1 files changed, 196 insertions, 44 deletions
diff --git a/src/openssl.c b/src/openssl.c
index 8ff21ce..8cf79c0 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -77,12 +77,38 @@
 #include "compat52.h"
 #endif
+#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p))
+#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p)))
+#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p))
+#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p)))
 #define OPENSSL_PREREQ(M, m, p) \
        (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER)
 #define LIBRESSL_PREREQ(M, m, p) \
        (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+#ifndef __has_extension
+#define __has_extension(x) 0
+#endif
+#ifndef HAVE_C___ASSUME
+#define HAVE_C___ASSUME MSC_PREREQ(8,0,0)
+#endif
+#ifndef HAVE_C___BUILTIN_UNREACHABLE
+#define HAVE_C___BUILTIN_UNREACHABLE (GNUC_PREREQ(4,5,0) || __has_builtin(__builtin_unreachable))
+#endif
+#ifndef HAVE_C___DECLSPEC_NORETURN
+#define HAVE_C___DECLSPEC_NORETURN MSC_PREREQ(8,0,0)
+#endif
 #ifndef HAVE_ASN1_STRING_GET0_DATA
 #define HAVE_ASN1_STRING_GET0_DATA OPENSSL_PREREQ(1,1,0)
 #endif
@@ -255,6 +281,10 @@
 #define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
 #endif
+#ifndef HAVE_X509_STORE_UP_REF
+#define HAVE_X509_STORE_UP_REF OPENSSL_PREREQ(1,1,0)
+#endif
 #ifndef HAVE_X509_UP_REF
 #define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)
 #endif
@@ -312,6 +342,13 @@
 #define NOTUSED
 #endif
+#if HAVE_C___BUILTIN_UNREACHABLE
+#define NOTREACHED __builtin_unreachable()
+#elif HAVE_C___ASSUME
+#define NOTREACHED __assume(0)
+#else
+#define NOTREACHED (void)0
+#endif
 #define countof(a) (sizeof (a) / sizeof *(a))
 #define endof(a) (&(a)[countof(a)])
@@ -706,6 +743,8 @@ static size_t auxS_obj2txt(void *dst, size_t lim, const ASN1_OBJECT *obj) {
        return auxS_obj2id(dst, lim, obj);
 } /* auxS_obj2txt() */
+static const EVP_MD *auxS_todigest(const char *name, EVP_PKEY *key, const EVP_MD *def);
 static _Bool auxS_isoid(const char *txt) {
        return (*txt >= '0' && *txt <= '9');
 } /* auxS_isoid() */
@@ -1092,8 +1131,9 @@ static const char *auxL_pusherror(lua_State *L, int error, const char *fun) {
 static int auxL_error(lua_State *L, int error, const char *fun) {
        auxL_pusherror(L, error, fun);
+        lua_error(L);
-        return lua_error(L);
+        NOTREACHED;
+        return 0;
 } /* auxL_error() */
 static const char *auxL_pushnid(lua_State *L, int nid) {
@@ -1108,6 +1148,8 @@ static const char *auxL_pushnid(lua_State *L, int nid) {
        return lua_tostring(L, -1);
 } /* auxL_pushnid() */
+static const EVP_MD *auxL_optdigest(lua_State *L, int index, EVP_PKEY *key, const EVP_MD *def);
 /*
 * dl - dynamically loaded module management
@@ -1587,6 +1629,18 @@ static void compat_init_X509_STORE_onfree(void *store, void *data NOTUSED, CRYPT
        compat.tmp.store = NULL;
 } /* compat_init_X509_STORE_onfree() */
+#if !HAVE_X509_STORE_UP_REF
+#define X509_STORE_up_ref(...) compat_X509_STORE_up_ref(__VA_ARGS__)
+static int compat_X509_STORE_up_ref(X509_STORE *crt) {
+        /* our caller should already have had a proper reference */
+        if (CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509_STORE) < 2)
+                return 0; /* fail */
+        return 1;
+} /* compat_X509_STORE_up_ref() */
+#endif
 #if !HAVE_X509_UP_REF
 #define X509_up_ref(...) compat_X509_up_ref(__VA_ARGS__)
@@ -1688,6 +1742,53 @@ sslerr:
 /*
+ * Auxiliary OpenSSL API routines (with dependencies on OpenSSL compat)
