From a47bc28317081fff10250a4d931821f64cfe191d Mon Sep 17 00:00:00 2001
From: Rich Salz <rsalz@openssl.org>
Date: Tue, 13 Dec 2016 11:52:22 -0500
Subject: [PATCH] Add X509_VERIFY_PARAM inheritance flag set/get

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
---
 crypto/x509/x509_lcl.h                   |  2 +-
 crypto/x509/x509_vpm.c                   | 11 +++++
 doc/man3/X509_VERIFY_PARAM_set_flags.pod | 52 ++++++++++++++++++++++--
 include/openssl/x509_vfy.h               |  5 +++
 util/libcrypto.num                       |  6 ++-
 5 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 0cc38c6443..34e413530a 100644
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -18,7 +18,7 @@
 struct X509_VERIFY_PARAM_st {
     char *name;
     time_t check_time;          /* Time to use */
-    unsigned long inh_flags;    /* Inheritance flags */
+    uint32_t inh_flags;         /* Inheritance flags */
     unsigned long flags;        /* Various verify flags */
     int purpose;                /* purpose to check untrusted certificates */
     int trust;                  /* trust setting to check */
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 386382d2ef..9e1b7c64cd 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -289,6 +289,17 @@ unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
     return param->flags;
 }
 
+uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
+{
+    return param->inh_flags;
+}
+
+int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
+{
+    param->inh_flags = flags;
+    return 1;
+}
+
 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
 {
     return X509_PURPOSE_set(&param->purpose, purpose);
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 2800cd441d..388fdc212e 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -2,18 +2,34 @@
 
 =head1 NAME
 
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
+X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
+X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags,
+X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
+X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level,
+X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time,
+X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies,
+X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
+X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername,
+X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip,
+X509_VERIFY_PARAM_set1_ip_asc
+- X509 verification parameters
 
 =head1 SYNOPSIS
 
  #include <openssl/x509_vfy.h>
 
  int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
-                                        unsigned long flags);
+                                 unsigned long flags);
  int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
-                                        unsigned long flags);
+                                   unsigned long flags);
  unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
 
+ int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param,
+                                     uint32_t flags);
+ uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);
+
  int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
  int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
 
@@ -55,6 +71,11 @@ description of values the B<flags> parameter can take.
 
 X509_VERIFY_PARAM_get_flags() returns the flags in B<param>.
 
+X509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in B<param>
+which specifies how verification flags are copied from one structure to
+another. X509_VERIFY_PARAM_set_inh_flags() sets the inheritance flags.
+See the B<INHERITANCE FLAGS> section for a description of these bits.
+
 X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>.
 
 X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param>
@@ -154,6 +175,7 @@ IPv6.  The condensed "::" notation is supported for IPv6 addresses.
 =head1 RETURN VALUES
 
 X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(),
+X509_VERIFY_PARAM_set_inh_flags(),
 X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(),
 X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(),
 X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_add1_host(),
@@ -163,6 +185,8 @@ failure.
 
 X509_VERIFY_PARAM_get_flags() returns the current verification flags.
 
+X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags.
+
 X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return
 values.
 
@@ -242,6 +266,28 @@ The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
 of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
 is used to specify a verification time, the check is not suppressed.
 
+=head1 INHERITANCE FLAGS
+
+These flags spevify how parameters are "inherited" from one structure to
+another.
+
+If B<X509_VP_FLAG_ONCE> is set then the current setting is zeroed
+after the next call.
+
+If B<X509_VP_FLAG_LOCKED> is set then no values are copied.  This overrides
+all of the following flags.
+
+If B<X509_VP_FLAG_DEFAULT> is set then anything set in the source is copied
+to the destination. Effectively the values in "to" become default values
+which will be used only if nothing new is set in "from".  This is the
+default.
+
+If B<X509_VP_FLAG_OVERWRITE> is set then all value are copied across whether
+they are set or not. Flags is still Ored though.
+
+If B<X509_VP_FLAG_RESET_FLAGS> is set then the flags value is copied instead
+of ORed.
+
 =head1 NOTES
 
 The above functions should be used to manipulate verification parameters
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index cab8005eee..5dc9d063fc 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -272,6 +272,7 @@ int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
 int X509_STORE_set_trust(X509_STORE *ctx, int trust);
 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
+int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
 
 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
 #define X509_STORE_set_verify_func(ctx, func) \
@@ -464,6 +465,10 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
                                     STACK_OF(ASN1_OBJECT) *policies);
 
+int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param,
+                                    uint32_t flags);
+uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);
+
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
                                 const char *name, size_t namelen);
 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index a1fdc3edfc..27d530a959 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4218,5 +4218,7 @@ BIO_meth_get_write_ex                   4168	1_1_1	EXIST::FUNCTION:
 BIO_meth_set_write_ex                   4169	1_1_1	EXIST::FUNCTION:
 DSO_pathbyaddr                          4170	1_1_0c	EXIST::FUNCTION:
 DSO_dsobyaddr                           4171	1_1_0c	EXIST::FUNCTION:
-CT_POLICY_EVAL_CTX_get_time             4172	1_1_1	EXIST::FUNCTION:CT
-CT_POLICY_EVAL_CTX_set_time             4173	1_1_1	EXIST::FUNCTION:CT
+CT_POLICY_EVAL_CTX_get_time             4172	1_1_0d	EXIST::FUNCTION:CT
+CT_POLICY_EVAL_CTX_set_time             4173	1_1_0d	EXIST::FUNCTION:CT
+X509_VERIFY_PARAM_set_inh_flags         4174	1_1_0d	EXIST::FUNCTION:
+X509_VERIFY_PARAM_get_inh_flags         4175	1_1_0d	EXIST::FUNCTION: