Squashed 'src/deps/src/luasec/' content from commit fddde111f
git-subtree-dir: src/deps/src/luasec git-subtree-split: fddde111f7fe9ad5417d75ebbd70429d13eaad97
This commit is contained in:
commit
a7d4cc5bba
|
@ -0,0 +1,3 @@
|
|||
/src/*.o
|
||||
/src/luasocket/*.o
|
||||
/*.dll
|
|
@ -0,0 +1,248 @@
|
|||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.3.1
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix: check if PSK is available
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.3.0
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
|
||||
* Add Pre-Shared Key (PSK) support (@jclab-joseph)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.2.0
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Add key material export method
|
||||
* Backguard compat for openssl on providers, like LTS linuxes
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.1.0
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix missing DANE flag
|
||||
* Remove unused parameter in https.lua
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.0.2
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix handle SSL_send SYSCALL error without errno
|
||||
* Fix off by one in cert:validat(notafter)
|
||||
* Fix meth_get_{sinagure => signature}_name function name
|
||||
* Fix update the Lua state reference on the selected SSL context after SNI
|
||||
* Fix ignore SSL_OP_BIT(n) macro and update option.c
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.0.1
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
|
||||
* Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 1.0
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
|
||||
* Add cert:getsignaturename()
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.9
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
|
||||
* Add DNS-based Authentication of Named Entities (DANE) support
|
||||
* Add __close() metamethod
|
||||
* Fix deprecation warnings with OpenSSL 1.1
|
||||
* Fix special case listing of TLS 1.3 EC curves
|
||||
* Fix general_name leak in cert:extensions()
|
||||
* Fix unexported 'ssl.config' table
|
||||
* Replace $(LD) with $(CCLD) variable
|
||||
* Remove multiple definitions of 'ssl_options' variable
|
||||
* Use tag in git format: v0.9
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.8.2
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix unexported 'ssl.config' table (backported)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.8.1
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix general_name leak in cert:extensions() (backported)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.8
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Add support to ALPN
|
||||
* Add support to TLS 1.3
|
||||
* Add support to multiple certificates
|
||||
* Add timeout to https module (https.TIMEOUT)
|
||||
* Drop support to SSL 3.0
|
||||
* Drop support to TLS 1.0 from https module
|
||||
* Fix invalid reference to Lua state
|
||||
* Fix memory leak when get certficate extensions
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.7.2
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix unexported 'ssl.config' table (backported)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.7.1
|
||||
---------------
|
||||
This version includes:
|
||||
|
||||
* Fix general_name leak in cert:extensions() (backported)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.7
|
||||
---------------
|
||||
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
|
||||
easy to add secure connections to any Lua applications or scripts.
|
||||
|
||||
Documentation: https://github.com/brunoos/luasec/wiki
|
||||
|
||||
This version includes:
|
||||
|
||||
* Add support to OpenSSL 1.1.0
|
||||
* Add support to elliptic curves list
|
||||
* Add ssl.config that exports some OpenSSL information
|
||||
* Add integration with luaossl
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.6
|
||||
------------
|
||||
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
|
||||
easy to add secure connections to any Lua applications or scripts.
|
||||
|
||||
Documentation: https://github.com/brunoos/luasec/wiki
|
||||
|
||||
This version includes:
|
||||
|
||||
* Lua 5.2 and 5.3 compatibility
|
||||
|
||||
* Context module:
|
||||
- Add ctx:checkkey()
|
||||
|
||||
* SSL module:
|
||||
- Add conn:sni() and conn:getsniname()
|
||||
|
||||
* Context options:
|
||||
- Add "any" protocol ("sslv23" is deprecated)
|
||||
|
||||
* HTTPS module:
|
||||
- Using "any" protocol without SSLv2/SSLv3, by default
|
||||
|
||||
* X509 module:
|
||||
- Human readable IP address
|
||||
- Add cert:issued()
|
||||
- Add cert:pubkey()
|
||||
|
||||
* Some bug fixes
|
||||
|
||||
|
||||
=> Thanks to everyone who collaborate with LuaSec <=
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.5
|
||||
------------
|
||||
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
|
||||
easy to add secure connections to any Lua applications or scripts.
|
||||
|
||||
This version includes:
|
||||
|
||||
* A new certificate (X509) API, which supports:
|
||||
- Reading the subject (identity) and issuer of the certificate.
|
||||
- Reading various X509 extensions, including email and dnsName.
|
||||
- Converting certificates to and from the standard ASCII PEM
|
||||
format.
|
||||
- Generating the fingerprint/digest of a certificate (using SHA1,
|
||||
SHA256 or SHA512).
|
||||
- Reading the certificate's expiration, serial number, and other
|
||||
info.
|
||||
|
||||
* The ability to get more detailed information from OpenSSL about
|
||||
why a certificate failed verification, for each certificate in the
|
||||
chain.
|
||||
|
||||
* Flags to force acceptance of invalid certificates, e.g. to allow
|
||||
the use of self-signed certificates in a Trust On First Use model.
|
||||
|
||||
* Flags to control checking CRLs for certificate revocation status.
|
||||
|
||||
* Support for ECDH cipher suites.
|
||||
|
||||
* An API to get the TLS 'finished' messages used for SASL channel
|
||||
binding (e.g. the SCRAM PLUS mechanisms).
|
||||
|
||||
The work in this release was undertaken by Kim Alvefur, Paul Aurich,
|
||||
Tobias Markmann, Bruno Silvestre and Matthew Wild.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.4.1
|
||||
------------
|
||||
- SSL options updated --- based on OpenSSL 1.0.0d.
|
||||
- Activate SSL_MODE_RELEASE_BUFFERS by default if it is available.
|
||||
(thanks Prosody project)
|
||||
|
||||
---------------------------------------------------------------------------------
|
||||
LuaSec 0.4
|
||||
------------
|
||||
- Add option 'no_ticket' (included in OpenSSL 0.9.8f).
|
||||
- Add HTTPS module. (thanks Tomas Guisasola and Pablo Musa)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.3.3
|
||||
------------
|
||||
- BUG: Clear the error queue before call I/O functions (see SSL_get_error
|
||||
manual).
|
||||
(thanks Matthew Wild)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.3.2
|
||||
------------
|
||||
- BUG: Windows uses a different way to report socket error.