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+static const EVP_MD *auxS_todigest(const char *name, EVP_PKEY *key, const EVP_MD *def) {
+        const EVP_MD *md;
+        int nid;
+        if (name) {
+                if ((md = EVP_get_digestbyname(name)))
+                        return md;
+        } else if (key) {
+                if ((EVP_PKEY_get_default_digest_nid(key, &nid) > 0)) {
+                        if ((md = EVP_get_digestbynid(nid)))
+                                return md;
+                }
+        }
+        return def;
+} /* auxS_todigest() */
+/*
+ * Auxiliary Lua API routines (with dependencies on OpenSSL compat)
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+static const EVP_MD *auxL_optdigest(lua_State *L, int index, EVP_PKEY *key, const EVP_MD *def) {
+        const char *name = luaL_optstring(L, index, NULL);
+        const EVP_MD *md;
+        if ((md = auxS_todigest(name, key, NULL)))
+                return md;
+        if (name) {
+                luaL_argerror(L, index, lua_pushfstring(L, "invalid digest type (%s)", name));
+                NOTREACHED;
+        } else if (key) {
+                luaL_argerror(L, index, lua_pushfstring(L, "no digest type for key type (%d)", EVP_PKEY_base_id(key)));
+                NOTREACHED;
+        }
+        return def;
+} /* auxL_optdigest() */
+/*
 * External Application Data Hooks
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@@ -3453,18 +3554,11 @@ static int pk_toPEM(lua_State *L) {
 static int pk_getDefaultDigestName(lua_State *L) {
        EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
        int nid;
-        char txt[256];
-        size_t len;
        if (!(EVP_PKEY_get_default_digest_nid(key, &nid) > 0))
                return auxL_error(L, auxL_EOPENSSL, "pkey:getDefaultDigestName");
-        if (!(len = auxS_nid2txt(txt, sizeof txt, nid)))
+        auxL_pushnid(L, nid);
-                return auxL_error(L, auxL_EOPENSSL, "pkey:getDefaultDigestName");
-        if (len > sizeof txt)
-                return auxL_error(L, EOVERFLOW, "pkey:getDefaultDigestName");
-        lua_pushlstring(L, txt, len);
        return 1;
 } /* pk_getDefaultDigestName() */
@@ -5785,49 +5879,50 @@ static int xc_setPublicKey(lua_State *L) {
 static int xc_getPublicKeyDigest(lua_State *L) {
-        ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(checksimple(L, 1, X509_CERT_CLASS));
+        X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
-        const char *id = luaL_optstring(L, 2, "sha1");
+        EVP_PKEY *key;
        const EVP_MD *md;
+        ASN1_BIT_STRING *bitstr;
        unsigned char digest[EVP_MAX_MD_SIZE];
        unsigned int len;
-        if (!(md = EVP_get_digestbyname(id)))
+        if (!(key = X509_get_pubkey(crt)))
-                return luaL_error(L, "x509.cert:getPublicKeyDigest: %s: invalid digest type", id);
+                return luaL_argerror(L, 1, "no public key");
+        md = auxL_optdigest(L, 2, key, NULL);
+        bitstr = X509_get0_pubkey_bitstr(crt);
-        if (!EVP_Digest(pk->data, pk->length, digest, &len, md, NULL))
+        if (!EVP_Digest(bitstr->data, bitstr->length, digest, &len, md, NULL))
                return auxL_error(L, auxL_EOPENSSL, "x509.cert:getPublicKeyDigest");
        lua_pushlstring(L, (char *)digest, len);
        return 1;
 } /* xc_getPublicKeyDigest() */
-static const EVP_MD *xc_signature(lua_State *L, int index, EVP_PKEY *key) {
+#if 0
-        const char *id;
+/*
-        const EVP_MD *md;
+ * TODO: X509_get_signature_type always seems to return NID_undef. Are we
+ * using it wrong or is it broken?
