4 -- Copyright (c) 2007, Cameron Rich
6 -- All rights reserved.
8 -- Redistribution and use in source and binary forms, with or without
9 -- modification, are permitted provided that the following conditions are met:
11 -- * Redistributions of source code must retain the above copyright notice,
12 -- this list of conditions and the following disclaimer.
13 -- * Redistributions in binary form must reproduce the above copyright
14 -- notice, this list of conditions and the following disclaimer in the
15 -- documentation and/or other materials provided with the distribution.
16 -- * Neither the name of the axTLS project nor the names of its
17 -- contributors may be used to endorse or promote products derived
18 -- from this software without specific prior written permission.
20 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 -- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 -- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 -- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
24 -- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 -- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26 -- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 -- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 -- OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29 -- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 -- THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 -- Demonstrate the use of the axTLS library in Lua with a set of
35 -- command-line parameters similar to openssl. In fact, openssl clients
36 -- should be able to communicate with axTLS servers and visa-versa.
38 -- This code has various bits enabled depending on the configuration. To enable
39 -- the most interesting version, compile with the 'full mode' enabled.
41 -- To see what options you have, run the following:
42 -- > [lua] axssl s_server -?
43 -- > [lua] axssl s_client -?
45 -- The axtls/axtlsl shared libraries must be in the same directory or be found
51 local socket = require("socket")
54 if #arg == 1 and arg[1] == "version" then
55 print("axssl.lua "..axtlsl.ssl_version())
60 -- We've had some sort of command-line error. Print out the basic options.
62 function print_options(option)
63 print("axssl: Error: '"..option.."' is an invalid command.")
64 print("usage: axssl [s_server|s_client|version] [args ...]")
69 -- We've had some sort of command-line error. Print out the server options.
71 function print_server_options(build_mode, option)
72 local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
73 local ca_cert_size = axtlsl.ssl_get_config(
74 axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
76 print("unknown option "..option)
77 print("usage: s_server [args ...]")
78 print(" -accept\t- port to accept on (default is 4433)")
79 print(" -quiet\t\t- No server output")
81 if build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
82 print(" -cert arg\t- certificate file to add (in addition to "..
83 "default) to chain -")
84 print("\t\t Can repeat up to "..cert_size.." times")
85 print(" -key arg\t- Private key file to use - default DER format")
86 print(" -pass\t\t- private key file pass phrase source")
89 if build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
90 print(" -verify\t- turn on peer certificate verification")
91 print(" -CAfile arg\t- Certificate authority - default DER format")
92 print("\t\t Can repeat up to "..ca_cert_size.." times")
95 if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
96 print(" -debug\t\t- Print more output")
97 print(" -state\t\t- Show state messages")
98 print(" -show-rsa\t- Show RSA state")
105 -- We've had some sort of command-line error. Print out the client options.
107 function print_client_options(build_mode, option)
108 local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
109 local ca_cert_size = axtlsl.ssl_get_config(
110 axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
112 print("unknown option "..option)
114 if build_mode >= axtlsl.SSL_BUILD_ENABLE_CLIENT then
115 print("usage: s_client [args ...]")
116 print(" -connect host:port - who to connect to (default "..
117 "is localhost:4433)")
118 print(" -verify\t- turn on peer certificate verification")
119 print(" -cert arg\t- certificate file to use - default DER format")
120 print(" -key arg\t- Private key file to use - default DER format")
121 print("\t\t Can repeat up to "..cert_size.." times")
122 print(" -CAfile arg\t- Certificate authority - default DER format")
123 print("\t\t Can repeat up to "..ca_cert_size.."times")
124 print(" -quiet\t\t- No client output")
125 print(" -pass\t\t- private key file pass phrase source")
126 print(" -reconnect\t- Drop and re-make the connection "..
127 "with the same Session-ID")
129 if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
130 print(" -debug\t\t- Print more output")
131 print(" -state\t\t- Show state messages")
132 print(" -show-rsa\t- Show RSA state")
135 print("Change configuration to allow this feature")
141 -- Implement the SSL server logic.
142 function do_server(build_mode)
146 local options = axtlsl.SSL_DISPLAY_CERTS
149 local private_key_file = nil
150 local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
151 local ca_cert_size = axtlsl.
