/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */

/*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <err.h>
#include <stdio.h>

#include <openssl/ssl.h>
#include <openssl/x509v3.h>

/*
 * Declared locally rather than pulled from a public header; presumably the
 * accessor is not exported by the installed headers at this point -- verify
 * against <openssl/x509_vfy.h> before relying on that.
 */
unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);

/*
 * Regress test for host flag handling on X509_VERIFY_PARAM objects owned by
 * an SSL_CTX and by an SSL.
 *
 * Four properties are checked in order:
 *   1. a freshly created SSL_CTX reports no host flags;
 *   2. X509_VERIFY_PARAM_set_hostflags() on the SSL_CTX's param is visible
 *      through X509_VERIFY_PARAM_get_hostflags();
 *   3. an SSL created from that SSL_CTX inherits the host flags;
 *   4. SSL_set_hostflags() on the SSL replaces the inherited flags.
 *
 * Allocation failures are fatal (errx); a failed check prints a FAIL line
 * to stderr and stops the test.
 *
 * Returns 0 if every check passed, 1 on the first check that failed.
 */
static int
ssl_verify_param_flags_inherited(void)
{
	const unsigned int want_default = 0;
	const unsigned int want_new = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
	SSL_CTX *ctx;
	SSL *conn = NULL;
	X509_VERIFY_PARAM *vp;
	unsigned int got;
	int rv = 1;

	ctx = SSL_CTX_new(TLS_method());
	if (ctx == NULL)
		errx(1, "SSL_CTX_new");

	/* 1. The SSL_CTX starts out with no host flags set. */
	vp = SSL_CTX_get0_param(ctx);
	if (vp == NULL) {
		fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
		goto done;
	}
	got = X509_VERIFY_PARAM_get_hostflags(vp);
	if (got != want_default) {
		fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
		    "want: %x, got: %x\n", want_default, got);
		goto done;
	}

	/* 2. Flags set on the SSL_CTX's param are observable via the getter. */
	X509_VERIFY_PARAM_set_hostflags(vp, want_new);
	got = X509_VERIFY_PARAM_get_hostflags(vp);
	if (got != want_new) {
		fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
		    "want: %x, got: %x\n", want_new, got);
		goto done;
	}

	/* 3. An SSL created from the SSL_CTX inherits its host flags. */
	conn = SSL_new(ctx);
	if (conn == NULL)
		errx(1, "SSL_new");
	vp = SSL_get0_param(conn);
	if (vp == NULL) {
		fprintf(stderr, "FAIL: no verify param on ssl\n");
		goto done;
	}
	got = X509_VERIFY_PARAM_get_hostflags(vp);
	if (got != want_new) {
		fprintf(stderr, "FAIL: SSL inherited hostflags, "
		    "want: %x, got: %x\n", want_new, got);
		goto done;
	}

	/*
	 * 4. SSL_set_hostflags() on the SSL overrides the inherited value;
	 *    vp still points at the SSL's own param, so read it back from there.
	 */
	SSL_set_hostflags(conn, want_default);
	got = X509_VERIFY_PARAM_get_hostflags(vp);
	if (got != want_default) {
		fprintf(stderr, "FAIL: SSL set hostflags, "
		    "want: %x, got: %x\n", want_default, got);
		goto done;
	}

	rv = 0;

 done:
	/* conn may still be NULL on an early failure; SSL_free(NULL) is fine. */
	SSL_CTX_free(ctx);
	SSL_free(conn);

	return rv;
}

/*
 * Entry point: runs each regress case and ORs the results so the exit
 * status is non-zero if any case failed.
 */
int
main(void)
{
	int rc = 0;

	rc |= ssl_verify_param_flags_inherited();

	return rc;
}