From 830bf16fe424b1e273f9d6c244d56398e713c1dd Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Wed, 9 Nov 2016 17:56:31 +1100
Subject: openssl.x509.verify_param: Start work on binding X509_VERIFY_PARAM

---
 src/GNUmakefile                   |   1 +
 src/openssl.c                     | 187 ++++++++++++++++++++++++++++++++++++++
 src/openssl.x509.verify_param.lua |   1 +
 3 files changed, 189 insertions(+)
 create mode 100644 src/openssl.x509.verify_param.lua

diff --git a/src/GNUmakefile b/src/GNUmakefile
index e7cb54d..015a93c 100644
--- a/src/GNUmakefile
+++ b/src/GNUmakefile
@@ -102,6 +102,7 @@ MODS$(1)_$(d) = \
 	$$(DESTDIR)$(3)/openssl/x509/csr.lua \
 	$$(DESTDIR)$(3)/openssl/x509/extension.lua \
 	$$(DESTDIR)$(3)/openssl/x509/store.lua \
+	$$(DESTDIR)$(3)/openssl/x509/verify_param.lua \
 	$$(DESTDIR)$(3)/openssl/pkcs12.lua \
 	$$(DESTDIR)$(3)/openssl/ssl/context.lua \
 	$$(DESTDIR)$(3)/openssl/ssl.lua \
diff --git a/src/openssl.c b/src/openssl.c
index 38c9888..8d513e6 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -60,6 +60,7 @@
 #include <openssl/bn.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
 #include <openssl/pkcs12.h>
 #include <openssl/evp.h>
@@ -335,6 +336,7 @@
 #define X509_CSR_CLASS   "X509_REQ*"
 #define X509_CRL_CLASS   "X509_CRL*"
 #define X509_STORE_CLASS "X509_STORE*"
+#define X509_VERIFY_PARAM_CLASS "X509_VERIFY_PARAM*"
 #define X509_STCTX_CLASS "X509_STORE_CTX*"
 #define PKCS12_CLASS     "PKCS12*"
 #define SSL_CTX_CLASS    "SSL_CTX*"
@@ -8183,6 +8185,190 @@ int luaopen__openssl_ssl(lua_State *L) {
 } /* luaopen__openssl_ssl() */
 
