1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
/*
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <err.h>
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
static int
ssl_verify_param_flags_inherited(void)
{
SSL_CTX *ssl_ctx = NULL;
SSL *ssl = NULL;
X509_VERIFY_PARAM *param;
unsigned int defaultflags = 0;
unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
unsigned int flags;
int failed = 1;
if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
errx(1, "SSL_CTX_new");
if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
goto failure;
}
if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
"want: %x, got: %x\n", defaultflags, flags);
goto failure;
}
X509_VERIFY_PARAM_set_hostflags(param, newflags);
if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
"want: %x, got: %x\n", newflags, flags);
goto failure;
}
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "SSL_new");
if ((param = SSL_get0_param(ssl)) == NULL) {
fprintf(stderr, "FAIL: no verify param on ssl\n");
goto failure;
}
if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
fprintf(stderr, "FAIL: SSL inherited hostflags, "
"want: %x, got: %x\n", newflags, flags);
goto failure;
}
SSL_set_hostflags(ssl, defaultflags);
if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
fprintf(stderr, "FAIL: SSL set hostflags, "
"want: %x, got: %x\n", defaultflags, flags);
goto failure;
}
failed = 0;
failure:
SSL_CTX_free(ssl_ctx);
SSL_free(ssl);
return failed;
}
int
main(void)
{
int failed = 0;
failed |= ssl_verify_param_flags_inherited();
return failed;
}
|