152 ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
157 if arg[i] == "-accept" then
159 print_server_options(build_mode, arg[i])
164 elseif arg[i] == "-quiet" then
166 options = bit.band(options, bit.bnot(axtlsl.SSL_DISPLAY_CERTS))
167 elseif build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
168 if arg[i] == "-cert" then
169 if i >= #arg or #cert >= cert_size then
170 print_server_options(build_mode, arg[i])
174 table.insert(cert, arg[i])
175 elseif arg[i] == "-key" then
177 print_server_options(build_mode, arg[i])
181 private_key_file = arg[i]
182 options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
183 elseif arg[i] == "-pass" then
185 print_server_options(build_mode, arg[i])
190 elseif build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
191 if arg[i] == "-verify" then
192 options = bit.bor(options, axtlsl.SSL_CLIENT_AUTHENTICATION)
193 elseif arg[i] == "-CAfile" then
194 if i >= #arg or #ca_cert >= ca_cert_size then
195 print_server_options(build_mode, arg[i])
199 table.insert(ca_cert, arg[i])
200 elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
201 if arg[i] == "-debug" then
202 options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
203 elseif arg[i] == "-state" then
204 options = bit.bor(options, axtlsl.SSL_DISPLAY_STATES)
205 elseif arg[i] == "-show-rsa" then
206 options = bit.bor(options, axtlsl.SSL_DISPLAY_RSA)
208 print_server_options(build_mode, arg[i])
211 print_server_options(build_mode, arg[i])
214 print_server_options(build_mode, arg[i])
217 print_server_options(build_mode, arg[i])
223 -- Create socket for incoming connections
224 local server_sock = socket.try(socket.bind("*", port))
226 ---------------------------------------------------------------------------
227 -- This is where the interesting stuff happens. Up until now we've
228 -- just been setting up sockets etc. Now we do the SSL handshake.
229 ---------------------------------------------------------------------------
230 local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_SVR_SESS)
231 if ssl_ctx == nil then error("Error: Server context is invalid") end
233 if private_key_file ~= nil then
234 local obj_type = axtlsl.SSL_OBJ_RSA_KEY
236 if string.find(private_key_file, ".p8") then
237 obj_type = axtlsl.SSL_OBJ_PKCS8
240 if string.find(private_key_file, ".p12") then
241 obj_type = axtlsl.SSL_OBJ_PKCS12
244 if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file,
245 password) ~= axtlsl.SSL_OK then
246 error("Private key '" .. private_key_file .. "' is undefined.")
250 for _, v in ipairs(cert) do
251 if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~=
253 error("Certificate '"..v .. "' is undefined.")
257 for _, v in ipairs(ca_cert) do
258 if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~=
260 error("Certificate '"..v .."' is undefined.")
265 if not quiet then print("ACCEPT") end
266 local client_sock = server_sock:accept();
267 local ssl = axtlsl.ssl_server_new(ssl_ctx, client_sock:getfd())
269 -- do the actual SSL handshake
270 local connected = false
275 socket.select({client_sock}, nil)
276 res, buf = axtlsl.ssl_read(ssl)
278 if res == axtlsl.SSL_OK then -- connection established and ok
279 if axtlsl.ssl_handshake_status(ssl) == axtlsl.SSL_OK then
280 if not quiet and not connected then
281 display_session_id(ssl)
288 if res > axtlsl.SSL_OK then
289 for _, v in ipairs(buf) do
290 io.write(string.format("%c", v))
292 elseif res < axtlsl.SSL_OK then
294 axtlsl.ssl_display_error(res)
300 -- client was disconnected or the handshake failed.
301 print("CONNECTION CLOSED")
306 axtlsl.ssl_ctx_free(ssl_ctx)
310 -- Implement the SSL client logic.
312 function do_client(build_mode)
317 bit.bor(axtlsl.SSL_SERVER_VERIFY_LATER, axtlsl.SSL_DISPLAY_CERTS)
318 local private_key_file = nil
322 local session_id = {}
323 local host = "127.0.0.1"
324 local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
325 local ca_cert_size = axtlsl.
326 ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
331 if arg[i] == "-connect" then
333 print_client_options(build_mode, arg[i])
337 local t = string.find(arg[i], ":")
338 host = string.sub(arg[i], 1, t-1)
339 port = string.sub(arg[i], t+1)
340 elseif arg[i] == "-cert" then
341 if i >= #arg or #cert >= cert_size then
342 print_client_options(build_mode, arg[i])
346 table.insert(cert, arg[i])
347 elseif arg[i] == "-key" then
349 print_client_options(build_mode, arg[i])
353 private_key_file = arg[i]
354 options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
355 elseif arg[i] == "-CAfile" then
356 if i >= #arg or #ca_cert >= ca_cert_size then
357 print_client_options(build_mode, arg[i])
361 table.insert(ca_cert, arg[i])
362 elseif arg[i] == "-verify" then
363 options = bit.band(options,
364 bit.bnot(axtlsl.SSL_SERVER_VERIFY_LATER))
365 elseif arg[i] == "-reconnect" then
367 elseif arg[i] == "-quiet" then
369 options = bit.band(options, bnot(axtlsl.SSL_DISPLAY_CERTS))
370 elseif arg[i] == "-pass" then
372 print_server_options(build_mode, arg[i])
377 elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
378 if arg[i] == "-debug" then
379 options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
380 elseif arg[i] == "-state" then
381 options = bit.bor(axtlsl.SSL_DISPLAY_STATES)
382 elseif arg[i] == "-show-rsa" then
383 options = bit.bor(axtlsl.SSL_DISPLAY_RSA)
384 else -- don't know what this is
385 print_client_options(build_mode, arg[i])
387 else -- don't know what this is
388 print_client_options(build_mode, arg[i])
394 local client_sock = socket.try(socket.connect(host, port))
398 if not quiet then print("CONNECTED") end
400 ---------------------------------------------------------------------------
401 -- This is where the interesting stuff happens. Up until now we've
402 -- just been setting up sockets etc. Now we do the SSL handshake.