 
+/*
+ * X509_VERIFY_PARAM
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+static int xp_new(lua_State *L) {
+	X509_VERIFY_PARAM **ud = prepsimple(L, X509_VERIFY_PARAM_CLASS);
+
+	if (!(*ud = X509_VERIFY_PARAM_new()))
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param.new");
+
+	return 1;
+} /* xp_new() */
+
+
+static int xp_interpose(lua_State *L) {
+	return interpose(L, X509_VERIFY_PARAM_CLASS);
+} /* xp_interpose() */
+
+
+static const X509_PURPOSE *purpose_checktype(lua_State *L, int index) {
+	const char *purpose_name;
+	int purpose_id;
+	int purpose_idx;
+	const X509_PURPOSE *purpose;
+
+	if (lua_isnumber(L, index)) {
+		purpose_id = luaL_checkinteger(L, index);
+		purpose_idx = X509_PURPOSE_get_by_id(purpose_id);
+		if (purpose_idx < 0)
+			luaL_argerror(L, index, lua_pushfstring(L, "%d: invalid purpose", purpose_id));
+	} else {
+		purpose_name = luaL_checkstring(L, index);
+		purpose_idx = X509_PURPOSE_get_by_sname((char*)purpose_name);
+		if (purpose_idx < 0)
+			luaL_argerror(L, index, lua_pushfstring(L, "%s: invalid purpose", purpose_name));
+	}
+
+	purpose = X509_PURPOSE_get0(purpose_idx);
+	return purpose;
+} /* purpose_checktype() */
+
+
+static int xp_setPurpose(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	const X509_PURPOSE *purpose = purpose_checktype(L, 2);
+
+	if (!X509_VERIFY_PARAM_set_purpose(xp, X509_PURPOSE_get_id((X509_PURPOSE*)purpose)))
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:setPurpose");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setPurpose() */
+
+
+static int xp_setTime(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	time_t t = luaL_checkinteger(L, 2);
+
+	X509_VERIFY_PARAM_set_time(xp, t);
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setTime() */
+
+
+static int xp_setDepth(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	int depth = luaL_checkinteger(L, 2);
+
+	X509_VERIFY_PARAM_set_depth(xp, depth);
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setDepth() */
+
+
+static int xp_getDepth(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+
+	int depth = X509_VERIFY_PARAM_get_depth(xp);
+
+	lua_pushinteger(L, depth);
+	return 1;
+} /* xp_getDepth() */
+
+
+static int xp_setHost(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	size_t len;
+	const char *str = luaL_optlstring(L, 2, NULL, &len); /* NULL = clear hosts */
+
+	if (!X509_VERIFY_PARAM_set1_host(xp, str, len))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:setHost");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setHost() */
+
+
+static int xp_addHost(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	size_t len;
+	const char *str = luaL_checklstring(L, 2, &len);
+
+	if (!X509_VERIFY_PARAM_add1_host(xp, str, len))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:addHost");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_addHost() */
+
+
+static int xp_setEmail(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	size_t len;
+	const char *str = luaL_checklstring(L, 2, &len);
+
+	if (!X509_VERIFY_PARAM_set1_email(xp, str, len))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:setEmail");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setEmail() */
+
+
+static int xp_setIP(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	const char *str = luaL_checkstring(L, 2);
+
+	if (!X509_VERIFY_PARAM_set1_ip_asc(xp, str))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:setIP");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setIP() */
+
+
+static int xp__gc(lua_State *L) {
+	X509_VERIFY_PARAM **ud = luaL_checkudata(L, 1, X509_VERIFY_PARAM_CLASS);
+
+	X509_VERIFY_PARAM_free(*ud);
+	*ud = NULL;
+
+	return 0;
+} /* xp__gc() */
+
+
+static const auxL_Reg xp_methods[] = {
+	{ "setPurpose", &xp_setPurpose },
+	{ "setTime", &xp_setTime },
+	{ "setDepth", &xp_setDepth },
+	{ "getDepth", &xp_getDepth },
+	{ "setHost", &xp_setHost },
+	{ "addHost", &xp_addHost },
+	{ "setEmail", &xp_setEmail },
+	{ "setIP", &xp_setIP },
+	{ NULL, NULL },
+};
+
+static const auxL_Reg xp_metatable[] = {
+	{ "__gc", &xp__gc },
+	{ NULL, NULL },
+};
+
+static const auxL_Reg xp_globals[] = {
+	{ "new", &xp_new },
+	{ "interpose", &xp_interpose },
+	{ NULL, NULL },
+};
+
+int luaopen__openssl_x509_verify_param(lua_State *L) {
+	initall(L);
+
+	auxL_newlib(L, xp_globals, 0);
+
+	return 1;
+} /* luaopen__openssl_x509_verify_param() */
+
+
 /*
  * Digest - openssl.digest
  *
@@ -9171,6 +9357,7 @@ static void initall(lua_State *L) {
 	auxL_addclass(L, X509_CRL_CLASS, xx_methods, xx_metatable, 0);
 	auxL_addclass(L, X509_CHAIN_CLASS, xl_methods, xl_metatable, 0);
 	auxL_addclass(L, X509_STORE_CLASS, xs_methods, xs_metatable, 0);
+	auxL_addclass(L, X509_VERIFY_PARAM_CLASS, xp_methods, xp_metatable, 0);
 	auxL_addclass(L, PKCS12_CLASS, p12_methods, p12_metatable, 0);
 	auxL_addclass(L, SSL_CTX_CLASS, sx_methods, sx_metatable, 0);
 	auxL_addclass(L, SSL_CLASS, ssl_methods, ssl_metatable, 0);
diff --git a/src/openssl.x509.verify_param.lua b/src/openssl.x509.verify_param.lua
new file mode 100644
index 0000000..a3148e6
--- /dev/null
+++ b/src/openssl.x509.verify_param.lua
@@ -0,0 +1 @@
+return require('_openssl.x509.verify_param')
-- 
cgit v1.2.3-59-g8ed1b


