regress/lib/libssl/unit/ssl_verify_param.c

root/regress/lib/libssl/unit/ssl_verify_param.c
/*      $OpenBSD: ssl_verify_param.c,v 1.3 2025/10/24 11:43:34 tb Exp $ */

/*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <err.h>
#include <stdio.h>

#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>

static int
ssl_verify_param_flags_inherited(void)
{
        SSL_CTX *ssl_ctx = NULL;
        SSL *ssl = NULL;
        X509_VERIFY_PARAM *param;
        unsigned int defaultflags = 0;
        unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
        unsigned int flags;
        int failed = 1;

        if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
                errx(1, "SSL_CTX_new");

        if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
                fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
                goto failure;
        }

        if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
                fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
                    "want: %x, got: %x\n", defaultflags, flags);
                goto failure;
        }

        X509_VERIFY_PARAM_set_hostflags(param, newflags);

        if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
                fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
                    "want: %x, got: %x\n", newflags, flags);
                goto failure;
        }

        if ((ssl = SSL_new(ssl_ctx)) == NULL)
                errx(1, "SSL_new");

        if ((param = SSL_get0_param(ssl)) == NULL) {
                fprintf(stderr, "FAIL: no verify param on ssl\n");
                goto failure;
        }

        if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
                fprintf(stderr, "FAIL: SSL inherited hostflags, "
                    "want: %x, got: %x\n", newflags, flags);
                goto failure;
        }

        SSL_set_hostflags(ssl, defaultflags);

        if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
                fprintf(stderr, "FAIL: SSL set hostflags, "
                    "want: %x, got: %x\n", defaultflags, flags);
                goto failure;
        }

        failed = 0;

 failure:
        SSL_CTX_free(ssl_ctx);
        SSL_free(ssl);

        return failed;
}

int
main(void)
{
        int failed = 0;

        failed |= ssl_verify_param_flags_inherited();

        return failed;
}