|
||||
(thanks Sebastien Perin)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.3.1
|
||||
------------
|
||||
- BUG: receive("a") returns 'closed' error instead of the content when the
|
||||
SSL/TLS connection is shut down cleanly. (thanks Matthias Diener)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.3
|
||||
----------
|
||||
- Add functions ssl.rawcontext() and ssl.rawconnection()
|
||||
- Add support to encrypted key password. (thanks Norbert Kiesel)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.2.1
|
||||
------------
|
||||
- 'key' and 'certificate' configurations become optional. (thanks René Rebe)
|
||||
- Add '_VERSION' variable to module.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
LuaSec 0.2
|
||||
----------
|
||||
Initial version
|
|
@ -0,0 +1,39 @@
|
|||
LuaSec 1.3.1
|
||||
------------
|
||||
|
||||
* OpenSSL options:
|
||||
|
||||
By default, this version includes options for OpenSSL 3.0.8
|
||||
|
||||
If you need to generate the options for a different version of OpenSSL:
|
||||
|
||||
$ cd src
|
||||
$ lua options.lua -g /usr/include/openssl/ssl.h > options.c
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
* On Linux, BSD, and Mac OS X:
|
||||
|
||||
- Edit 'Makefile'
|
||||
* Inform the path to where install the Lua modules (LUAPATH) and binaries
|
||||
modules (LUACPATH)
|
||||
* If Lua or OpenSSL are not in the default path, set the
|
||||
variables INCDIR and LIBDIR.
|
||||
* For Mac OS X, set the variable MACOSX_VERSION.
|
||||
|
||||
- Use 'make <platform>' to compile
|
||||
* Platforms: linux, bsd, or macosx
|
||||
|
||||
- Use 'make install' to install the modules.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
* On Windows:
|
||||
|
||||
- Use the Visual C++ project to compile the library.
|
||||
|
||||
- Copy the 'ssl.lua' file to some place in your LUA_PATH.
|
||||
|
||||
- Copy the 'ssl.dll' file to some place in your LUA_CPATH.
|
||||
|
||||
- Create a directory 'ssl' in your LUA_PATH and copy 'https.lua' to it.
|
|
@ -0,0 +1,21 @@
|
|||
LuaSec 1.3.1 license
|
||||
Copyright (C) 2006-2023 Bruno Silvestre, UFG
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -0,0 +1,56 @@
|
|||
# Inform the location to install the modules
|
||||
LUAPATH ?= /usr/share/lua/5.1
|
||||
LUACPATH ?= /usr/lib/lua/5.1
|
||||
|
||||
# Compile with build-in LuaSocket's help files.
|
||||
# Comment this lines if you will link with non-internal LuaSocket's help files
|
||||
# and edit INCDIR and LIBDIR properly.
|
||||
EXTRA = luasocket
|
||||
DEFS = -DWITH_LUASOCKET
|
||||
|
||||
# Edit the lines below to inform new path, if necessary.
|
||||
# Path below points to internal LuaSocket's help files.
|
||||
INC_PATH ?= -I/usr/include
|
||||
LIB_PATH ?= -L/usr/lib
|
||||
INCDIR = -I. $(INC_PATH)
|
||||
LIBDIR = -L./luasocket $(LIB_PATH)
|
||||
|
||||
# For Mac OS X: set the system version
|
||||
MACOSX_VERSION=10.11
|
||||
|
||||
#----------------------
|
||||
# Do not edit this part
|
||||
|
||||
.PHONY: all clean install none linux bsd macosx
|
||||
|
||||
all: none
|
||||
|
||||
none:
|
||||
@echo "Usage: $(MAKE) <platform>"
|
||||
@echo " * linux"
|
||||
@echo " * bsd"
|
||||
@echo " * macosx"
|
||||
|
||||
install:
|
||||
@cd src && $(MAKE) LUACPATH="$(LUACPATH)" LUAPATH="$(LUAPATH)" install
|
||||
|
||||
linux:
|
||||
@echo "---------------------"
|
||||
@echo "** Build for Linux **"
|
||||
@echo "---------------------"
|
||||
@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
|
||||
|
||||
bsd:
|
||||
@echo "-------------------"
|
||||
@echo "** Build for BSD **"
|
||||
@echo "-------------------"
|
||||
@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
|
||||
|
||||
macosx:
|
||||
@echo "------------------------------"
|
||||
@echo "** Build for Mac OS X $(MACOSX_VERSION) **"
|
||||
@echo "------------------------------"
|
||||
@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" MACVER="$(MACOSX_VERSION)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
|
||||
|
||||
clean:
|
||||
@cd src && $(MAKE) clean
|
|
@ -0,0 +1,6 @@
|
|||
LuaSec 1.3.1
|
||||
===============
|
||||
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
|
||||
easy to add secure connections to any Lua applications or scripts.
|
||||
|
||||
Documentation: https://github.com/brunoos/luasec/wiki
|
|
@ -0,0 +1,105 @@
|
|||
package = "LuaSec"
|
||||
version = "1.3.1-1"
|
||||
source = {
|
||||
url = "git+https://github.com/brunoos/luasec",
|
||||
tag = "v1.3.1",
|
||||
}
|
||||
description = {
|
||||
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
|
||||
detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
|
||||
homepage = "https://github.com/brunoos/luasec/wiki",
|
||||
license = "MIT"
|
||||
}
|
||||
dependencies = {
|
||||
"lua >= 5.1", "luasocket"
|
||||
}
|
||||
external_dependencies = {
|
||||
platforms = {
|
||||
unix = {
|
||||
OPENSSL = {
|
||||
header = "openssl/ssl.h",
|
||||
library = "ssl"
|
||||
}
|
||||
},
|
||||
windows = {
|
||||
OPENSSL = {
|
||||
header = "openssl/ssl.h",
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
build = {
|
||||
type = "builtin",
|
||||
copy_directories = {
|
||||
"samples"
|
||||
},
|
||||
platforms = {
|
||||
unix = {
|
||||
install = {
|
||||
lib = {
|
||||
"ssl.so"
|
||||
},
|
||||
lua = {
|
||||
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
|
||||
}
|
||||
},
|
||||
modules = {
|
||||
ssl = {
|
||||
defines = {
|
||||
"WITH_LUASOCKET", "LUASOCKET_DEBUG",
|
||||
},
|
||||
incdirs = {
|
||||
"$(OPENSSL_INCDIR)", "src/", "src/luasocket",
|
||||
},
|
||||
libdirs = {
|
||||
"$(OPENSSL_LIBDIR)"
|
||||
},
|
||||
libraries = {
|
||||
"ssl", "crypto"
|
||||
},
|
||||
sources = {
|
||||
"src/options.c", "src/config.c", "src/ec.c",
|
||||
"src/x509.c", "src/context.c", "src/ssl.c",
|
||||
"src/luasocket/buffer.c", "src/luasocket/io.c",
|
||||
"src/luasocket/timeout.c", "src/luasocket/usocket.c"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
windows = {
|
||||
install = {
|
||||
lib = {
|
||||
"ssl.dll"
|
||||
},
|
||||
lua = {
|
||||
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
|
||||
}
|
||||
},
|
||||
modules = {
|
||||
ssl = {
|
||||
defines = {
|
||||
"WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
|
||||
"WITH_LUASOCKET", "LUASOCKET_DEBUG",
|
||||
"LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
|
||||
},
|
||||
libdirs = {
|
||||
"$(OPENSSL_LIBDIR)",
|
||||
"$(OPENSSL_BINDIR)",
|
||||
},
|
||||
libraries = {
|
||||
"libssl", "libcrypto", "ws2_32"
|
||||
},
|
||||
incdirs = {
|
||||
"$(OPENSSL_INCDIR)", "src/", "src/luasocket"
|
||||
},
|
||||
sources = {
|
||||
"src/options.c", "src/config.c", "src/ec.c",
|
||||
"src/x509.c", "src/context.c", "src/ssl.c",
|
||||
"src/luasocket/buffer.c", "src/luasocket/io.c",
|
||||
"src/luasocket/timeout.c", "src/luasocket/wsocket.c"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
Microsoft Visual Studio Solution File, Format Version 11.00
|
||||
# Visual C++ Express 2010
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "luasec", "luasec.vcxproj", "{A629932F-8819-4C0B-8835-CBF1FEED6376}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Win32 = Debug|Win32
|
||||
Release|Win32 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{A629932F-8819-4C0B-8835-CBF1FEED6376}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{A629932F-8819-4C0B-8835-CBF1FEED6376}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{A629932F-8819-4C0B-8835-CBF1FEED6376}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{A629932F-8819-4C0B-8835-CBF1FEED6376}.Release|Win32.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,131 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{A629932F-8819-4C0B-8835-CBF1FEED6376}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<PlatformToolset>v140</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<PlatformToolset>v140</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup>
|
||||
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
|
||||
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Debug\</OutDir>
|
||||
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Debug\</IntDir>
|
||||
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
|
||||
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Release\</OutDir>
|
||||
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Release\</IntDir>
|
||||
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
|
||||
<TargetName Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">ssl</TargetName>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<MinimalRebuild>true</MinimalRebuild>
|
||||
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<OutputFile>$(OutDir)ssl.dll</OutputFile>
|
||||
<AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<ProgramDatabaseFile>$(OutDir)luasec.pdb</ProgramDatabaseFile>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<DataExecutionPrevention>
|
||||
</DataExecutionPrevention>
|
||||
<ImportLibrary>$(OutDir)ssl.lib</ImportLibrary>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<AdditionalIncludeDirectories>C:\devel\openssl-1.1.0\include;C:\devel\lua-5.1\include;.\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;_WIN32;NDEBUG;_WINDOWS;_USRDLL;LUASOCKET_DEBUG;WITH_LUASOCKET;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||
<AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<DataExecutionPrevention>
|
||||
</DataExecutionPrevention>
|
||||
<ImportLibrary>$(OutDir)ssl.lib</ImportLibrary>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="src\config.c" />
|
||||
<ClCompile Include="src\context.c" />
|
||||
<ClCompile Include="src\ec.c" />
|
||||
<ClCompile Include="src\luasocket\buffer.c" />
|
||||
<ClCompile Include="src\luasocket\io.c" />
|
||||
<ClCompile Include="src\luasocket\timeout.c" />
|
||||
<ClCompile Include="src\luasocket\wsocket.c" />
|
||||
<ClCompile Include="src\options.c" />
|
||||
<ClCompile Include="src\ssl.c" />
|
||||
<ClCompile Include="src\x509.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="src\compat.h" />
|
||||
<ClInclude Include="src\config.h" />
|
||||
<ClInclude Include="src\context.h" />
|
||||
<ClInclude Include="src\ec.h" />
|
||||
<ClInclude Include="src\luasocket\buffer.h" />
|
||||
<ClInclude Include="src\luasocket\io.h" />
|
||||
<ClInclude Include="src\luasocket\socket.h" />
|
||||
<ClInclude Include="src\luasocket\timeout.h" />
|
||||
<ClInclude Include="src\luasocket\wsocket.h" />
|
||||
<ClInclude Include="src\options.h" />
|
||||
<ClInclude Include="src\ssl.h" />
|
||||
<ClInclude Include="src\x509.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,67 @@
|
|||
Directories:
|
||||
------------
|
||||
* alpn
|
||||
Test ALPN (Application-Layer Protocol Negotiation) support.
|
||||
|
||||
* certs
|
||||
Contains scripts to generate the certificates used by the examples.
|
||||
Generate Root CA 'A' and 'B' first, then the servers and clients.
|
||||
|
||||
* chain
|
||||
Example of certificate chain in handshake.
|
||||
|
||||
* curve-negotiation
|
||||
Elliptic curve negotiation.
|
||||
|
||||
* dhparam
|
||||
DH parameters for handshake.
|
||||
|
||||
* digest
|
||||
Certificate digest.
|
||||
|
||||
* ecdh
|
||||
Elliptic curve cipher.
|
||||
|
||||
* info
|
||||
Information about the connection.
|
||||
|
||||
* key
|
||||
Test encrypted private key.
|
||||
|
||||
* loop
|
||||
Test successive connections between the server and the client
|
||||
(to check memory leak).
|
||||
|
||||
* loop-gc
|
||||
Same of above, but the connection is not explicit closed, the gabage
|
||||
collector is encharge of that.
|
||||
|
||||
* luaossl
|
||||
Integration with luaossl.
|
||||
|
||||
* multicert
|
||||
Support to multiple certificate for dual RSA/ECDSA.
|
||||
|
||||
* oneshot
|
||||
A simple connection example.
|
||||
|
||||
* psk
|
||||
PSK(Pre Shared Key) support.
|
||||
|
||||
* sni
|
||||
Support to SNI (Server Name Indication).
|
||||
|
||||
* verification
|
||||
Retrieve the certificate verification errors from the handshake.
|
||||
|
||||
* verify
|
||||
Ignore handshake errors and proceed.
|
||||
|
||||
* want
|
||||
Test want() method.
|
||||
|
||||
* wantread
|
||||
Test timeout in handshake() and receive().
|
||||
|
||||
* wantwrite
|
||||
Test timeout in send().
|
|
@ -0,0 +1,27 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
--alpn = {"foo","bar","baz"}
|
||||
alpn = "foo"
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
|
||||
print("ALPN", peer:getalpn())
|
||||
|
||||
peer:close()
|
|
@ -0,0 +1,77 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
--
|
||||
-- Callback that selects one protocol from client's list.
