Annotation of embedaddon/axTLS/samples/lua/axssl.lua, revision 1.1.1.1
1.1 misho 1: #!/usr/local/bin/lua
2:
3: --
4: -- Copyright (c) 2007, Cameron Rich
5: --
6: -- All rights reserved.
7: --
8: -- Redistribution and use in source and binary forms, with or without
9: -- modification, are permitted provided that the following conditions are met:
10: --
11: -- * Redistributions of source code must retain the above copyright notice,
12: -- this list of conditions and the following disclaimer.
13: -- * Redistributions in binary form must reproduce the above copyright
14: -- notice, this list of conditions and the following disclaimer in the
15: -- documentation and/or other materials provided with the distribution.
16: -- * Neither the name of the axTLS project nor the names of its
17: -- contributors may be used to endorse or promote products derived
18: -- from this software without specific prior written permission.
19: --
20: -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21: -- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22: -- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23: -- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
24: -- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25: -- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26: -- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27: -- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28: -- OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29: -- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30: -- THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31: --
32:
33: --
34: -- Demonstrate the use of the axTLS library in Lua with a set of
35: -- command-line parameters similar to openssl. In fact, openssl clients
36: -- should be able to communicate with axTLS servers and visa-versa.
37: --
38: -- This code has various bits enabled depending on the configuration. To enable
39: -- the most interesting version, compile with the 'full mode' enabled.
40: --
41: -- To see what options you have, run the following:
42: -- > [lua] axssl s_server -?
43: -- > [lua] axssl s_client -?
44: --
45: -- The axtls/axtlsl shared libraries must be in the same directory or be found
46: -- by the OS.
47: --
48: --
49: require "bit"
50: require("axtlsl")
51: local socket = require("socket")
52:
53: -- print version?
54: if #arg == 1 and arg[1] == "version" then
55: print("axssl.lua "..axtlsl.ssl_version())
56: os.exit(1)
57: end
58:
59: --
60: -- We've had some sort of command-line error. Print out the basic options.
61: --
62: function print_options(option)
63: print("axssl: Error: '"..option.."' is an invalid command.")
64: print("usage: axssl [s_server|s_client|version] [args ...]")
65: os.exit(1)
66: end
67:
68: --
69: -- We've had some sort of command-line error. Print out the server options.
70: --
71: function print_server_options(build_mode, option)
72: local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
73: local ca_cert_size = axtlsl.ssl_get_config(
74: axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
75:
76: print("unknown option "..option)
77: print("usage: s_server [args ...]")
78: print(" -accept\t- port to accept on (default is 4433)")
79: print(" -quiet\t\t- No server output")
80:
81: if build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
82: print(" -cert arg\t- certificate file to add (in addition to "..
83: "default) to chain -")
84: print("\t\t Can repeat up to "..cert_size.." times")
85: print(" -key arg\t- Private key file to use - default DER format")
86: print(" -pass\t\t- private key file pass phrase source")
87: end
88:
89: if build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
90: print(" -verify\t- turn on peer certificate verification")
91: print(" -CAfile arg\t- Certificate authority - default DER format")
92: print("\t\t Can repeat up to "..ca_cert_size.." times")
93: end
94:
95: if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
96: print(" -debug\t\t- Print more output")
97: print(" -state\t\t- Show state messages")
98: print(" -show-rsa\t- Show RSA state")
99: end
100:
101: os.exit(1)
102: end
103:
104: --
105: -- We've had some sort of command-line error. Print out the client options.
106: --
107: function print_client_options(build_mode, option)
108: local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
109: local ca_cert_size = axtlsl.ssl_get_config(
110: axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
111:
112: print("unknown option "..option)
113:
114: if build_mode >= axtlsl.SSL_BUILD_ENABLE_CLIENT then
115: print("usage: s_client [args ...]")
116: print(" -connect host:port - who to connect to (default "..
117: "is localhost:4433)")
118: print(" -verify\t- turn on peer certificate verification")
119: print(" -cert arg\t- certificate file to use - default DER format")
120: print(" -key arg\t- Private key file to use - default DER format")
121: print("\t\t Can repeat up to "..cert_size.." times")
122: print(" -CAfile arg\t- Certificate authority - default DER format")
123: print("\t\t Can repeat up to "..ca_cert_size.."times")
124: print(" -quiet\t\t- No client output")
125: print(" -pass\t\t- private key file pass phrase source")
126: print(" -reconnect\t- Drop and re-make the connection "..
