From 21ac86adb3b23c9384895e3cfd29873023866b22 Mon Sep 17 00:00:00 2001
From: Elms
Date: Fri, 22 Jan 2021 12:12:59 -0800
Subject: [PATCH] SSL: refactor SSL verify mode to be more compatible

This follows the bit flag pattern closer. Still doesn't support `SSL_VERIFY_CLIENT_ONCE` and maybe other flags.
---
 src/ssl.c | 90 ++++++++++++++++++++++++-----------------------------
 tests/api.c | 12 +++++++
 2 files changed, 53 insertions(+), 49 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 51256fde7..dceac0a2e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10637,23 +10637,18 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
     ctx->failNoCert = 0;
     ctx->failNoCertxPSK = 0;
 
-    if (mode & WOLFSSL_VERIFY_PEER) {
-        ctx->verifyPeer = 1;
-        ctx->verifyNone = 0; /* in case previously set */
-    }
-
     if (mode == WOLFSSL_VERIFY_NONE) {
         ctx->verifyNone = 1;
-        ctx->verifyPeer = 0; /* in case previously set */
-    }
-
-    if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
-        ctx->failNoCert = 1;
-    }
-
-    if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
-        ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
-        ctx->failNoCertxPSK = 1;
+    } else {
+        if (mode & WOLFSSL_VERIFY_PEER) {
+            ctx->verifyPeer = 1;
+        }
+        if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+            ctx->failNoCertxPSK = 1;
+        }
+        if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+            ctx->failNoCert = 1;
+        }
     }
 
     ctx->verifyCallback = vc;
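Review bot: The new else-branch no longer keeps WOLFSSL_VERIFY_FAIL_EXCEPT_PSK and WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT mutually exclusive: the removed `ctx->failNoCert = 0; /* fail on all is set to fail on PSK */` made the PSK exemption win when both bits were passed, whereas now both `failNoCert` and `failNoCertxPSK` stay set. Which flag the handshake honours in that combination is not visible here; if `failNoCert` dominates, a caller passing both bits silently moves from the PSK exemption to strict rejection, so either restore the clearing or state the intended precedence in a comment above the else, e.g. `/* both fail flags may be set; the handshake decides precedence */`. The rewrite also drops the explicit `verifyPeer = 0` / `verifyNone = 0` resets and relies on those fields being cleared above the hunk, which is outside the view — worth confirming, since a stale `verifyNone` alongside `verifyPeer` would make the getter report WOLFSSL_VERIFY_NONE for a peer-verifying context. The same two points apply to wolfSSL_set_verify in the next hunk. wolfSSL_CTX_set_verify begins before and ends after this hunk.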
@@ -10684,22 +10679,18 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
     ssl->options.failNoCert = 0;
     ssl->options.failNoCertxPSK = 0;
 
-    if (mode & WOLFSSL_VERIFY_PEER) {
-        ssl->options.verifyPeer = 1;
-        ssl->options.verifyNone = 0; /* in case previously set */
-    }
-
     if (mode == WOLFSSL_VERIFY_NONE) {
         ssl->options.verifyNone = 1;
-        ssl->options.verifyPeer = 0; /* in case previously set */
-    }
-
-    if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-        ssl->options.failNoCert = 1;
-
-    if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
-        ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
-        ssl->options.failNoCertxPSK = 1;
+    } else {
+        if (mode & WOLFSSL_VERIFY_PEER) {
+            ssl->options.verifyPeer = 1;
+        }
+        if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+            ssl->options.failNoCertxPSK = 1;
+        }
+        if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+            ssl->options.failNoCert = 1;
+        }
     }
 
     ssl->verifyCallback = vc;
@@ -45687,6 +45678,7 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 
 #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
     || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
+/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
 int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
     int mode = 0;
     WOLFSSL_ENTER("wolfSSL_get_verify_mode");
@@ -45694,16 +45686,16 @@ int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
     if(!ssl)
         return WOLFSSL_FATAL_ERROR;
 
-    if (ssl->options.verifyPeer)
-        mode |= WOLFSSL_VERIFY_PEER;
-    else if (ssl->options.verifyNone)
-        mode |= WOLFSSL_VERIFY_NONE;
-
-    if (ssl->options.failNoCert)
-        mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
-    if (ssl->options.failNoCertxPSK)
-        mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+    if (ssl->options.verifyNone) {
+        mode = WOLFSSL_VERIFY_NONE;
+    } else {
+        if (ssl->options.verifyPeer)
+            mode |= WOLFSSL_VERIFY_PEER;
+        if (ssl->options.failNoCert)
+            mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+        if (ssl->options.failNoCertxPSK)
+            mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+    }
 
     WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
     return mode;
@@ -45717,16 +45709,16 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
     if(!ctx)
         return WOLFSSL_FATAL_ERROR;
 
-    if (ctx->verifyPeer)
-        mode |= WOLFSSL_VERIFY_PEER;
-    else if (ctx->verifyNone)
-        mode |= WOLFSSL_VERIFY_NONE;
-
-    if (ctx->failNoCert)
-        mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
-    if (ctx->failNoCertxPSK)
-        mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+    if (ctx->verifyNone) {
+        mode = WOLFSSL_VERIFY_NONE;
+    } else {
+        if (ctx->verifyPeer)
+            mode |= WOLFSSL_VERIFY_PEER;
+        if (ctx->failNoCert)
+            mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+        if (ctx->failNoCertxPSK)
+            mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+    }
 
     WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
     return mode;
diff --git a/tests/api.c b/tests/api.c
index 4172dbf67..9eb57a3c4 100644
--- a/tests/api.c
+++ b/tests/api.c
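Review bot: wolfSSL_CTX_get_verify_mode in the second hunk receives the same restructuring as wolfSSL_get_verify_mode but not the `/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */` comment the patch adds above wolfSSL_get_verify_mode; the limitation applies to both getters, so the same comment belongs above `int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)`. With verifyNone set, both getters now return WOLFSSL_VERIFY_NONE outright instead of OR-ing into mode, which is correct only because the setters leave failNoCert/failNoCertxPSK at zero in that case; a one-line comment such as `/* verifyNone excludes the other flags; the setters keep them clear */` would make that coupling visible to the next person who touches the setters. As a point of style, both hunks brace the outer if/else but leave the inner single-statement ifs braceless, while the setter hunks brace everything; bracing the inner ifs keeps the file consistent. Each function's header precedes its hunk.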
@@ -32114,6 +32114,18 @@ static void test_wolfSSL_verify_mode(void)
                 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
     AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
 
+    wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
+    AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
+
+    wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+    AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+    wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
+    AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
+
+    AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
+                WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
     SSL_free(ssl);
     SSL_CTX_free(ctx);
 
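Review bot: The new assertions only round-trip single flags; the combination whose handling this commit actually changes — WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT together with WOLFSSL_VERIFY_FAIL_EXCEPT_PSK, where the old setter cleared failNoCert and the new one keeps both — is not pinned. Add after the FAIL_EXCEPT_PSK pair: `wolfSSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_EXCEPT_PSK, 0);` and `AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_EXCEPT_PSK);`. The NONE-after-PEER check and the SSL_CTX_get_verify_mode assertion are useful as written, since they confirm that a per-connection call both clears the earlier peer bit and leaves the context's mode untouched. Passing `0` for the VerifyCallback argument reads better as `NULL`. test_wolfSSL_verify_mode begins before and ends after this hunk.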