|
||||
--
|
||||
local function alpncb01(protocols)
|
||||
print("--- ALPN protocols from client")
|
||||
for k, v in ipairs(protocols) do
|
||||
print(k, v)
|
||||
end
|
||||
print("--- Selecting:", protocols[1])
|
||||
return protocols[1]
|
||||
end
|
||||
|
||||
--
|
||||
-- Callback that returns a fixed list, ignoring the client's list.
|
||||
--
|
||||
local function alpncb02(protocols)
|
||||
print("--- ALPN protocols from client")
|
||||
for k, v in ipairs(protocols) do
|
||||
print(k, v)
|
||||
end
|
||||
print("--- Returning a fixed list")
|
||||
return {"bar", "foo"}
|
||||
end
|
||||
|
||||
--
|
||||
-- Callback that generates a list as it whishes.
|
||||
--
|
||||
local function alpncb03(protocols)
|
||||
local resp = {}
|
||||
print("--- ALPN protocols from client")
|
||||
for k, v in ipairs(protocols) do
|
||||
print(k, v)
|
||||
if k%2 ~= 0 then resp[#resp+1] = v end
|
||||
end
|
||||
print("--- Returning an odd list")
|
||||
return resp
|
||||
end
|
||||
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
--alpn = alpncb01,
|
||||
--alpn = alpncb02,
|
||||
--alpn = alpncb03,
|
||||
alpn = {"bar", "baz", "foo"},
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
|
||||
print("ALPN", peer:getalpn())
|
||||
|
||||
peer:close()
|
||||
server:close()
|
|
@ -0,0 +1,14 @@
|
|||
REM make sure the 'openssl.exe' commandline tool is in your path before starting!
|
||||
REM set the path below;
|
||||
set opensslpath=c:\program files (x86)\openssl-win32\bin
|
||||
|
||||
|
||||
|
||||
setlocal
|
||||
set path=%opensslpath%;%path%
|
||||
call roota.bat
|
||||
call rootb.bat
|
||||
call servera.bat
|
||||
call serverb.bat
|
||||
call clienta.bat
|
||||
call clientb.bat
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
./rootA.sh
|
||||
./rootB.sh
|
||||
./clientA.sh
|
||||
./clientB.sh
|
||||
./serverA.sh
|
||||
./serverB.sh
|
|
@ -0,0 +1,9 @@
|
|||
rem #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
|
||||
|
||||
copy clientAcert.pem + rootA.pem clientA.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in clientA.pem
|
|
@ -0,0 +1,316 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Some-State
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Sao Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_default = Client A
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
|
||||
-nodes -config ./clientA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
|
||||
-extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
|
||||
-out clientAcert.pem -days 365
|
||||
|
||||
cat clientAcert.pem rootA.pem > clientA.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in clientA.pem
|
|
@ -0,0 +1,9 @@
|
|||
rem #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
|
||||
|
||||
copy clientBcert.pem + rootB.pem clientB.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in clientB.pem
|
|
@ -0,0 +1,316 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Some-State
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Sao Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_default = Client B
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
|
||||
-nodes -config ./clientB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
|
||||
-extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
|
||||
-out clientBcert.pem -days 365
|
||||
|
||||
cat clientBcert.pem rootB.pem > clientB.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in clientB.pem
|
|
@ -0,0 +1,7 @@
|
|||
REM #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootA.pem
|
|
@ -0,0 +1,315 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Santo Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_max = 64
|
||||
commonName_default = Root A
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootA.pem
|
|
@ -0,0 +1,7 @@
|
|||
rem #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootB.pem
|
|
@ -0,0 +1,315 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Sao Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_default = Root B
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootB.pem
|
|
@ -0,0 +1,9 @@
|
|||
rem #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
|
||||
|
||||
copy serverAcert.pem + rootA.pem serverA.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in serverA.pem
|
|
@ -0,0 +1,316 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_ext # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Some-State
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Sao Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_default = Server A
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
subjectAltName=DNS:foo.bar.example
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
|
||||
-config ./serverA.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
|
||||
-extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
|
||||
-out serverAcert.pem -days 365
|
||||
|
||||
cat serverAcert.pem rootA.pem > serverA.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in serverA.pem
|
|
@ -0,0 +1,9 @@
|
|||
rem #!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
|
||||
|
||||
copy serverBcert.pem + rootB.pem serverB.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in serverB.pem
|
|
@ -0,0 +1,316 @@
|
|||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = ./demoCA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
#unique_subject = no # Set to 'no' to allow creation of
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
# Comment out the following two lines for the "traditional"
|
||||
# (and highly broken) format.
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crlnumber must also be commented out to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = sha1 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = BR
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = Some-State
|
||||
stateOrProvinceName_default = Espirito Santo
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = Santo Antonio do Canaa
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Sao Tonico Ltda
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = Department of Computer Science
|
||||
|
||||
commonName = Common Name (eg, YOUR name)
|
||||
commonName_default = Server B
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
subjectAltName=DNS:fnord.bar.example
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ proxy_cert_ext ]