From 569d057d3e26b5a19c5808edd47e221acc9ed61f Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Wed, 9 Nov 2016 18:47:24 +1100
Subject: openssl.ssl.context: Bind SSL_CTX_set1_param and SSL_CTX_get0_param

---
 src/openssl.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index 8d513e6..e6ae71d 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -7532,6 +7532,38 @@ static int sx_getStore(lua_State *L) {
 } /* sx_getStore() */
 
 
+static int sx_setParam(lua_State *L) {
+	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+	X509_VERIFY_PARAM *xp = checksimple(L, 2, X509_VERIFY_PARAM_CLASS);
+
+	if (!SSL_CTX_set1_param(ctx, xp))
+		return auxL_error(L, auxL_EOPENSSL, "ssl.context:setParam");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* sx_setParam() */
+
+
+static int sx_getParam(lua_State *L) {
+	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+	X509_VERIFY_PARAM **ud, *from;
+
+	/* X509_VERIFY_PARAM is not refcounted; create a new object and copy into it. */
+	ud = prepsimple(L, X509_VERIFY_PARAM_CLASS);
+	if (!(*ud = X509_VERIFY_PARAM_new()))
+		return auxL_error(L, auxL_EOPENSSL, "ssl.context:getParam");
+
+	from = SSL_CTX_get0_param(ctx);
+
+	if (!(X509_VERIFY_PARAM_set1(*ud, from)))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "ssl.context:getParam");
+
+	return 1;
+} /* sx_getParam() */
+
+
 static int sx_setVerify(lua_State *L) {
 	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
 	int mode = luaL_optint(L, 2, -1);
@@ -7799,6 +7831,8 @@ static const auxL_Reg sx_methods[] = {
 	{ "clearOptions",     &sx_clearOptions },
 	{ "setStore",         &sx_setStore },
 	{ "getStore",         &sx_getStore },
+	{ "setParam",         &sx_setParam },
+	{ "getParam",         &sx_getParam },
 	{ "setVerify",        &sx_setVerify },
 	{ "getVerify",        &sx_getVerify },
 	{ "setCertificate",   &sx_setCertificate },
-- 
cgit v1.2.3-59-g8ed1b


From 043257dd0c0b7ebd7a577a9fceaecb1c2910f144 Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Tue, 15 Nov 2016 11:15:24 +1100
Subject: openssl.ssl: Add ssl:setParam() and ssl:getParam()

---
 src/openssl.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index e6ae71d..f0b75ae 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -7979,6 +7979,38 @@ static int ssl_clearOptions(lua_State *L) {
 } /* ssl_clearOptions() */
 
 
+static int ssl_setParam(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+	X509_VERIFY_PARAM *xp = checksimple(L, 2, X509_VERIFY_PARAM_CLASS);
+
+	if (!SSL_set1_param(ssl, xp))
+		return auxL_error(L, auxL_EOPENSSL, "ssl:setParam");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* ssl_setParam() */
+
+
+static int ssl_getParam(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+	X509_VERIFY_PARAM **ud, *from;
+
+	/* X509_VERIFY_PARAM is not refcounted; create a new object and copy into it. */
+	ud = prepsimple(L, X509_VERIFY_PARAM_CLASS);
+	if (!(*ud = X509_VERIFY_PARAM_new()))
+		return auxL_error(L, auxL_EOPENSSL, "ssl:getParam");
+
+	from = SSL_get0_param(ssl);
+
+	if (!(X509_VERIFY_PARAM_set1(*ud, from)))
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "ssl:getParam");
+
+	return 1;
+} /* ssl_getParam() */
+
+
 static int ssl_getPeerCertificate(lua_State *L) {
 	SSL *ssl = checksimple(L, 1, SSL_CLASS);
 	X509 **x509 = prepsimple(L, X509_CERT_CLASS);
@@ -8166,6 +8198,8 @@ static const auxL_Reg ssl_methods[] = {
 	{ "setOptions",       &ssl_setOptions },
 	{ "getOptions",       &ssl_getOptions },
 	{ "clearOptions",     &ssl_clearOptions },
+	{ "setParam",         &ssl_setParam },
+	{ "getParam",         &ssl_getParam },
 	{ "getPeerCertificate", &ssl_getPeerCertificate },
 	{ "getPeerChain",     &ssl_getPeerChain },
 	{ "getCipherInfo",    &ssl_getCipherInfo },
-- 
cgit v1.2.3-59-g8ed1b


