From: tb Date: Wed, 24 May 2023 08:54:59 +0000 (+0000) Subject: Add a test to verify that an SSL inherits the hostflags from the SSL_CTX X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=90fab13908184395bb9f495c0ebcceb96ec05c2d;p=openbsd Add a test to verify that an SSL inherits the hostflags from the SSL_CTX This is currently an expected failure that will be fixed shortly. --- diff --git a/regress/lib/libssl/unit/Makefile b/regress/lib/libssl/unit/Makefile index 191aadf2bb4..413307b7a01 100644 --- a/regress/lib/libssl/unit/Makefile +++ b/regress/lib/libssl/unit/Makefile @@ -1,9 +1,10 @@ -# $OpenBSD: Makefile,v 1.14 2022/12/02 01:15:11 tb Exp $ +# $OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $ PROGS += cipher_list PROGS += ssl_get_shared_ciphers PROGS += ssl_methods PROGS += ssl_set_alpn_protos +PROGS += ssl_verify_param PROGS += ssl_versions PROGS += tls_ext_alpn PROGS += tls_prf @@ -15,4 +16,8 @@ CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror CFLAGS+= -DCERTSDIR=\"${.CURDIR}/../certs\" CFLAGS+= -I${.CURDIR}/../../../../lib/libssl +LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT} + +REGRESS_EXPECTED_FAILURES+= run-regress-ssl_verify_param + .include diff --git a/regress/lib/libssl/unit/ssl_verify_param.c b/regress/lib/libssl/unit/ssl_verify_param.c new file mode 100644 index 00000000000..cdb52c56a88 --- /dev/null +++ b/regress/lib/libssl/unit/ssl_verify_param.c @@ -0,0 +1,99 @@ +/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */ + +/* + * Copyright (c) 2023 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include + +unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param); + +static int +ssl_verify_param_flags_inherited(void) +{ + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + X509_VERIFY_PARAM *param; + unsigned int defaultflags = 0; + unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + unsigned int flags; + int failed = 1; + + if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) + errx(1, "SSL_CTX_new"); + + if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) { + fprintf(stderr, "FAIL: no verify param on ssl_ctx\n"); + goto failure; + } + + if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) { + fprintf(stderr, "FAIL: SSL_CTX default hostflags, " + "want: %x, got: %x\n", defaultflags, flags); + goto failure; + } + + X509_VERIFY_PARAM_set_hostflags(param, newflags); + + if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) { + fprintf(stderr, "FAIL: SSL_CTX new hostflags, " + "want: %x, got: %x\n", newflags, flags); + goto failure; + } + + if ((ssl = SSL_new(ssl_ctx)) == NULL) + errx(1, "SSL_new"); + + if ((param = SSL_get0_param(ssl)) == NULL) { + fprintf(stderr, "FAIL: no verify param on ssl\n"); + goto failure; + } + + if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) { + fprintf(stderr, "FAIL: SSL inherited hostflags, " + "want: %x, got: %x\n", newflags, flags); + goto failure; + } + + SSL_set_hostflags(ssl, defaultflags); + + if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) { + fprintf(stderr, "FAIL: SSL set hostflags, " + "want: %x, got: %x\n", defaultflags, flags); + goto failure; + } + + failed = 0; + + failure: + SSL_CTX_free(ssl_ctx); + SSL_free(ssl); + + return failed; +} + +int +main(void) +{ + int failed = 0; + + failed |= ssl_verify_param_flags_inherited(); + + return failed; +}