9 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -478,9 +478,9 @@ static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY * /* Set suite B flags if needed */ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); if (!X509_STORE_CTX_set_ex_data(ctx, - SSL_get_ex_data_X509_STORE_CTX_idx(), s)) { + SSL_get_ex_data_X509_STORE_CTX_idx(), + SSL_CONNECTION_GET_USER_SSL(s))) goto end; - } /* Verify via DANE if enabled */ if (DANETLS_ENABLED(&s->dane))
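Review bot: in the X509_STORE_CTX_set_ex_data() call in ssl_verify_internal(), the pointer stored under SSL_get_ex_data_X509_STORE_CTX_idx() changes from the SSL_CONNECTION `s` to SSL_CONNECTION_GET_USER_SSL(s), yet the patch touches only ssl/ssl_cert.c and adds no regression test. Suggest a test for the case in #27830 that installs a callback with SSL_set_verify() and asserts that X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()) inside the callback returns the same SSL pointer the application created. It is also worth confirming that no other reader of this ex_data slot inside the library still expects the internal object, and that the macro cannot yield NULL at this point, since a NULL would be stored without error and only surface when the callback dereferences it.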