From aea81904d89a13311f4bb1ab0c19dffb7eecad16 Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Tue, 15 Nov 2016 20:38:24 +1100
Subject: openssl.x509.verify_param: Bind X509_VERIFY_PARAM_set_auth_level and
 X509_VERIFY_PARAM_get_auth_level

---
 src/openssl.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index f0b75ae..5e16e56 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -286,6 +286,10 @@
 #define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
 #endif
 
+#ifndef HAVE_X509_AUTH_LEVEL
+#define HAVE_X509_AUTH_LEVEL OPENSSL_PREREQ(1,1,0)
+#endif
+
 #ifndef HAVE_X509_STORE_REFERENCES
 #define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
 #endif
@@ -8340,6 +8344,29 @@ static int xp_getDepth(lua_State *L) {
 } /* xp_getDepth() */
 
 
+#if HAVE_X509_AUTH_LEVEL
+static int xp_setAuthLevel(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	int auth_level = luaL_checkinteger(L, 2);
+
+	X509_VERIFY_PARAM_set_auth_level(xp, auth_level);
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_setAuthLevel() */
+
+
+static int xp_getAuthLevel(lua_State *L) {
+	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+
+	int auth_level = X509_VERIFY_PARAM_get_auth_level(xp);
+
+	lua_pushinteger(L, auth_level);
+	return 1;
+} /* xp_getAuthLevel() */
+#endif
+
+
 static int xp_setHost(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	size_t len;
@@ -8410,6 +8437,10 @@ static const auxL_Reg xp_methods[] = {
 	{ "setTime", &xp_setTime },
 	{ "setDepth", &xp_setDepth },
 	{ "getDepth", &xp_getDepth },
+#if HAVE_X509_AUTH_LEVEL
+	{ "setAuthLevel", &xp_setAuthLevel },
+	{ "getAuthLevel", &xp_getAuthLevel },
+#endif
 	{ "setHost", &xp_setHost },
 	{ "addHost", &xp_addHost },
 	{ "setEmail", &xp_setEmail },
-- 
cgit v1.2.3-59-g8ed1b


From db6e414d68c0f94c2497d363f6131b4de1710ba9 Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Fri, 9 Dec 2016 00:06:30 +1100
Subject: openssl.x509.verify_param: Bind X509_VERIFY_PARAM_inherit

---
 src/openssl.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index 5e16e56..c5c692f 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -8277,6 +8277,26 @@ static int xp_interpose(lua_State *L) {
 } /* xp_interpose() */
 
 
+static int xp_inherit(lua_State *L) {
+	X509_VERIFY_PARAM *dest = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
+	X509_VERIFY_PARAM *src = checksimple(L, 2, X509_VERIFY_PARAM_CLASS);
+	int flags = luaL_optinteger(L, 3, 0);
+	unsigned long save_flags = dest->inh_flags;
+	int ret;
+
+	dest->inh_flags |= flags;
+	ret = X509_VERIFY_PARAM_inherit(dest, src);
+	dest->inh_flags = save_flags;
+
+	if (!ret)
+		/* Note: openssl doesn't set an error as it should for some cases */
+		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:inherit");
+
+	lua_pushboolean(L, 1);
+	return 1;
+} /* xp_inherit() */
+
+
 static const X509_PURPOSE *purpose_checktype(lua_State *L, int index) {
 	const char *purpose_name;
 	int purpose_id;
@@ -8433,6 +8453,7 @@ static int xp__gc(lua_State *L) {
 
 
 static const auxL_Reg xp_methods[] = {
+	{ "inherit", &xp_inherit },
 	{ "setPurpose", &xp_setPurpose },
 	{ "setTime", &xp_setTime },
 	{ "setDepth", &xp_setDepth },
@@ -8459,10 +8480,20 @@ static const auxL_Reg xp_globals[] = {
 	{ NULL, NULL },
 };
 