|
||||
# These extensions should be added when creating a proxy certificate
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
# This really needs to be in place for it to be a proxy certificate.
|
||||
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
|
||||
-config ./serverB.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
|
||||
-extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
|
||||
-out serverBcert.pem -days 365
|
||||
|
||||
cat serverBcert.pem rootB.pem > serverB.pem
|
||||
|
||||
openssl x509 -subject -issuer -noout -in serverB.pem
|
|
@ -0,0 +1,36 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
local util = require("util")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local conn = socket.tcp()
|
||||
conn:connect("127.0.0.1", 8888)
|
||||
|
||||
conn = assert( ssl.wrap(conn, params) )
|
||||
assert(conn:dohandshake())
|
||||
|
||||
util.show( conn:getpeercertificate() )
|
||||
|
||||
print("----------------------------------------------------------------------")
|
||||
|
||||
for k, cert in ipairs( conn:getpeerchain() ) do
|
||||
util.show(cert)
|
||||
end
|
||||
|
||||
local cert = conn:getpeercertificate()
|
||||
print( cert )
|
||||
print( cert:pem() )
|
||||
|
||||
conn:close()
|
|
@ -0,0 +1,72 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
local util = require("util")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local conn = server:accept()
|
||||
|
||||
conn = assert( ssl.wrap(conn, ctx) )
|
||||
assert( conn:dohandshake() )
|
||||
|
||||
util.show( conn:getpeercertificate() )
|
||||
|
||||
print("----------------------------------------------------------------------")
|
||||
|
||||
local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
|
||||
|
||||
local peerchain = conn:getpeerchain()
|
||||
assert(#peerchain == #expectedpeerchain)
|
||||
for k, cert in ipairs( peerchain ) do
|
||||
util.show(cert)
|
||||
local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
|
||||
assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
|
||||
end
|
||||
|
||||
local expectedlocalchain = { "../certs/serverAcert.pem" }
|
||||
|
||||
local localchain = assert(conn:getlocalchain())
|
||||
assert(#localchain == #expectedlocalchain)
|
||||
for k, cert in ipairs( localchain ) do
|
||||
util.show(cert)
|
||||
local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
|
||||
assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
|
||||
if k == 1 then
|
||||
assert(cert:pem() == conn:getlocalcertificate():pem())
|
||||
end
|
||||
end
|
||||
|
||||
local f = io.open(params.certificate)
|
||||
local str = f:read("*a")
|
||||
f:close()
|
||||
|
||||
util.show( ssl.loadcertificate(str) )
|
||||
|
||||
print("----------------------------------------------------------------------")
|
||||
local cert = conn:getpeercertificate()
|
||||
print( cert )
|
||||
print( cert:digest() )
|
||||
print( cert:digest("sha1") )
|
||||
print( cert:digest("sha256") )
|
||||
print( cert:digest("sha512") )
|
||||
|
||||
conn:close()
|
||||
server:close()
|
|
@ -0,0 +1,22 @@
|
|||
local print = print
|
||||
local ipairs = ipairs
|
||||
|
||||
local _ENV = {}
|
||||
|
||||
function _ENV.show(cert)
|
||||
print("Serial:", cert:serial())
|
||||
print("NotBefore:", cert:notbefore())
|
||||
print("NotAfter:", cert:notafter())
|
||||
print("--- Issuer ---")
|
||||
for k, v in ipairs(cert:issuer()) do
|
||||
print(v.name .. " = " .. v.value)
|
||||
end
|
||||
|
||||
print("--- Subject ---")
|
||||
for k, v in ipairs(cert:subject()) do
|
||||
print(v.name .. " = " .. v.value)
|
||||
end
|
||||
print("----------------------------------------------------------------------")
|
||||
end
|
||||
|
||||
return _ENV
|
|
@ -0,0 +1,28 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "any",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = {"all"},
|
||||
--
|
||||
curve = "P-256:P-384",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,37 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = {"all"},
|
||||
--
|
||||
curve = "P-384:P-256:P-521",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("oneshot with curve negotiation test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,40 @@
|
|||
|
||||
local socket = require "socket";
|
||||
local ssl = require "ssl";
|
||||
|
||||
local dns = require "lunbound".new();
|
||||
|
||||
|
||||
local cfg = {
|
||||
protocol = "tlsv1_2",
|
||||
mode = "client",
|
||||
ciphers = "DEFAULT",
|
||||
capath = "/etc/ssl/certs",
|
||||
verify = "peer",
|
||||
dane = true,
|
||||
};
|
||||
|
||||
local function daneconnect(host, port)
|
||||
port = port or "443";
|
||||
local conn = ssl.wrap(socket.connect(host, port), cfg);
|
||||
|
||||
local tlsa = dns:resolve("_" .. port .. "._tcp." .. host, 52);
|
||||
assert(tlsa.secure, "Insecure DNS");
|
||||
|
||||
assert(conn:setdane(host));
|
||||
for i = 1, tlsa.n do
|
||||
local usage, selector, mtype = tlsa[i] :byte(1, 3);
|
||||
assert(conn:settlsa(usage, selector, mtype, tlsa[i] :sub(4, - 1)));
|
||||
end
|
||||
|
||||
assert(conn:dohandshake());
|
||||
return conn;
|
||||
end
|
||||
|
||||
if not ... then
|
||||
print("Usage: client.lua example.com [port]");
|
||||
return os.exit(1);
|
||||
end
|
||||
local conn = daneconnect(...);
|
||||
|
||||
print(conn:getpeerverification());
|
|
@ -0,0 +1,27 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "any",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
ciphers = "EDH+AESGCM"
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,4 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
openssl dhparam -2 -out dh-512.pem -outform PEM 512
|
||||
openssl dhparam -2 -out dh-1024.pem -outform PEM 1024
|
|
@ -0,0 +1,62 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local function readfile(filename)
|
||||
local fd = assert(io.open(filename))
|
||||
local dh = fd:read("*a")
|
||||
fd:close()
|
||||
return dh
|
||||
end
|
||||
|
||||
local function dhparam_cb(export, keylength)
|
||||
print("---")
|
||||
print("DH Callback")
|
||||
print("Export", export)
|
||||
print("Key length", keylength)
|
||||
print("---")
|
||||
local filename
|
||||
if keylength == 512 then
|
||||
filename = "dh-512.pem"
|
||||
elseif keylength == 1024 then
|
||||
filename = "dh-1024.pem"
|
||||
else
|
||||
-- No key
|
||||
return nil
|
||||
end
|
||||
return readfile(filename)
|
||||
end
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
dhparam = dhparam_cb,
|
||||
ciphers = "EDH+AESGCM"
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,26 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,44 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
local cert = peer:getpeercertificate()
|
||||
local sha1 = cert:digest("sha1")
|
||||
local sha256 = cert:digest("sha256")
|
||||
local sha512 = cert:digest("sha512")
|
||||
|
||||
print("SHA1", sha1)
|
||||
print("SHA256", sha256)
|
||||
print("SHA512", sha512)
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,33 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
--
|
||||
curve = "secp384r1",
|
||||
}
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
|
||||
print("--- INFO ---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
print("---")
|
||||
|
||||
peer:close()
|
|
@ -0,0 +1,40 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
--
|
||||
curve = "secp384r1",
|
||||
}
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
|
||||
print("--- INFO ---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
print("---")