127: "with the same Session-ID")
128:
129: if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
130: print(" -debug\t\t- Print more output")
131: print(" -state\t\t- Show state messages")
132: print(" -show-rsa\t- Show RSA state")
133: end
134: else
135: print("Change configuration to allow this feature")
136: end
137:
138: os.exit(1)
139: end
140:
141: -- Implement the SSL server logic.
142: function do_server(build_mode)
143: local i = 2
144: local v
145: local port = 4433
146: local options = axtlsl.SSL_DISPLAY_CERTS
147: local quiet = false
148: local password = ""
149: local private_key_file = nil
150: local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
151: local ca_cert_size = axtlsl.
152: ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
153: local cert = {}
154: local ca_cert = {}
155:
156: while i <= #arg do
157: if arg[i] == "-accept" then
158: if i >= #arg then
159: print_server_options(build_mode, arg[i])
160: end
161:
162: i = i + 1
163: port = arg[i]
164: elseif arg[i] == "-quiet" then
165: quiet = true
166: options = bit.band(options, bit.bnot(axtlsl.SSL_DISPLAY_CERTS))
167: elseif build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
168: if arg[i] == "-cert" then
169: if i >= #arg or #cert >= cert_size then
170: print_server_options(build_mode, arg[i])
171: end
172:
173: i = i + 1
174: table.insert(cert, arg[i])
175: elseif arg[i] == "-key" then
176: if i >= #arg then
177: print_server_options(build_mode, arg[i])
178: end
179:
180: i = i + 1
181: private_key_file = arg[i]
182: options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
183: elseif arg[i] == "-pass" then
184: if i >= #arg then
185: print_server_options(build_mode, arg[i])
186: end
187:
188: i = i + 1
189: password = arg[i]
190: elseif build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
191: if arg[i] == "-verify" then
192: options = bit.bor(options, axtlsl.SSL_CLIENT_AUTHENTICATION)
193: elseif arg[i] == "-CAfile" then
194: if i >= #arg or #ca_cert >= ca_cert_size then
195: print_server_options(build_mode, arg[i])
196: end
197:
198: i = i + 1
199: table.insert(ca_cert, arg[i])
200: elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
201: if arg[i] == "-debug" then
202: options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
203: elseif arg[i] == "-state" then
204: options = bit.bor(options, axtlsl.SSL_DISPLAY_STATES)
205: elseif arg[i] == "-show-rsa" then
206: options = bit.bor(options, axtlsl.SSL_DISPLAY_RSA)
207: else
208: print_server_options(build_mode, arg[i])
209: end
210: else
211: print_server_options(build_mode, arg[i])
212: end
213: else
214: print_server_options(build_mode, arg[i])
215: end
216: else
217: print_server_options(build_mode, arg[i])
218: end
219:
220: i = i + 1
221: end
222:
223: -- Create socket for incoming connections
224: local server_sock = socket.try(socket.bind("*", port))
225:
226: ---------------------------------------------------------------------------
227: -- This is where the interesting stuff happens. Up until now we've
228: -- just been setting up sockets etc. Now we do the SSL handshake.
229: ---------------------------------------------------------------------------
230: local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_SVR_SESS)
231: if ssl_ctx == nil then error("Error: Server context is invalid") end
232:
233: if private_key_file ~= nil then
234: local obj_type = axtlsl.SSL_OBJ_RSA_KEY
235:
236: if string.find(private_key_file, ".p8") then
237: obj_type = axtlsl.SSL_OBJ_PKCS8
238: end
239:
240: if string.find(private_key_file, ".p12") then
241: obj_type = axtlsl.SSL_OBJ_PKCS12
242: end
243:
244: if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file,
245: password) ~= axtlsl.SSL_OK then
246: error("Private key '" .. private_key_file .. "' is undefined.")
247: end
248: end
249:
250: for _, v in ipairs(cert) do
251: if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~=
252: axtlsl.SSL_OK then
253: error("Certificate '"..v .. "' is undefined.")
254: end
255: end
256:
257: for _, v in ipairs(ca_cert) do
258: if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~=
259: axtlsl.SSL_OK then
260: error("Certificate '"..v .."' is undefined.")
