Add a test to verify that an SSL inherits the hostflags from the SSL_CTX

This is currently an expected failure that will be fixed shortly.

diff --git a/regress/lib/libssl/unit/Makefile b/regress/lib/libssl/unit/Makefile
index 191aadf..413307b 100644 (file)
--- a/regress/lib/libssl/unit/Makefile
+++ b/regress/lib/libssl/unit/Makefile
@@ -1,9 +1,10 @@
-#      $OpenBSD: Makefile,v 1.14 2022/12/02 01:15:11 tb Exp $
+#      $OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $
 
 PROGS += cipher_list
 PROGS += ssl_get_shared_ciphers
 PROGS += ssl_methods
 PROGS += ssl_set_alpn_protos
+PROGS += ssl_verify_param
 PROGS += ssl_versions
 PROGS += tls_ext_alpn
 PROGS += tls_prf
@@ -15,4 +16,8 @@ CFLAGS+=      -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
 CFLAGS+=       -DCERTSDIR=\"${.CURDIR}/../certs\"
 CFLAGS+=       -I${.CURDIR}/../../../../lib/libssl
 
+LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT}
+
+REGRESS_EXPECTED_FAILURES+=    run-regress-ssl_verify_param
+
 .include <bsd.regress.mk>

diff --git a/regress/lib/libssl/unit/ssl_verify_param.c b/regress/lib/libssl/unit/ssl_verify_param.c
new file mode 100644 (file)
index 0000000..cdb52c5
--- /dev/null
+++ b/regress/lib/libssl/unit/ssl_verify_param.c
@@ -0,0 +1,99 @@
+/*     $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
+
+/*
+ * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+#include <stdio.h>
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
+
+static int
+ssl_verify_param_flags_inherited(void)
+{
+       SSL_CTX *ssl_ctx = NULL;
+       SSL *ssl = NULL;
+       X509_VERIFY_PARAM *param;
+       unsigned int defaultflags = 0;
+       unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+       unsigned int flags;
+       int failed = 1;
+
+       if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+               errx(1, "SSL_CTX_new");
+
+       if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
+               fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
+               goto failure;
+       }
+
+       if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
+               fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
+                   "want: %x, got: %x\n", defaultflags, flags);
+               goto failure;
+       }
+
+       X509_VERIFY_PARAM_set_hostflags(param, newflags);
+
+       if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
+               fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
+                   "want: %x, got: %x\n", newflags, flags);
+               goto failure;
+       }
+
+       if ((ssl = SSL_new(ssl_ctx)) == NULL)
+               errx(1, "SSL_new");
+
+       if ((param = SSL_get0_param(ssl)) == NULL) {
+               fprintf(stderr, "FAIL: no verify param on ssl\n");
+               goto failure;
+       }
+
+       if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
+               fprintf(stderr, "FAIL: SSL inherited hostflags, "
+                   "want: %x, got: %x\n", newflags, flags);
+               goto failure;
+       }
+
+       SSL_set_hostflags(ssl, defaultflags);
+
+       if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
+               fprintf(stderr, "FAIL: SSL set hostflags, "
+                   "want: %x, got: %x\n", defaultflags, flags);
+               goto failure;
+       }
+
+       failed = 0;
+
+ failure:
+       SSL_CTX_free(ssl_ctx);
+       SSL_free(ssl);
+
+       return failed;
+}
+
+int
+main(void)
+{
+       int failed = 0;
+
+       failed |= ssl_verify_param_flags_inherited();
+
+       return failed;
+}