+static const auxL_IntegerReg xp_inherit_flags[] = {
+	{ "DEFAULT", X509_VP_FLAG_DEFAULT },
+	{ "OVERWRITE", X509_VP_FLAG_OVERWRITE },
+	{ "RESET_FLAGS", X509_VP_FLAG_RESET_FLAGS },
+	{ "LOCKED", X509_VP_FLAG_LOCKED },
+	{ "ONCE", X509_VP_FLAG_ONCE },
+	{ NULL, 0 }
+};
+
 int luaopen__openssl_x509_verify_param(lua_State *L) {
 	initall(L);
 
 	auxL_newlib(L, xp_globals, 0);
+	auxL_setintegers(L, xp_inherit_flags);
 
 	return 1;
 } /* luaopen__openssl_x509_verify_param() */
-- 
cgit v1.2.3-59-g8ed1b


From 028873f1fde5b91a3b8d2f80f350ca1682146029 Mon Sep 17 00:00:00 2001
From: William Ahern <william@25thandclement.com>
Date: Thu, 8 Dec 2016 17:55:35 -0800
Subject: fix build for OpenSSL releases prior to 1.0.2

---
 src/openssl.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 101 insertions(+), 8 deletions(-)

diff --git a/src/openssl.c b/src/openssl.c
index c5c692f..7addaa1 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -250,6 +250,10 @@
 #define HAVE_SSL_CLIENT_VERSION OPENSSL_PREREQ(1,1,0)
 #endif
 
+#ifndef HAVE_SSL_CTX_GET0_PARAM
+#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
 #define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3))
 #endif
@@ -262,16 +266,28 @@
 #define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */
 #endif
 
+#ifndef HAVE_SSL_CTX_SET1_PARAM
+#define HAVE_SSL_CTX_SET1_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,0))
+#endif
+
 #ifndef HAVE_SSL_CTX_CERT_STORE
 #define HAVE_SSL_CTX_CERT_STORE (!OPENSSL_PREREQ(1,1,0))
 #endif
 
+#ifndef HAVE_SSL_GET0_ALPN_SELECTED
+#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
+#endif
+
+#ifndef HAVE_SSL_GET0_PARAM
+#define HAVE_SSL_GET0_PARAM OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_SET_ALPN_PROTOS
 #define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS
 #endif
 
-#ifndef HAVE_SSL_GET0_ALPN_SELECTED
-#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
+#ifndef HAVE_SSL_SET1_PARAM
+#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2)
 #endif
 
 #ifndef HAVE_SSL_UP_REF
@@ -286,10 +302,6 @@
 #define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
 #endif
 
-#ifndef HAVE_X509_AUTH_LEVEL
-#define HAVE_X509_AUTH_LEVEL OPENSSL_PREREQ(1,1,0)
-#endif
-
 #ifndef HAVE_X509_STORE_REFERENCES
 #define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
 #endif
@@ -302,6 +314,26 @@
 #define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)
 #endif
 
+#ifndef HAVE_X509_VERIFY_PARAM_ADD1_HOST
+#define HAVE_X509_VERIFY_PARAM_ADD1_HOST OPENSSL_PREREQ(1,0,2)
+#endif
+
+#ifndef HAVE_X509_VERIFY_PARAM_SET_AUTH_LEVEL
+#define HAVE_X509_VERIFY_PARAM_SET_AUTH_LEVEL OPENSSL_PREREQ(1,1,0)
+#endif
+
+#ifndef HAVE_X509_VERIFY_PARAM_SET1_EMAIL
+#define HAVE_X509_VERIFY_PARAM_SET1_EMAIL OPENSSL_PREREQ(1,0,2)
+#endif
+
+#ifndef HAVE_X509_VERIFY_PARAM_SET1_HOST
+#define HAVE_X509_VERIFY_PARAM_SET1_HOST OPENSSL_PREREQ(1,0,2)
+#endif
+
+#ifndef HAVE_X509_VERIFY_PARAM_SET1_IP_ASC
+#define HAVE_X509_VERIFY_PARAM_SET1_IP_ASC OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HMAC_INIT_EX_INT
 #define HMAC_INIT_EX_INT OPENSSL_PREREQ(1,0,0)
 #endif
@@ -1535,6 +1567,22 @@ static int compat_SSL_client_version(const SSL *ssl) {
 } /* compat_SSL_client_version() */
 #endif
 