|
||||
|
||||
peer:close()
|
||||
server:close()
|
|
@ -0,0 +1,26 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,48 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
|
||||
-- Before handshake: nil
|
||||
print( peer:info() )
|
||||
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
print("---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
|
||||
print("---")
|
||||
print("-> Compression", peer:info("compression"))
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,3 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
openssl genrsa -des3 -out key.pem -passout pass:foobar 2048
|
|
@ -0,0 +1,29 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local ssl = require("ssl")
|
||||
|
||||
local pass = "foobar"
|
||||
local cfg = {
|
||||
protocol = "tlsv1",
|
||||
mode = "client",
|
||||
key = "key.pem",
|
||||
}
|
||||
|
||||
-- Shell
|
||||
print(string.format("*** Hint: password is '%s' ***", pass))
|
||||
ctx, err = ssl.newcontext(cfg)
|
||||
assert(ctx, err)
|
||||
print("Shell: ok")
|
||||
|
||||
-- Text password
|
||||
cfg.password = pass
|
||||
ctx, err = ssl.newcontext(cfg)
|
||||
assert(ctx, err)
|
||||
print("Text: ok")
|
||||
|
||||
-- Callback
|
||||
cfg.password = function() return pass end
|
||||
ctx, err = ssl.newcontext(cfg)
|
||||
assert(ctx, err)
|
||||
print("Callback: ok")
|
|
@ -0,0 +1,27 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
while true do
|
||||
local peer = socket.tcp()
|
||||
assert( peer:connect("127.0.0.1", 8888) )
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
end
|
|
@ -0,0 +1,35 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert( ssl.newcontext(params) )
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
while true do
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("loop test\n")
|
||||
end
|
|
@ -0,0 +1,30 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
while true do
|
||||
local peer = socket.tcp()
|
||||
assert( peer:connect("127.0.0.1", 8888) )
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:getpeercertificate():extensions()
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
||||
end
|
|
@ -0,0 +1,36 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert( ssl.newcontext(params) )
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
while true do
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("loop test\n")
|
||||
peer:close()
|
||||
end
|
|
@ -0,0 +1,40 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local pkey = require "openssl.pkey"
|
||||
local ssl_context = require "openssl.ssl.context"
|
||||
local x509 = require "openssl.x509"
|
||||
local x509_store = require "openssl.x509.store"
|
||||
|
||||
local function read_file(path)
|
||||
local file, err, errno = io.open(path, "rb")
|
||||
if not file then
|
||||
return nil, err, errno
|
||||
end
|
||||
local contents
|
||||
contents, err, errno = file:read "*a"
|
||||
file:close()
|
||||
return contents, err, errno
|
||||
end
|
||||
|
||||
local ctx = ssl_context.new("TLSv1_2", false)
|
||||
ctx:setPrivateKey(pkey.new(assert(read_file("../certs/clientAkey.pem"))))
|
||||
ctx:setCertificate(x509.new(assert(read_file("../certs/clientA.pem"))))
|
||||
local store = x509_store.new()
|
||||
store:add("../certs/rootA.pem")
|
||||
ctx:setStore(store)
|
||||
ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,58 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local pkey = require "openssl.pkey"
|
||||
local ssl_context = require "openssl.ssl.context"
|
||||
local x509 = require "openssl.x509"
|
||||
local x509_store = require "openssl.x509.store"
|
||||
|
||||
local function read_file(path)
|
||||
local file, err, errno = io.open(path, "rb")
|
||||
if not file then
|
||||
return nil, err, errno
|
||||
end
|
||||
local contents
|
||||
contents, err, errno = file:read "*a"
|
||||
file:close()
|
||||
return contents, err, errno
|
||||
end
|
||||
|
||||
local ctx = ssl_context.new("TLSv1_2", true)
|
||||
ctx:setPrivateKey(pkey.new(assert(read_file("../certs/serverAkey.pem"))))
|
||||
ctx:setCertificate(x509.new(assert(read_file("../certs/serverA.pem"))))
|
||||
local store = x509_store.new()
|
||||
store:add("../certs/rootA.pem")
|
||||
ctx:setStore(store)
|
||||
ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
|
||||
-- Before handshake: nil
|
||||
print( peer:info() )
|
||||
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
print("---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
|
||||
print("---")
|
||||
print("-> Compression", peer:info("compression"))
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,29 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "certs/clientECDSAkey.pem",
|
||||
certificate = "certs/clientECDSA.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
ciphers = "ALL:!aRSA"
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
local i = peer:info()
|
||||
for k, v in pairs(i) do print(k, v) end
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,29 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "certs/clientRSAkey.pem",
|
||||
certificate = "certs/clientRSA.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
ciphers = "ALL:!ECDSA"
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
local i = peer:info()
|
||||
for k, v in pairs(i) do print(k, v) end
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,13 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
mkdir -p certs
|
||||
|
||||
openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
|
||||
openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
|
||||
|
||||
openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
|
||||
openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
|
||||
|
||||
openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
|
||||
|
||||
openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch
|
|
@ -0,0 +1,38 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
certificates = {
|
||||
-- Comment line below and 'client-rsa' stop working
|
||||
{ certificate = "certs/serverRSA.pem", key = "certs/serverRSAkey.pem" },
|
||||
-- Comment line below and 'client-ecdsa' stop working
|
||||
{ certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
|
||||
},
|
||||
verify = "none",
|
||||
options = "all"
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,26 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,35 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,41 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
if not ssl.config.capabilities.psk then
|
||||
print("[ERRO] PSK not available")
|
||||
os.exit(1)
|
||||
end
|
||||
|
||||
-- @param hint (nil | string)
|
||||
-- @param max_identity_len (number)
|
||||
-- @param max_psk_len (number)
|
||||
-- @return identity (string)
|
||||
-- @return PSK (string)
|
||||
local function pskcb(hint, max_identity_len, max_psk_len)
|
||||
print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
|
||||
return "abcd", "1234"
|
||||
end
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
psk = pskcb,
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
|
||||
print("--- INFO ---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
print("---")
|
||||
|
||||
peer:close()
|
|
@ -0,0 +1,60 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
if not ssl.config.capabilities.psk then
|
||||
print("[ERRO] PSK not available")
|
||||
os.exit(1)
|
||||
end
|
||||
|
||||
-- @param identity (string)
|
||||
-- @param max_psk_len (number)
|
||||
-- @return psk (string)