261: end
262: end
263:
264: while true do
265: if not quiet then print("ACCEPT") end
266: local client_sock = server_sock:accept();
267: local ssl = axtlsl.ssl_server_new(ssl_ctx, client_sock:getfd())
268:
269: -- do the actual SSL handshake
270: local connected = false
271: local res
272: local buf
273:
274: while true do
275: socket.select({client_sock}, nil)
276: res, buf = axtlsl.ssl_read(ssl)
277:
278: if res == axtlsl.SSL_OK then -- connection established and ok
279: if axtlsl.ssl_handshake_status(ssl) == axtlsl.SSL_OK then
280: if not quiet and not connected then
281: display_session_id(ssl)
282: display_cipher(ssl)
283: end
284: connected = true
285: end
286: end
287:
288: if res > axtlsl.SSL_OK then
289: for _, v in ipairs(buf) do
290: io.write(string.format("%c", v))
291: end
292: elseif res < axtlsl.SSL_OK then
293: if not quiet then
294: axtlsl.ssl_display_error(res)
295: end
296: break
297: end
298: end
299:
300: -- client was disconnected or the handshake failed.
301: print("CONNECTION CLOSED")
302: axtlsl.ssl_free(ssl)
303: client_sock:close()
304: end
305:
306: axtlsl.ssl_ctx_free(ssl_ctx)
307: end
308:
309: --
310: -- Implement the SSL client logic.
311: --
312: function do_client(build_mode)
313: local i = 2
314: local v
315: local port = 4433
316: local options =
317: bit.bor(axtlsl.SSL_SERVER_VERIFY_LATER, axtlsl.SSL_DISPLAY_CERTS)
318: local private_key_file = nil
319: local reconnect = 0
320: local quiet = false
321: local password = ""
322: local session_id = {}
323: local host = "127.0.0.1"
324: local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
325: local ca_cert_size = axtlsl.
326: ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
327: local cert = {}
328: local ca_cert = {}
329:
330: while i <= #arg do
331: if arg[i] == "-connect" then
332: if i >= #arg then
333: print_client_options(build_mode, arg[i])
334: end
335:
336: i = i + 1
337: local t = string.find(arg[i], ":")
338: host = string.sub(arg[i], 1, t-1)
339: port = string.sub(arg[i], t+1)
340: elseif arg[i] == "-cert" then
341: if i >= #arg or #cert >= cert_size then
342: print_client_options(build_mode, arg[i])
343: end
344:
345: i = i + 1
346: table.insert(cert, arg[i])
347: elseif arg[i] == "-key" then
348: if i >= #arg then
349: print_client_options(build_mode, arg[i])
350: end
351:
352: i = i + 1
353: private_key_file = arg[i]
354: options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
355: elseif arg[i] == "-CAfile" then
356: if i >= #arg or #ca_cert >= ca_cert_size then
357: print_client_options(build_mode, arg[i])
358: end
359:
360: i = i + 1
361: table.insert(ca_cert, arg[i])
362: elseif arg[i] == "-verify" then
363: options = bit.band(options,
364: bit.bnot(axtlsl.SSL_SERVER_VERIFY_LATER))
365: elseif arg[i] == "-reconnect" then
366: reconnect = 4
367: elseif arg[i] == "-quiet" then
368: quiet = true
369: options = bit.band(options, bnot(axtlsl.SSL_DISPLAY_CERTS))
370: elseif arg[i] == "-pass" then
371: if i >= #arg then
372: print_server_options(build_mode, arg[i])
373: end
374:
375: i = i + 1
376: password = arg[i]
377: elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
378: if arg[i] == "-debug" then
379: options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
380: elseif arg[i] == "-state" then
381: options = bit.bor(axtlsl.SSL_DISPLAY_STATES)
382: elseif arg[i] == "-show-rsa" then
383: options = bit.bor(axtlsl.SSL_DISPLAY_RSA)
384: else -- don't know what this is
385: print_client_options(build_mode, arg[i])
386: end
387: else -- don't know what this is
388: print_client_options(build_mode, arg[i])
389: end
390:
391: i = i + 1
392: end
393:
394: local client_sock = socket.try(socket.connect(host, port))
395: local ssl
396: local res
397:
398: if not quiet then print("CONNECTED") end
399:
400: ---------------------------------------------------------------------------
401: -- This is where the interesting stuff happens. Up until now we've
402: -- just been setting up sockets etc. Now we do the SSL handshake.
403: ---------------------------------------------------------------------------
404: local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_CLNT_SESS)
405:
406: if ssl_ctx == nil then
407: error("Error: Client context is invalid")
408: end
409:
410: if private_key_file ~= nil then
411: local obj_type = axtlsl.SSL_OBJ_RSA_KEY
412:
413: if string.find(private_key_file, ".p8") then
414: obj_type = axtlsl.SSL_OBJ_PKCS8
415: end
416:
417: if string.find(private_key_file, ".p12") then
418: obj_type = axtlsl.SSL_OBJ_PKCS12
419: end
420:
421: if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file,
422: password) ~= axtlsl.SSL_OK then
423: error("Private key '"..private_key_file.."' is undefined.")