+#if !HAVE_SSL_GET0_PARAM
+#define SSL_get0_param(ssl) compat_SSL_get0_param((ssl))
+
+static X509_VERIFY_PARAM *compat_SSL_get0_param(SSL *ssl) {
+	return ssl->param;
+} /* compat_SSL_get0_param() */
+#endif
+
+#if !HAVE_SSL_SET1_PARAM
+#define SSL_set1_param(ssl, vpm) compat_SSL_set1_param((ssl), (vpm))
+
+static int compat_SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) {
+	return X509_VERIFY_PARAM_set1(ssl->param, vpm);
+} /* compat_SSL_set1_param() */
+#endif
+
 #if !HAVE_SSL_UP_REF
 #define SSL_up_ref(...) compat_SSL_up_ref(__VA_ARGS__)
 
@@ -1547,6 +1595,22 @@ static int compat_SSL_up_ref(SSL *ssl) {
 } /* compat_SSL_up_ref() */
 #endif
 
+#if !HAVE_SSL_CTX_GET0_PARAM
+#define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx))
+
+static X509_VERIFY_PARAM *compat_SSL_CTX_get0_param(SSL_CTX *ctx) {
+	return ctx->param;
+} /* compat_SSL_CTX_get0_param() */
+#endif
+
+#if !HAVE_SSL_CTX_SET1_PARAM
+#define SSL_CTX_set1_param(ctx, vpm) compat_SSL_CTX_set1_param((ctx), (vpm))
+
+static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
+	return X509_VERIFY_PARAM_set1(ctx->param, vpm);
+} /* compat_SSL_CTX_set1_param() */
+#endif
+
 #if !HAVE_X509_GET0_EXT
 #define X509_get0_ext(crt, i) X509_get_ext((crt), (i))
 #endif
@@ -1667,6 +1731,19 @@ static int compat_X509_up_ref(X509 *crt) {
 } /* compat_X509_up_ref() */
 #endif
 
+#if !HAVE_X509_VERIFY_PARAM_SET1_EMAIL
+/*
+ * NB: Cannot emulate. Requires dereferencing X509_VERIFY_PARAM_ID objects,
+ * which were always opaque.
+ */
+#endif
+
+#if !HAVE_X509_VERIFY_PARAM_SET1_HOST
+/*
+ * NB: See HAVE_X509_VERIFY_PARAM_SET1_EMAIL.
+ */
+#endif
+
 static int compat_init(void) {
 	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
 	static int store_index = -1, ssl_ctx_index = -1, done;
@@ -8364,7 +8441,7 @@ static int xp_getDepth(lua_State *L) {
 } /* xp_getDepth() */
 
 
-#if HAVE_X509_AUTH_LEVEL
+#if HAVE_X509_VERIFY_PARAM_SET_AUTH_LEVEL
 static int xp_setAuthLevel(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	int auth_level = luaL_checkinteger(L, 2);
@@ -8387,6 +8464,7 @@ static int xp_getAuthLevel(lua_State *L) {
 #endif
 
 
+#if HAVE_X509_VERIFY_PARAM_SET1_HOST
 static int xp_setHost(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	size_t len;
@@ -8399,8 +8477,10 @@ static int xp_setHost(lua_State *L) {
 	lua_pushboolean(L, 1);
 	return 1;
 } /* xp_setHost() */
+#endif
 
 
+#if HAVE_X509_VERIFY_PARAM_ADD1_HOST
 static int xp_addHost(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	size_t len;
@@ -8413,8 +8493,10 @@ static int xp_addHost(lua_State *L) {
 	lua_pushboolean(L, 1);
 	return 1;
 } /* xp_addHost() */
+#endif
 