|
||||
local function pskcb(identity, max_psk_len)
|
||||
print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
|
||||
if identity == "abcd" then
|
||||
return "1234"
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
options = "all",
|
||||
|
||||
-- PSK with just a callback
|
||||
psk = pskcb,
|
||||
|
||||
-- PSK with identity hint
|
||||
-- psk = {
|
||||
-- hint = "hintpsksample",
|
||||
-- callback = pskcb,
|
||||
-- },
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
|
||||
print("--- INFO ---")
|
||||
local info = peer:info()
|
||||
for k, v in pairs(info) do
|
||||
print(k, v)
|
||||
end
|
||||
print("---")
|
||||
|
||||
peer:close()
|
||||
server:close()
|
|
@ -0,0 +1,35 @@
|
|||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = "peer",
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local conn = socket.tcp()
|
||||
conn:connect("127.0.0.1", 8888)
|
||||
|
||||
-- TLS/SSL initialization
|
||||
conn = ssl.wrap(conn, params)
|
||||
|
||||
-- Comment the lines to not send a name
|
||||
--conn:sni("servera.br")
|
||||
--conn:sni("serveraa.br")
|
||||
conn:sni("serverb.br")
|
||||
|
||||
assert(conn:dohandshake())
|
||||
--
|
||||
local cert = conn:getpeercertificate()
|
||||
for k, v in pairs(cert:subject()) do
|
||||
for i, j in pairs(v) do
|
||||
print(i, j)
|
||||
end
|
||||
end
|
||||
--
|
||||
print(conn:receive("*l"))
|
||||
conn:close()
|
|
@ -0,0 +1,52 @@
|
|||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params01 = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
ciphers = "ALL:!ADH:@STRENGTH",
|
||||
}
|
||||
|
||||
local params02 = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAAkey.pem",
|
||||
certificate = "../certs/serverAA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
ciphers = "ALL:!ADH:@STRENGTH",
|
||||
}
|
||||
|
||||
--
|
||||
local ctx01 = ssl.newcontext(params01)
|
||||
local ctx02 = ssl.newcontext(params02)
|
||||
|
||||
--
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
server:bind("127.0.0.1", 8888)
|
||||
server:listen()
|
||||
local conn = server:accept()
|
||||
--
|
||||
|
||||
-- Default context (when client does not send a name) is ctx01
|
||||
conn = ssl.wrap(conn, ctx01)
|
||||
|
||||
-- Configure the name map
|
||||
local sni_map = {
|
||||
["servera.br"] = ctx01,
|
||||
["serveraa.br"] = ctx02,
|
||||
}
|
||||
|
||||
conn:sni(sni_map, true)
|
||||
|
||||
assert(conn:dohandshake())
|
||||
--
|
||||
conn:send("one line\n")
|
||||
conn:close()
|
|
@ -0,0 +1,29 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/clientBkey.pem",
|
||||
certificate = "../../certs/clientB.pem",
|
||||
cafile = "../../certs/rootB.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
local err, msg = peer:getpeerverification()
|
||||
print(err, msg)
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,37 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/serverAkey.pem",
|
||||
certificate = "../../certs/serverA.pem",
|
||||
cafile = "../../certs/rootA.pem",
|
||||
verify = "none",
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
local err, msg = peer:getpeerverification()
|
||||
print(err, msg)
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,39 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/clientBkey.pem",
|
||||
certificate = "../../certs/clientB.pem",
|
||||
cafile = "../../certs/rootB.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
verifyext = "lsec_continue",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
local succ, errs = peer:getpeerverification()
|
||||
print(succ, errs)
|
||||
for i, err in pairs(errs) do
|
||||
for j, msg in ipairs(err) do
|
||||
print("depth = " .. i, "error = " .. msg)
|
||||
end
|
||||
end
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,43 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/serverAkey.pem",
|
||||
certificate = "../../certs/serverA.pem",
|
||||
cafile = "../../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
verifyext = {"lsec_continue", "crl_check", "crl_check_chain"},
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
local succ, errs = peer:getpeerverification()
|
||||
print(succ, errs)
|
||||
for i, err in pairs(errs) do
|
||||
for j, msg in ipairs(err) do
|
||||
print("depth = " .. i, "error = " .. msg)
|
||||
end
|
||||
end
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,29 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/clientAkey.pem",
|
||||
certificate = "../../certs/clientA.pem",
|
||||
cafile = "../../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert(peer:dohandshake())
|
||||
--]]
|
||||
|
||||
local err, msg = peer:getpeerverification()
|
||||
print(err, msg)
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,38 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "tlsv1",
|
||||
key = "../../certs/serverAkey.pem",
|
||||
certificate = "../../certs/serverA.pem",
|
||||
cafile = "../../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
local err, msg = peer:getpeerverification()
|
||||
print(err, msg)
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,35 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/serverBkey.pem",
|
||||
certificate = "../certs/serverB.pem",
|
||||
cafile = "../certs/rootB.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
verifyext = {"lsec_continue", "lsec_ignore_purpose"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
|
||||
local peer = socket.tcp()
|
||||
peer:connect("127.0.0.1", 8888)
|
||||
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert(peer:dohandshake())
|
||||
|
||||
local succ, errs = peer:getpeerverification()
|
||||
print(succ, errs)
|
||||
for i, err in pairs(errs) do
|
||||
for j, msg in ipairs(err) do
|
||||
print("depth = " .. i, "error = " .. msg)
|
||||
end
|
||||
end
|
||||
|
||||
print(peer:receive("*l"))
|
||||
peer:close()
|
|
@ -0,0 +1,40 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
verifyext = {"lsec_continue", "lsec_ignore_purpose"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
|
||||
local succ, errs = peer:getpeerverification()
|
||||
print(succ, errs)
|
||||
for i, err in pairs(errs) do
|
||||
for j, msg in ipairs(err) do
|
||||
print("depth = " .. i, "error = " .. msg)
|
||||
end
|
||||
end
|
||||
|
||||
peer:send("oneshot test\n")
|
||||
peer:close()
|
|
@ -0,0 +1,66 @@
|
|||
--
|
||||
-- Test the conn:want() function
|
||||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- Wait until socket is ready (for reading or writing)
|
||||
local function wait(peer)
|
||||
-- What event blocked us?
|
||||
local err
|
||||
if peer.want then -- Is it an SSL connection?
|
||||
err = peer:want()
|
||||
print("Want? ", err)
|
||||
else
|
||||
-- No, it's a normal TCP connection...
|
||||
err = "timeout"
|
||||
end
|
||||
|
||||
if err == "read" or err == "timeout" then
|
||||
socket.select({peer}, nil)
|
||||
elseif err == "write" then
|
||||
socket.select(nil, {peer})
|
||||
else
|
||||
peer:close()
|
||||
os.exit(1)
|
||||
end
|
||||
end
|
||||
|
||||
-- Start the TCP connection
|
||||
local peer = socket.tcp()
|
||||
assert( peer:connect("127.0.0.1", 8888) )
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
peer:settimeout(0.3)
|
||||
local succ = peer:dohandshake()
|
||||
while not succ do
|
||||
wait(peer)
|
||||
succ = peer:dohandshake()
|
||||
end
|
||||
print("** Handshake done")
|
||||
--]]
|
||||
|
||||
-- If the section above is commented, the timeout is not set.
|
||||
-- We set it again for safetiness.
