Add a test to verify that an SSL inherits the hostflags from the SSL_CTX

This is currently an expected failure that will be fixed shortly.

2 files changed, 105 insertions, 1 deletions

diff --git a/regress/lib/libssl/unit/Makefile b/regress/lib/libssl/unit/Makefile
index 191aadf2bb4..413307b7a01 100644
--- a/regress/lib/libssl/unit/Makefile
+++ b/regress/lib/libssl/unit/Makefile
@@ -1,9 +1,10 @@
-#	$OpenBSD: Makefile,v 1.14 2022/12/02 01:15:11 tb Exp $
+#	$OpenBSD: Makefile,v 1.15 2023/05/24 08:54:59 tb Exp $
 
 PROGS += cipher_list
 PROGS += ssl_get_shared_ciphers
 PROGS += ssl_methods
 PROGS += ssl_set_alpn_protos
+PROGS += ssl_verify_param
 PROGS += ssl_versions
 PROGS += tls_ext_alpn
 PROGS += tls_prf
@@ -15,4 +16,8 @@ CFLAGS+=	-DLIBRESSL_INTERNAL -Wall -Wundef -Werror
 CFLAGS+=	-DCERTSDIR=\"${.CURDIR}/../certs\"
 CFLAGS+=	-I${.CURDIR}/../../../../lib/libssl
 
+LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT}
+
+REGRESS_EXPECTED_FAILURES+=	run-regress-ssl_verify_param
+
 .include <bsd.regress.mk>
diff --git a/regress/lib/libssl/unit/ssl_verify_param.c b/regress/lib/libssl/unit/ssl_verify_param.c
new file mode 100644
index 00000000000..cdb52c56a88
--- /dev/null
+++ b/regress/lib/libssl/unit/ssl_verify_param.c
@@ -0,0 +1,99 @@
+/*	$OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
+
+/*
+ * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+#include <stdio.h>
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
+
+static int
+ssl_verify_param_flags_inherited(void)
+{
+	SSL_CTX *ssl_ctx = NULL;
+	SSL *ssl = NULL;
+	X509_VERIFY_PARAM *param;
+	unsigned int defaultflags = 0;
+	unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+	unsigned int flags;
+	int failed = 1;
+
+	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+		errx(1, "SSL_CTX_new");
+
+	if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
+		fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
+		goto failure;
+	}
+
+	if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
+		fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
+		    "want: %x, got: %x\n", defaultflags, flags);
+		goto failure;
+	}
+
+	X509_VERIFY_PARAM_set_hostflags(param, newflags);
+
+	if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
+		fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
+		    "want: %x, got: %x\n", newflags, flags);
+		goto failure;
+	}
+
+	if ((ssl = SSL_new(ssl_ctx)) == NULL)
+		errx(1, "SSL_new");
+
+	if ((param = SSL_get0_param(ssl)) == NULL) {
+		fprintf(stderr, "FAIL: no verify param on ssl\n");
+		goto failure;
+	}
+
+	if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
+		fprintf(stderr, "FAIL: SSL inherited hostflags, "
+		    "want: %x, got: %x\n", newflags, flags);
+		goto failure;
+	}
+
+	SSL_set_hostflags(ssl, defaultflags);
+
+	if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
+		fprintf(stderr, "FAIL: SSL set hostflags, "
+		    "want: %x, got: %x\n", defaultflags, flags);
+		goto failure;
+	}
+
+	failed = 0;
+
+ failure:
+	SSL_CTX_free(ssl_ctx);
+	SSL_free(ssl);
+
+	return failed;
+}
+
+int
+main(void)
+{
+	int failed = 0;
+
+	failed |= ssl_verify_param_flags_inherited();
+
+	return failed;
+}