+ */
+static int xc_getSignatureName(lua_State *L) {
+        X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
        int nid;
-        if ((id = luaL_optstring(L, index, NULL))) {
+        if (NID_undef == (nid = X509_get_signature_type(crt)))
-                if (!(md = EVP_get_digestbyname(id)))
+                return 0;
-                        goto unknown;
-        } else {
+        auxL_pushnid(L, nid);
-                if (!(EVP_PKEY_get_default_digest_nid(key, &nid) > 0))
-                        goto unknown;
+        return 1;
-                if (!(md = EVP_get_digestbynid(nid)))
+} /* xc_getSignatureName() */
-                        goto unknown;
+#endif
-        }
-        return md;
-unknown:
-        return EVP_sha1();
-} /* xc_signature() */
 static int xc_sign(lua_State *L) {
        X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
        EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
-        if (!X509_sign(crt, key, xc_signature(L, 3, key)))
+        if (!X509_sign(crt, key, auxL_optdigest(L, 3, key, NULL)))
                return auxL_error(L, auxL_EOPENSSL, "x509.cert:sign");
        lua_pushboolean(L, 1);
@@ -5967,6 +6062,9 @@ static const auxL_Reg xc_methods[] = {
        { "getPublicKey",  &xc_getPublicKey },
        { "setPublicKey",  &xc_setPublicKey },
        { "getPublicKeyDigest", &xc_getPublicKeyDigest },
+#if 0
+        { "getSignatureName", &xc_getSignatureName },
+#endif
        { "sign",          &xc_sign },
        { "text",          &xc_text },
        { "tostring",      &xc__tostring },
@@ -6220,7 +6318,7 @@ static int xr_sign(lua_State *L) {
        X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
        EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
-        if (!X509_REQ_sign(csr, key, xc_signature(L, 3, key)))
+        if (!X509_REQ_sign(csr, key, auxL_optdigest(L, 3, key, NULL)))
                return auxL_error(L, auxL_EOPENSSL, "x509.csr:sign");
        lua_pushboolean(L, 1);
@@ -6595,7 +6693,7 @@ static int xx_sign(lua_State *L) {
        X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
        EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
-        if (!X509_CRL_sign(crl, key, xc_signature(L, 3, key)))
+        if (!X509_CRL_sign(crl, key, auxL_optdigest(L, 3, key, NULL)))
                return auxL_error(L, auxL_EOPENSSL, "x509.crl:sign");
        lua_pushboolean(L, 1);
@@ -6873,6 +6971,16 @@ static int xs_new(lua_State *L) {
 } /* xs_new() */
+static X509_STORE *xs_push(lua_State *L, X509_STORE *store) {
+        X509_STORE **ud = prepsimple(L, X509_STORE_CLASS);
+        X509_STORE_up_ref(store);
+        *ud = store;
+        return *ud;
+} /* xs_push() */
 static int xs_interpose(lua_State *L) {
        return interpose(L, X509_STORE_CLASS);
 } /* xs_interpose() */
@@ -6881,17 +6989,24 @@ static int xs_interpose(lua_State *L) {
 static int xs_add(lua_State *L) {
        X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
        int i, top = lua_gettop(L);
+        X509 *crt, *crt_dup;
+        X509_CRL *crl, *crl_dup;
        for (i = 2; i <= top; i++) {
-                if (lua_isuserdata(L, i)) {
+                if ((crt = testsimple(L, i, X509_CERT_CLASS))) {
-                        X509 *crt = checksimple(L, i, X509_CERT_CLASS);
+                        if (!(crt_dup = X509_dup(crt)))
-                        X509 *dup;
+                                return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
-                        if (!(dup = X509_dup(crt)))
+                        if (!X509_STORE_add_cert(store, crt_dup)) {
+                                X509_free(crt_dup);
+                                return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
+                        }
+                } else if ((crl = testsimple(L, i, X509_CRL_CLASS))) {
+                        if (!(crl_dup = X509_CRL_dup(crl)))
                                return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
-                        if (!X509_STORE_add_cert(store, dup)) {
+                        if (!X509_STORE_add_crl(store, crl_dup)) {