424: end
425: end
426:
427: for _, v in ipairs(cert) do
428: if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~=
429: axtlsl.SSL_OK then
430: error("Certificate '"..v .. "' is undefined.")
431: end
432: end
433:
434: for _, v in ipairs(ca_cert) do
435: if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~=
436: axtlsl.SSL_OK then
437: error("Certificate '"..v .."' is undefined.")
438: end
439: end
440:
441: -- Try session resumption?
442: if reconnect ~= 0 then
443: local session_id = nil
444: local sess_id_size = 0
445:
446: while reconnect > 0 do
447: reconnect = reconnect - 1
448: ssl = axtlsl.ssl_client_new(ssl_ctx,
449: client_sock:getfd(), session_id, sess_id_size)
450:
451: res = axtlsl.ssl_handshake_status(ssl)
452: if res ~= axtlsl.SSL_OK then
453: if not quiet then axtlsl.ssl_display_error(res) end
454: axtlsl.ssl_free(ssl)
455: os.exit(1)
456: end
457:
458: display_session_id(ssl)
459: session_id = axtlsl.ssl_get_session_id(ssl)
460: sess_id_size = axtlsl.ssl_get_session_id_size(ssl)
461:
462: if reconnect > 0 then
463: axtlsl.ssl_free(ssl)
464: client_sock:close()
465: client_sock = socket.try(socket.connect(host, port))
466: end
467:
468: end
469: else
470: ssl = axtlsl.ssl_client_new(ssl_ctx, client_sock:getfd(), nil, 0)
471: end
472:
473: -- check the return status
474: res = axtlsl.ssl_handshake_status(ssl)
475: if res ~= axtlsl.SSL_OK then
476: if not quiet then axtlsl.ssl_display_error(res) end
477: os.exit(1)
478: end
479:
480: if not quiet then
481: local common_name = axtlsl.ssl_get_cert_dn(ssl,
482: axtlsl.SSL_X509_CERT_COMMON_NAME)
483:
484: if common_name ~= nil then
485: print("Common Name:\t\t\t"..common_name)
486: end
487:
488: display_session_id(ssl)
489: display_cipher(ssl)
490: end
491:
492: while true do
493: local line = io.read()
494: if line == nil then break end
495: local bytes = {}
496:
497: for i = 1, #line do
498: bytes[i] = line.byte(line, i)
499: end
500:
501: bytes[#line+1] = 10 -- add carriage return, null
502: bytes[#line+2] = 0
503:
504: res = axtlsl.ssl_write(ssl, bytes, #bytes)
505: if res < axtlsl.SSL_OK then
506: if not quiet then axtlsl.ssl_display_error(res) end
507: break
508: end
509: end
510:
511: axtlsl.ssl_ctx_free(ssl_ctx)
512: client_sock:close()
513: end
514:
515: --
516: -- Display what cipher we are using
517: --
518: function display_cipher(ssl)
519: io.write("CIPHER is ")
520: local cipher_id = axtlsl.ssl_get_cipher_id(ssl)
521:
522: if cipher_id == axtlsl.SSL_AES128_SHA then
523: print("AES128-SHA")
524: elseif cipher_id == axtlsl.SSL_AES256_SHA then
525: print("AES256-SHA")
526: elseif axtlsl.SSL_RC4_128_SHA then
527: print("RC4-SHA")
528: elseif axtlsl.SSL_RC4_128_MD5 then
529: print("RC4-MD5")
530: else
531: print("Unknown - "..cipher_id)
532: end
533: end
534:
535: --
536: -- Display what session id we have.
537: --
538: function display_session_id(ssl)
539: local session_id = axtlsl.ssl_get_session_id(ssl)
540: local v
541:
542: if #session_id > 0 then
543: print("-----BEGIN SSL SESSION PARAMETERS-----")
544: for _, v in ipairs(session_id) do
545: io.write(string.format("%02x", v))
546: end
547: print("\n-----END SSL SESSION PARAMETERS-----")
548: end
549: end
550:
551: --
552: -- Main entry point. Doesn't do much except works out whether we are a client
553: -- or a server.
554: --
555: if #arg == 0 or (arg[1] ~= "s_server" and arg[1] ~= "s_client") then
556: print_options(#arg > 0 and arg[1] or "")
557: end
558:
559: local build_mode = axtlsl.ssl_get_config(axtlsl.SSL_BUILD_MODE)
560: _ = arg[1] == "s_server" and do_server(build_mode) or do_client(build_mode)
561: os.exit(0)
562:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to axssl.lua CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / axTLS / samples / lua