/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */

/*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
18*90fab139Stb
19*90fab139Stb #include <err.h>
20*90fab139Stb #include <stdio.h>
21*90fab139Stb
22*90fab139Stb #include <openssl/ssl.h>
23*90fab139Stb #include <openssl/x509v3.h>
24*90fab139Stb
25*90fab139Stb unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
26*90fab139Stb
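/*
 * Regression check for X509 verify parameter handling on SSL_CTX and SSL:
 * a fresh SSL_CTX starts with no hostflags, hostflags set on the SSL_CTX
 * are inherited by an SSL created from it, SSL_set_hostflags() updates the
 * SSL's parameters, and the SSL's parameters are a copy, so changing them
 * does not write back into the SSL_CTX.
 *
 * Returns 0 on success and 1 on failure, after printing a diagnostic to
 * stderr. Allocation failures are not test failures and abort via errx().
 */
static int
ssl_verify_param_flags_inherited(void)
{
	SSL_CTX *ssl_ctx = NULL;
	SSL *ssl = NULL;
	X509_VERIFY_PARAM *ctx_param;
	X509_VERIFY_PARAM *ssl_param;
	unsigned int defaultflags = 0;
	unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
	unsigned int flags;
	int failed = 1;

	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
		errx(1, "SSL_CTX_new");

	if ((ctx_param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
		fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
		goto failure;
	}

	/* A freshly created context must start without any hostflags. */
	if ((flags = X509_VERIFY_PARAM_get_hostflags(ctx_param)) != defaultflags) {
		fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
		    "want: %x, got: %x\n", defaultflags, flags);
		goto failure;
	}

	X509_VERIFY_PARAM_set_hostflags(ctx_param, newflags);

	if ((flags = X509_VERIFY_PARAM_get_hostflags(ctx_param)) != newflags) {
		fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
		    "want: %x, got: %x\n", newflags, flags);
		goto failure;
	}

	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		errx(1, "SSL_new");

	if ((ssl_param = SSL_get0_param(ssl)) == NULL) {
		fprintf(stderr, "FAIL: no verify param on ssl\n");
		goto failure;
	}

	/* SSL_new() must carry the hostflags over from the context. */
	if ((flags = X509_VERIFY_PARAM_get_hostflags(ssl_param)) != newflags) {
		fprintf(stderr, "FAIL: SSL inherited hostflags, "
		    "want: %x, got: %x\n", newflags, flags);
		goto failure;
	}

	SSL_set_hostflags(ssl, defaultflags);

	if ((flags = X509_VERIFY_PARAM_get_hostflags(ssl_param)) != defaultflags) {
		fprintf(stderr, "FAIL: SSL set hostflags, "
		    "want: %x, got: %x\n", defaultflags, flags);
		goto failure;
	}

	/*
	 * The SSL works on its own copy of the parameters: resetting the
	 * hostflags on the SSL must not have changed the context, otherwise
	 * one connection could silently relax hostname checking for every
	 * connection created from the same SSL_CTX afterwards.
	 */
	if ((flags = X509_VERIFY_PARAM_get_hostflags(ctx_param)) != newflags) {
		fprintf(stderr, "FAIL: SSL_CTX hostflags changed by SSL, "
		    "want: %x, got: %x\n", newflags, flags);
		goto failure;
	}

	failed = 0;

 failure:
	/* The SSL holds a reference to its context; release it first. */
	SSL_free(ssl);
	SSL_CTX_free(ssl_ctx);

	return failed;
}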
90*90fab139Stb
/*
 * Entry point of the regress test: runs the verify parameter check and
 * reports its result to the shell as the exit status (0 on success).
 */
int
main(void)
{
	int rc;

	rc = ssl_verify_param_flags_inherited();

	return rc;
}