-                                X509_free(dup);
+                                X509_CRL_free(crl_dup);
                                return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
                        }
                } else {
@@ -6918,6 +7033,18 @@ static int xs_add(lua_State *L) {
 } /* xs_add() */
+static int xs_addDefaults(lua_State *L) {
+        X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
+        if (!X509_STORE_set_default_paths(store))
+                return auxL_error(L, auxL_EOPENSSL, "x509.store:addDefaults");
+        lua_pushvalue(L, 1);
+        return 1;
+} /* xs_addDefaults() */
 static int xs_verify(lua_State *L) {
        X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
        X509 *crt = checksimple(L, 2, X509_CERT_CLASS);
@@ -7000,9 +7127,10 @@ static int xs__gc(lua_State *L) {
 static const auxL_Reg xs_methods[] = {
-        { "add",    &xs_add },
+        { "add",         &xs_add },
-        { "verify", &xs_verify },
+        { "addDefaults", &xs_addDefaults },
-        { NULL,     NULL },
+        { "verify",      &xs_verify },
+        { NULL,          NULL },
 };
 static const auxL_Reg xs_metatable[] = {
@@ -7021,6 +7149,15 @@ int luaopen__openssl_x509_store(lua_State *L) {
        auxL_newlib(L, xs_globals, 0);
+        lua_pushstring(L, X509_get_default_cert_dir());
+        lua_setfield(L, -2, "CERT_DIR");
+        lua_pushstring(L, X509_get_default_cert_file());
+        lua_setfield(L, -2, "CERT_FILE");
+        lua_pushstring(L, X509_get_default_cert_dir_env());
+        lua_setfield(L, -2, "CERT_DIR_EVP");
+        lua_pushstring(L, X509_get_default_cert_file_env());
+        lua_setfield(L, -2, "CERT_FILE_EVP");
        return 1;
 } /* luaopen__openssl_x509_store() */
@@ -7366,6 +7503,20 @@ static int sx_setStore(lua_State *L) {
 } /* sx_setStore() */
+static int sx_getStore(lua_State *L) {
+        SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+        X509_STORE *store;
+        if((store = SSL_CTX_get_cert_store(ctx))) {
+                xs_push(L, store);
+        } else {
+                lua_pushnil(L);
+        }
+        return 1;
+} /* sx_getStore() */
 static int sx_setVerify(lua_State *L) {
        SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
        int mode = luaL_optint(L, 2, -1);
@@ -7632,6 +7783,7 @@ static const auxL_Reg sx_methods[] = {
        { "getOptions",       &sx_getOptions },
        { "clearOptions",     &sx_clearOptions },
        { "setStore",         &sx_setStore },
+        { "getStore",         &sx_getStore },
        { "setVerify",        &sx_setVerify },
        { "getVerify",        &sx_getVerify },
        { "setCertificate",   &sx_setCertificate },

diff --git a/src/openssl.c b/src/openssl.c index 8ff21ce..8cf79c0 100644 --- a/src/openssl.c +++ b/src/openssl.c
@@ -77,12 +77,38 @@
77	#include "compat52.h"	77	#include "compat52.h"
78	#endif	78	#endif
79		79
		80	#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p))
		81	#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p)))
		82
		83	#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p))
		84	#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p)))
		85
80	#define OPENSSL_PREREQ(M, m, p) \	86	#define OPENSSL_PREREQ(M, m, p) \
81	(OPENSSL_VERSION_NUMBER >= (((M) << 28) \| ((m) << 20) \| ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER)	87	(OPENSSL_VERSION_NUMBER >= (((M) << 28) \| ((m) << 20) \| ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER)
82		88
83	#define LIBRESSL_PREREQ(M, m, p) \	89	#define LIBRESSL_PREREQ(M, m, p) \
84	(LIBRESSL_VERSION_NUMBER >= (((M) << 28) \| ((m) << 20) \| ((p) << 12)))	90	(LIBRESSL_VERSION_NUMBER >= (((M) << 28) \| ((m) << 20) \| ((p) << 12)))
85		91
		92	#ifndef __has_builtin
		93	#define __has_builtin(x) 0
		94	#endif
		95
		96	#ifndef __has_extension
		97	#define __has_extension(x) 0
		98	#endif
		99
		100	#ifndef HAVE_C___ASSUME
		101	#define HAVE_C___ASSUME MSC_PREREQ(8,0,0)
		102	#endif
		103
		104	#ifndef HAVE_C___BUILTIN_UNREACHABLE
		105	#define HAVE_C___BUILTIN_UNREACHABLE (GNUC_PREREQ(4,5,0) \|\| __has_builtin(__builtin_unreachable))
		106	#endif
		107