403 ---------------------------------------------------------------------------
404 local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_CLNT_SESS)
406 if ssl_ctx == nil then
407 error("Error: Client context is invalid")
410 if private_key_file ~= nil then
411 local obj_type = axtlsl.SSL_OBJ_RSA_KEY
413 if string.find(private_key_file, ".p8") then
414 obj_type = axtlsl.SSL_OBJ_PKCS8
417 if string.find(private_key_file, ".p12") then
418 obj_type = axtlsl.SSL_OBJ_PKCS12
421 if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file,
422 password) ~= axtlsl.SSL_OK then
423 error("Private key '"..private_key_file.."' is undefined.")
427 for _, v in ipairs(cert) do
428 if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~=
430 error("Certificate '"..v .. "' is undefined.")
434 for _, v in ipairs(ca_cert) do
435 if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~=
437 error("Certificate '"..v .."' is undefined.")
441 -- Try session resumption?
442 if reconnect ~= 0 then
443 local session_id = nil
444 local sess_id_size = 0
446 while reconnect > 0 do
447 reconnect = reconnect - 1
448 ssl = axtlsl.ssl_client_new(ssl_ctx,
449 client_sock:getfd(), session_id, sess_id_size)
451 res = axtlsl.ssl_handshake_status(ssl)
452 if res ~= axtlsl.SSL_OK then
453 if not quiet then axtlsl.ssl_display_error(res) end
458 display_session_id(ssl)
459 session_id = axtlsl.ssl_get_session_id(ssl)
460 sess_id_size = axtlsl.ssl_get_session_id_size(ssl)
462 if reconnect > 0 then
465 client_sock = socket.try(socket.connect(host, port))
470 ssl = axtlsl.ssl_client_new(ssl_ctx, client_sock:getfd(), nil, 0)
473 -- check the return status
474 res = axtlsl.ssl_handshake_status(ssl)
475 if res ~= axtlsl.SSL_OK then
476 if not quiet then axtlsl.ssl_display_error(res) end
481 local common_name = axtlsl.ssl_get_cert_dn(ssl,
482 axtlsl.SSL_X509_CERT_COMMON_NAME)
484 if common_name ~= nil then
485 print("Common Name:\t\t\t"..common_name)
488 display_session_id(ssl)
493 local line = io.read()
494 if line == nil then break end
498 bytes[i] = line.byte(line, i)
501 bytes[#line+1] = 10 -- add carriage return, null
504 res = axtlsl.ssl_write(ssl, bytes, #bytes)
505 if res < axtlsl.SSL_OK then
506 if not quiet then axtlsl.ssl_display_error(res) end
511 axtlsl.ssl_ctx_free(ssl_ctx)
516 -- Display what cipher we are using
518 function display_cipher(ssl)
519 io.write("CIPHER is ")
520 local cipher_id = axtlsl.ssl_get_cipher_id(ssl)
522 if cipher_id == axtlsl.SSL_AES128_SHA then
524 elseif cipher_id == axtlsl.SSL_AES256_SHA then
526 elseif axtlsl.SSL_RC4_128_SHA then
528 elseif axtlsl.SSL_RC4_128_MD5 then
531 print("Unknown - "..cipher_id)
536 -- Display what session id we have.
538 function display_session_id(ssl)
539 local session_id = axtlsl.ssl_get_session_id(ssl)
542 if #session_id > 0 then
543 print("-----BEGIN SSL SESSION PARAMETERS-----")
544 for _, v in ipairs(session_id) do
545 io.write(string.format("%02x", v))
547 print("\n-----END SSL SESSION PARAMETERS-----")
552 -- Main entry point. Doesn't do much except works out whether we are a client
555 if #arg == 0 or (arg[1] ~= "s_server" and arg[1] ~= "s_client") then
556 print_options(#arg > 0 and arg[1] or "")
559 local build_mode = axtlsl.ssl_get_config(axtlsl.SSL_BUILD_MODE)
560 _ = arg[1] == "s_server" and do_server(build_mode) or do_client(build_mode)