 
+#if HAVE_X509_VERIFY_PARAM_SET1_EMAIL
 static int xp_setEmail(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	size_t len;
@@ -8427,8 +8509,10 @@ static int xp_setEmail(lua_State *L) {
 	lua_pushboolean(L, 1);
 	return 1;
 } /* xp_setEmail() */
+#endif
 
 
+#if HAVE_X509_VERIFY_PARAM_SET1_IP_ASC
 static int xp_setIP(lua_State *L) {
 	X509_VERIFY_PARAM *xp = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	const char *str = luaL_checkstring(L, 2);
@@ -8440,6 +8524,7 @@ static int xp_setIP(lua_State *L) {
 	lua_pushboolean(L, 1);
 	return 1;
 } /* xp_setIP() */
+#endif
 
 
 static int xp__gc(lua_State *L) {
@@ -8458,14 +8543,22 @@ static const auxL_Reg xp_methods[] = {
 	{ "setTime", &xp_setTime },
 	{ "setDepth", &xp_setDepth },
 	{ "getDepth", &xp_getDepth },
-#if HAVE_X509_AUTH_LEVEL
+#if HAVE_X509_VERIFY_PARAM_SET_AUTH_LEVEL
 	{ "setAuthLevel", &xp_setAuthLevel },
 	{ "getAuthLevel", &xp_getAuthLevel },
 #endif
+#if HAVE_X509_VERIFY_PARAM_SET1_HOST
 	{ "setHost", &xp_setHost },
+#endif
+#if HAVE_X509_VERIFY_PARAM_ADD1_HOST
 	{ "addHost", &xp_addHost },
+#endif
+#if HAVE_X509_VERIFY_PARAM_SET1_EMAIL
 	{ "setEmail", &xp_setEmail },
+#endif
+#if HAVE_X509_VERIFY_PARAM_SET1_IP_ASC
 	{ "setIP", &xp_setIP },
+#endif
 	{ NULL, NULL },
 };
 
-- 
cgit v1.2.3-59-g8ed1b


From e9ecd299628b2af6a8aa74ce7956bb7ae902f69d Mon Sep 17 00:00:00 2001
From: William Ahern <william@25thandclement.com>
Date: Thu, 8 Dec 2016 18:13:22 -0800
Subject: manipulation of inh_flags isn't supported by OpenSSL 1.1 API

---
 src/openssl.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/openssl.c b/src/openssl.c
index 7addaa1..3ac0c6d 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -8354,17 +8354,25 @@ static int xp_interpose(lua_State *L) {
 } /* xp_interpose() */
 
 
+/*
+ * NB: Per the OpenSSL source, "[t]he 'inh_flags' field determines how this
+ * function behaves". (Referring to X509_VERIFY_PARAM_inherit.) The way to
+ * set inh_flags prior to OpenSSL 1.1 was by OR'ing flags into the inh_flags
+ * member and restoring it after the call. The OpenSSL 1.1 API makes the
+ * X509_VERIFY_PARAM object opaque, X509_VERIFY_PARAM_inherit, and there's
+ * no other function to set the flags argument; therefore it's not possible
+ * to control the inherit behavior from OpenSSL 1.1.
+ *
+ * For more details see
+ * 	https://github.com/openssl/openssl/issues/2054 and the original
+ * 	https://github.com/wahern/luaossl/pull/76/commits/db6e414d68c0f94c2497d363f6131b4de1710ba9
+ */
 static int xp_inherit(lua_State *L) {
 	X509_VERIFY_PARAM *dest = checksimple(L, 1, X509_VERIFY_PARAM_CLASS);
 	X509_VERIFY_PARAM *src = checksimple(L, 2, X509_VERIFY_PARAM_CLASS);
-	int flags = luaL_optinteger(L, 3, 0);
-	unsigned long save_flags = dest->inh_flags;
 	int ret;
 
-	dest->inh_flags |= flags;
 	ret = X509_VERIFY_PARAM_inherit(dest, src);
-	dest->inh_flags = save_flags;
-
 	if (!ret)
 		/* Note: openssl doesn't set an error as it should for some cases */
 		return auxL_error(L, auxL_EOPENSSL, "x509.verify_param:inherit");
-- 
cgit v1.2.3-59-g8ed1b