		108	#ifndef HAVE_C___DECLSPEC_NORETURN
		109	#define HAVE_C___DECLSPEC_NORETURN MSC_PREREQ(8,0,0)
		110	#endif
		111
86	#ifndef HAVE_ASN1_STRING_GET0_DATA	112	#ifndef HAVE_ASN1_STRING_GET0_DATA
87	#define HAVE_ASN1_STRING_GET0_DATA OPENSSL_PREREQ(1,1,0)	113	#define HAVE_ASN1_STRING_GET0_DATA OPENSSL_PREREQ(1,1,0)
88	#endif	114	#endif
@@ -255,6 +281,10 @@
255	#define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))	281	#define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
256	#endif	282	#endif
257		283
		284	#ifndef HAVE_X509_STORE_UP_REF
		285	#define HAVE_X509_STORE_UP_REF OPENSSL_PREREQ(1,1,0)
		286	#endif
		287
258	#ifndef HAVE_X509_UP_REF	288	#ifndef HAVE_X509_UP_REF
259	#define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)	289	#define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)
260	#endif	290	#endif
@@ -312,6 +342,13 @@
312	#define NOTUSED	342	#define NOTUSED
313	#endif	343	#endif
314		344
		345	#if HAVE_C___BUILTIN_UNREACHABLE
		346	#define NOTREACHED __builtin_unreachable()
		347	#elif HAVE_C___ASSUME
		348	#define NOTREACHED __assume(0)
		349	#else
		350	#define NOTREACHED (void)0
		351	#endif
315		352
316	#define countof(a) (sizeof (a) / sizeof *(a))	353	#define countof(a) (sizeof (a) / sizeof *(a))
317	#define endof(a) (&(a)[countof(a)])	354	#define endof(a) (&(a)[countof(a)])
@@ -706,6 +743,8 @@ static size_t auxS_obj2txt(void dst, size_t lim, const ASN1_OBJECT obj) {
706	return auxS_obj2id(dst, lim, obj);	743	return auxS_obj2id(dst, lim, obj);
707	} /* auxS_obj2txt() */	744	} /* auxS_obj2txt() */
708		745
		746	static const EVP_MD auxS_todigest(const char name, EVP_PKEY key, const EVP_MD def);
		747
709	static _Bool auxS_isoid(const char *txt) {	748	static _Bool auxS_isoid(const char *txt) {
710	return (txt >= '0' && txt <= '9');	749	return (txt >= '0' && txt <= '9');
711	} /* auxS_isoid() */	750	} /* auxS_isoid() */
@@ -1092,8 +1131,9 @@ static const char auxL_pusherror(lua_State L, int error, const char *fun) {
1092		1131
1093	static int auxL_error(lua_State L, int error, const char fun) {	1132	static int auxL_error(lua_State L, int error, const char fun) {
1094	auxL_pusherror(L, error, fun);	1133	auxL_pusherror(L, error, fun);
1095		1134	lua_error(L);
1096	return lua_error(L);	1135	NOTREACHED;
		1136	return 0;
1097	} /* auxL_error() */	1137	} /* auxL_error() */
1098		1138
1099	static const char auxL_pushnid(lua_State L, int nid) {	1139	static const char auxL_pushnid(lua_State L, int nid) {
@@ -1108,6 +1148,8 @@ static const char auxL_pushnid(lua_State L, int nid) {
1108	return lua_tostring(L, -1);	1148	return lua_tostring(L, -1);
1109	} /* auxL_pushnid() */	1149	} /* auxL_pushnid() */
1110		1150
		1151	static const EVP_MD auxL_optdigest(lua_State L, int index, EVP_PKEY key, const EVP_MD def);
		1152
1111		1153
1112	/*	1154	/*
1113	* dl - dynamically loaded module management	1155	* dl - dynamically loaded module management
@@ -1587,6 +1629,18 @@ static void compat_init_X509_STORE_onfree(void store, void data NOTUSED, CRYPT
1587	compat.tmp.store = NULL;	1629	compat.tmp.store = NULL;
1588	} /* compat_init_X509_STORE_onfree() */	1630	} /* compat_init_X509_STORE_onfree() */
1589		1631
		1632	#if !HAVE_X509_STORE_UP_REF
		1633	#define X509_STORE_up_ref(...) compat_X509_STORE_up_ref(__VA_ARGS__)
		1634
		1635	static int compat_X509_STORE_up_ref(X509_STORE *crt) {
		1636	/* our caller should already have had a proper reference */
		1637	if (CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509_STORE) < 2)
		1638	return 0; /* fail */
		1639
		1640	return 1;
		1641	} /* compat_X509_STORE_up_ref() */
		1642	#endif
		1643
1590	#if !HAVE_X509_UP_REF	1644	#if !HAVE_X509_UP_REF
1591	#define X509_up_ref(...) compat_X509_up_ref(__VA_ARGS__)	1645	#define X509_up_ref(...) compat_X509_up_ref(__VA_ARGS__)
1592		1646
@@ -1688,6 +1742,53 @@ sslerr:
1688		1742
1689		1743
1690	/*	1744	/*
		1745	* Auxiliary OpenSSL API routines (with dependencies on OpenSSL compat)
		1746	*
		1747	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
		1748
		1749	static const EVP_MD auxS_todigest(const char name, EVP_PKEY key, const EVP_MD def) {
		1750	const EVP_MD *md;
		1751	int nid;
		1752
		1753	if (name) {
		1754	if ((md = EVP_get_digestbyname(name)))
		1755	return md;
		1756	} else if (key) {
		1757	if ((EVP_PKEY_get_default_digest_nid(key, &nid) > 0)) {
		1758	if ((md = EVP_get_digestbynid(nid)))
		1759	return md;
		1760	}
		1761	}
		1762
		1763	return def;
		1764	} /* auxS_todigest() */
		1765
		1766
		1767	/*
		1768	* Auxiliary Lua API routines (with dependencies on OpenSSL compat)
		1769	*
		1770	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
		1771
		1772	static const EVP_MD auxL_optdigest(lua_State L, int index, EVP_PKEY key, const EVP_MD def) {
		1773	const char *name = luaL_optstring(L, index, NULL);
		1774	const EVP_MD *md;
		1775
		1776	if ((md = auxS_todigest(name, key, NULL)))
		1777	return md;
		1778
		1779	if (name) {
		1780	luaL_argerror(L, index, lua_pushfstring(L, "invalid digest type (%s)", name));
		1781	NOTREACHED;
		1782	} else if (key) {
		1783	luaL_argerror(L, index, lua_pushfstring(L, "no digest type for key type (%d)", EVP_PKEY_base_id(key)));
		1784	NOTREACHED;
		1785	}
		1786
		1787	return def;
		1788	} /* auxL_optdigest() */
		1789
		1790
		1791	/*
1691	* External Application Data Hooks	1792	* External Application Data Hooks
1692	*	1793	*
1693	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */	1794	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@@ -3453,18 +3554,11 @@ static int pk_toPEM(lua_State *L) {
3453	static int pk_getDefaultDigestName(lua_State *L) {	3554	static int pk_getDefaultDigestName(lua_State *L) {
3454	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);	3555	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
3455	int nid;	3556	int nid;
3456	char txt[256];
3457	size_t len;
3458		3557
3459	if (!(EVP_PKEY_get_default_digest_nid(key, &nid) > 0))	3558	if (!(EVP_PKEY_get_default_digest_nid(key, &nid) > 0))
3460	return auxL_error(L, auxL_EOPENSSL, "pkey:getDefaultDigestName");	3559	return auxL_error(L, auxL_EOPENSSL, "pkey:getDefaultDigestName");
3461		3560
3462	if (!(len = auxS_nid2txt(txt, sizeof txt, nid)))	3561	auxL_pushnid(L, nid);
3463	return auxL_error(L, auxL_EOPENSSL, "pkey:getDefaultDigestName");
3464	if (len > sizeof txt)
3465	return auxL_error(L, EOVERFLOW, "pkey:getDefaultDigestName");
3466
3467	lua_pushlstring(L, txt, len);
3468		3562
3469	return 1;	3563	return 1;
3470	} /* pk_getDefaultDigestName() */	3564	} /* pk_getDefaultDigestName() */
@@ -5785,49 +5879,50 @@ static int xc_setPublicKey(lua_State *L) {
5785		5879
5786		5880
5787	static int xc_getPublicKeyDigest(lua_State *L) {	5881	static int xc_getPublicKeyDigest(lua_State *L) {
5788	ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(checksimple(L, 1, X509_CERT_CLASS));	5882	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
5789	const char *id = luaL_optstring(L, 2, "sha1");	5883	EVP_PKEY *key;
5790	const EVP_MD *md;	5884	const EVP_MD *md;
		5885	ASN1_BIT_STRING *bitstr;
5791	unsigned char digest[EVP_MAX_MD_SIZE];	5886	unsigned char digest[EVP_MAX_MD_SIZE];
5792	unsigned int len;	5887	unsigned int len;
5793		5888
5794	if (!(md = EVP_get_digestbyname(id)))	5889	if (!(key = X509_get_pubkey(crt)))
5795	return luaL_error(L, "x509.cert:getPublicKeyDigest: %s: invalid digest type", id);	5890	return luaL_argerror(L, 1, "no public key");
		5891	md = auxL_optdigest(L, 2, key, NULL);
		5892	bitstr = X509_get0_pubkey_bitstr(crt);
5796		5893
5797	if (!EVP_Digest(pk->data, pk->length, digest, &len, md, NULL))	5894	if (!EVP_Digest(bitstr->data, bitstr->length, digest, &len, md, NULL))
5798	return auxL_error(L, auxL_EOPENSSL, "x509.cert:getPublicKeyDigest");	5895	return auxL_error(L, auxL_EOPENSSL, "x509.cert:getPublicKeyDigest");
5799
5800	lua_pushlstring(L, (char *)digest, len);	5896	lua_pushlstring(L, (char *)digest, len);
5801		5897
5802	return 1;	5898	return 1;
5803	} /* xc_getPublicKeyDigest() */	5899	} /* xc_getPublicKeyDigest() */
5804		5900
5805		5901
5806	static const EVP_MD xc_signature(lua_State L, int index, EVP_PKEY *key) {	5902	#if 0
5807	const char *id;	5903	/*
5808	const EVP_MD *md;	5904	* TODO: X509_get_signature_type always seems to return NID_undef. Are we
		5905	* using it wrong or is it broken?
		5906	*/
		5907	static int xc_getSignatureName(lua_State *L) {
		5908	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
5809	int nid;	5909	int nid;
5810		5910
5811	if ((id = luaL_optstring(L, index, NULL))) {	5911	if (NID_undef == (nid = X509_get_signature_type(crt)))
5812	if (!(md = EVP_get_digestbyname(id)))	5912	return 0;
5813	goto unknown;	5913
5814	} else {	5914	auxL_pushnid(L, nid);
5815	if (!(EVP_PKEY_get_default_digest_nid(key, &nid) > 0))	5915
5816	goto unknown;	5916	return 1;
5817	if (!(md = EVP_get_digestbynid(nid)))	5917	} /* xc_getSignatureName() */
5818	goto unknown;	5918	#endif
5819	}
5820		5919
5821	return md;
5822	unknown:
5823	return EVP_sha1();
5824	} /* xc_signature() */
5825		5920
5826	static int xc_sign(lua_State *L) {	5921	static int xc_sign(lua_State *L) {
5827	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);	5922	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
5828	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);	5923	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
5829		5924
5830	if (!X509_sign(crt, key, xc_signature(L, 3, key)))	5925	if (!X509_sign(crt, key, auxL_optdigest(L, 3, key, NULL)))
5831	return auxL_error(L, auxL_EOPENSSL, "x509.cert:sign");	5926	return auxL_error(L, auxL_EOPENSSL, "x509.cert:sign");
5832		5927
5833	lua_pushboolean(L, 1);	5928	lua_pushboolean(L, 1);
@@ -5967,6 +6062,9 @@ static const auxL_Reg xc_methods[] = {
5967	{ "getPublicKey", &xc_getPublicKey },	6062	{ "getPublicKey", &xc_getPublicKey },
5968	{ "setPublicKey", &xc_setPublicKey },	6063	{ "setPublicKey", &xc_setPublicKey },
5969	{ "getPublicKeyDigest", &xc_getPublicKeyDigest },	6064	{ "getPublicKeyDigest", &xc_getPublicKeyDigest },
		6065	#if 0
		6066	{ "getSignatureName", &xc_getSignatureName },
		6067	#endif
5970	{ "sign", &xc_sign },	6068	{ "sign", &xc_sign },
5971	{ "text", &xc_text },	6069	{ "text", &xc_text },
5972	{ "tostring", &xc__tostring },	6070	{ "tostring", &xc__tostring },
@@ -6220,7 +6318,7 @@ static int xr_sign(lua_State *L) {
6220	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);	6318	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
6221	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);	6319	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
6222		6320
6223	if (!X509_REQ_sign(csr, key, xc_signature(L, 3, key)))	6321	if (!X509_REQ_sign(csr, key, auxL_optdigest(L, 3, key, NULL)))
6224	return auxL_error(L, auxL_EOPENSSL, "x509.csr:sign");	6322	return auxL_error(L, auxL_EOPENSSL, "x509.csr:sign");
6225		6323
6226	lua_pushboolean(L, 1);	6324	lua_pushboolean(L, 1);
@@ -6595,7 +6693,7 @@ static int xx_sign(lua_State *L) {
6595	X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);	6693	X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6596	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);	6694	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
6597		6695
6598	if (!X509_CRL_sign(crl, key, xc_signature(L, 3, key)))	6696	if (!X509_CRL_sign(crl, key, auxL_optdigest(L, 3, key, NULL)))
6599	return auxL_error(L, auxL_EOPENSSL, "x509.crl:sign");	6697	return auxL_error(L, auxL_EOPENSSL, "x509.crl:sign");
6600		6698
6601	lua_pushboolean(L, 1);	6699	lua_pushboolean(L, 1);
@@ -6873,6 +6971,16 @@ static int xs_new(lua_State *L) {
6873	} /* xs_new() */	6971	} /* xs_new() */
6874		6972
6875		6973
		6974	static X509_STORE xs_push(lua_State L, X509_STORE *store) {
		6975	X509_STORE **ud = prepsimple(L, X509_STORE_CLASS);
		6976
		6977	X509_STORE_up_ref(store);
		6978	*ud = store;
		6979
		6980	return *ud;
		6981	} /* xs_push() */
		6982
		6983
6876	static int xs_interpose(lua_State *L) {	6984	static int xs_interpose(lua_State *L) {
6877	return interpose(L, X509_STORE_CLASS);	6985	return interpose(L, X509_STORE_CLASS);
6878	} /* xs_interpose() */	6986	} /* xs_interpose() */
@@ -6881,17 +6989,24 @@ static int xs_interpose(lua_State *L) {
6881	static int xs_add(lua_State *L) {	6989	static int xs_add(lua_State *L) {
6882	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);	6990	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
6883	int i, top = lua_gettop(L);	6991	int i, top = lua_gettop(L);
		6992	X509 crt, crt_dup;
		6993	X509_CRL crl, crl_dup;
6884		6994
6885	for (i = 2; i <= top; i++) {	6995	for (i = 2; i <= top; i++) {
6886	if (lua_isuserdata(L, i)) {	6996	if ((crt = testsimple(L, i, X509_CERT_CLASS))) {
6887	X509 *crt = checksimple(L, i, X509_CERT_CLASS);	6997	if (!(crt_dup = X509_dup(crt)))
6888	X509 *dup;	6998	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
6889		6999
6890	if (!(dup = X509_dup(crt)))	7000	if (!X509_STORE_add_cert(store, crt_dup)) {
		7001	X509_free(crt_dup);
		7002	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
		7003	}
		7004	} else if ((crl = testsimple(L, i, X509_CRL_CLASS))) {
		7005	if (!(crl_dup = X509_CRL_dup(crl)))
6891	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");	7006	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
6892		7007
6893	if (!X509_STORE_add_cert(store, dup)) {	7008	if (!X509_STORE_add_crl(store, crl_dup)) {
6894	X509_free(dup);	7009	X509_CRL_free(crl_dup);
6895	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");	7010	return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
6896	}	7011	}
6897	} else {	7012	} else {
@@ -6918,6 +7033,18 @@ static int xs_add(lua_State *L) {
6918	} /* xs_add() */	7033	} /* xs_add() */
6919		7034
6920		7035
		7036	static int xs_addDefaults(lua_State *L) {
		7037	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
		7038
		7039	if (!X509_STORE_set_default_paths(store))
		7040	return auxL_error(L, auxL_EOPENSSL, "x509.store:addDefaults");
		7041
		7042	lua_pushvalue(L, 1);
		7043
		7044	return 1;
		7045	} /* xs_addDefaults() */
		7046
		7047
6921	static int xs_verify(lua_State *L) {	7048	static int xs_verify(lua_State *L) {
6922	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);	7049	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
6923	X509 *crt = checksimple(L, 2, X509_CERT_CLASS);	7050	X509 *crt = checksimple(L, 2, X509_CERT_CLASS);
@@ -7000,9 +7127,10 @@ static int xs__gc(lua_State *L) {
7000		7127
7001		7128
7002	static const auxL_Reg xs_methods[] = {	7129	static const auxL_Reg xs_methods[] = {
7003	{ "add", &xs_add },	7130	{ "add", &xs_add },
7004	{ "verify", &xs_verify },	7131	{ "addDefaults", &xs_addDefaults },
7005	{ NULL, NULL },	7132	{ "verify", &xs_verify },
		7133	{ NULL, NULL },
7006	};	7134	};
7007		7135
7008	static const auxL_Reg xs_metatable[] = {	7136	static const auxL_Reg xs_metatable[] = {
@@ -7021,6 +7149,15 @@ int luaopen__openssl_x509_store(lua_State *L) {
7021		7149
7022	auxL_newlib(L, xs_globals, 0);	7150	auxL_newlib(L, xs_globals, 0);
7023		7151
		7152	lua_pushstring(L, X509_get_default_cert_dir());
		7153	lua_setfield(L, -2, "CERT_DIR");
		7154	lua_pushstring(L, X509_get_default_cert_file());
		7155	lua_setfield(L, -2, "CERT_FILE");
		7156	lua_pushstring(L, X509_get_default_cert_dir_env());
		7157	lua_setfield(L, -2, "CERT_DIR_EVP");
		7158	lua_pushstring(L, X509_get_default_cert_file_env());
		7159	lua_setfield(L, -2, "CERT_FILE_EVP");
		7160
7024	return 1;	7161	return 1;
7025	} /* luaopen__openssl_x509_store() */	7162	} /* luaopen__openssl_x509_store() */
7026		7163
@@ -7366,6 +7503,20 @@ static int sx_setStore(lua_State *L) {
7366	} /* sx_setStore() */	7503	} /* sx_setStore() */
7367		7504
7368		7505
		7506	static int sx_getStore(lua_State *L) {
		7507	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
		7508	X509_STORE *store;
		7509
		7510	if((store = SSL_CTX_get_cert_store(ctx))) {
		7511	xs_push(L, store);
		7512	} else {
		7513	lua_pushnil(L);
		7514	}
		7515
		7516	return 1;
		7517	} /* sx_getStore() */
		7518
		7519
7369	static int sx_setVerify(lua_State *L) {	7520	static int sx_setVerify(lua_State *L) {
7370	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);	7521	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
7371	int mode = luaL_optint(L, 2, -1);	7522	int mode = luaL_optint(L, 2, -1);
@@ -7632,6 +7783,7 @@ static const auxL_Reg sx_methods[] = {
7632	{ "getOptions", &sx_getOptions },	7783	{ "getOptions", &sx_getOptions },
7633	{ "clearOptions", &sx_clearOptions },	7784	{ "clearOptions", &sx_clearOptions },
7634	{ "setStore", &sx_setStore },	7785	{ "setStore", &sx_setStore },
		7786	{ "getStore", &sx_getStore },
7635	{ "setVerify", &sx_setVerify },	7787	{ "setVerify", &sx_setVerify },
7636	{ "getVerify", &sx_getVerify },	7788	{ "getVerify", &sx_getVerify },
7637	{ "setCertificate", &sx_setCertificate },	7789	{ "setCertificate", &sx_setCertificate },