|
||||
peer:settimeout(0.3)
|
||||
|
||||
-- Try to receive a line
|
||||
local str = peer:receive("*l")
|
||||
while not str do
|
||||
wait(peer)
|
||||
str = peer:receive("*l")
|
||||
end
|
||||
peer:close()
|
|
@ -0,0 +1,43 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
socket.sleep(2) -- force the timeout in the client dohandshake()
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
for i = 1, 10 do
|
||||
local v = tostring(i)
|
||||
io.write(v)
|
||||
io.flush()
|
||||
peer:send(v)
|
||||
socket.sleep(1) -- force the timeout in the client receive()
|
||||
end
|
||||
io.write("\n")
|
||||
peer:send("\n")
|
||||
peer:close()
|
|
@ -0,0 +1,55 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
local function wait(peer, err)
|
||||
if err == "timeout" or err == "wantread" then
|
||||
socket.select({peer}, nil)
|
||||
elseif err == "wantwrite" then
|
||||
socket.select(nil, {peer})
|
||||
else
|
||||
peer:close()
|
||||
os.exit(1)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
local peer = socket.tcp()
|
||||
assert( peer:connect("127.0.0.1", 8888) )
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
peer:settimeout(0.3)
|
||||
local succ, err = peer:dohandshake()
|
||||
while not succ do
|
||||
print("handshake", err)
|
||||
wait(peer, err)
|
||||
succ, err = peer:dohandshake()
|
||||
end
|
||||
print("** Handshake done")
|
||||
--]]
|
||||
|
||||
-- If the section above is commented, the timeout is not set.
|
||||
-- We set it again for safetiness.
|
||||
peer:settimeout(0.3)
|
||||
|
||||
local str, err, part = peer:receive("*l")
|
||||
while not str do
|
||||
print(part, err)
|
||||
wait(peer, err)
|
||||
str, err, part = peer:receive("*l")
|
||||
end
|
||||
peer:close()
|
|
@ -0,0 +1,45 @@
|
|||
--
|
||||
-- Test the conn:want() function.
|
||||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
socket.sleep(2) -- force the timeout in the client dohandshake()
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
for i = 1, 10 do
|
||||
local v = tostring(i)
|
||||
io.write(v)
|
||||
io.flush()
|
||||
peer:send(v)
|
||||
socket.sleep(1) -- force the timeout in the client receive()
|
||||
end
|
||||
io.write("\n")
|
||||
peer:send("\n")
|
||||
peer:close()
|
|
@ -0,0 +1,49 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
local params = {
|
||||
mode = "client",
|
||||
protocol = "tlsv1_2",
|
||||
key = "../certs/clientAkey.pem",
|
||||
certificate = "../certs/clientA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
local function wait(peer, err)
|
||||
if err == "wantread" then
|
||||
socket.select({peer}, nil)
|
||||
elseif err == "timeout" or err == "wantwrite" then
|
||||
socket.select(nil, {peer})
|
||||
else
|
||||
peer:close()
|
||||
os.exit(1)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
local peer = socket.tcp()
|
||||
assert( peer:connect("127.0.0.1", 8888) )
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, params) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
peer:settimeout(0.3)
|
||||
|
||||
local str = "a rose is a rose is a rose is a...\n"
|
||||
while true do
|
||||
print("Sending...")
|
||||
local succ, err = peer:send(str)
|
||||
while succ do
|
||||
succ, err = peer:send(str)
|
||||
end
|
||||
print("Waiting...", err)
|
||||
wait(peer, err)
|
||||
end
|
||||
peer:close()
|
|
@ -0,0 +1,40 @@
|
|||
--
|
||||
-- Public domain
|
||||
--
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
|
||||
print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
|
||||
|
||||
local params = {
|
||||
mode = "server",
|
||||
protocol = "any",
|
||||
key = "../certs/serverAkey.pem",
|
||||
certificate = "../certs/serverA.pem",
|
||||
cafile = "../certs/rootA.pem",
|
||||
verify = {"peer", "fail_if_no_peer_cert"},
|
||||
options = "all",
|
||||
}
|
||||
|
||||
|
||||
-- [[ SSL context
|
||||
local ctx = assert(ssl.newcontext(params))
|
||||
--]]
|
||||
|
||||
local server = socket.tcp()
|
||||
server:setoption('reuseaddr', true)
|
||||
assert( server:bind("127.0.0.1", 8888) )
|
||||
server:listen()
|
||||
|
||||
local peer = server:accept()
|
||||
|
||||
-- [[ SSL wrapper
|
||||
peer = assert( ssl.wrap(peer, ctx) )
|
||||
assert( peer:dohandshake() )
|
||||
--]]
|
||||
|
||||
while true do
|
||||
local str = peer:receive("*l")
|
||||
print(str)
|
||||
end
|
||||
peer:close()
|
|
@ -0,0 +1,66 @@
|
|||
CMOD=ssl.so
|
||||
LMOD=ssl.lua
|
||||
|
||||
OBJS= \
|
||||
options.o \
|
||||
x509.o \
|
||||
context.o \
|
||||
ssl.o \
|
||||
config.o \
|
||||
ec.o
|
||||
|
||||
LIBS=-lssl -lcrypto -lluasocket
|
||||
|
||||
WARN=-Wall -pedantic
|
||||
|
||||
BSD_CFLAGS=-O2 -fPIC $(WARN) $(INCDIR) $(DEFS)
|
||||
BSD_LDFLAGS=-O -fPIC -shared $(LIBDIR)
|
||||
|
||||
LNX_CFLAGS=-O2 -fPIC $(WARN) $(INCDIR) $(DEFS)
|
||||
LNX_LDFLAGS=-O -fPIC -shared $(LIBDIR)
|
||||
|
||||
MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
|
||||
MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
|
||||
MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
|
||||
|
||||
INSTALL = install
|
||||
CC ?= cc
|
||||
CCLD ?= $(MYENV) $(CC)
|
||||
CFLAGS += $(MYCFLAGS)
|
||||
LDFLAGS += $(MYLDFLAGS)
|
||||
|
||||
.PHONY: all clean install none linux bsd macosx luasocket
|
||||
|
||||
all:
|
||||
|
||||
install: $(CMOD) $(LMOD)
|
||||
$(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
|
||||
$(INSTALL) $(CMOD) $(DESTDIR)$(LUACPATH)
|
||||
$(INSTALL) -m644 $(LMOD) $(DESTDIR)$(LUAPATH)
|
||||
$(INSTALL) -m644 https.lua $(DESTDIR)$(LUAPATH)/ssl
|
||||
|
||||
linux:
|
||||
@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"
|
||||
|
||||
bsd:
|
||||
@$(MAKE) $(CMOD) MYCFLAGS="$(BSD_CFLAGS)" MYLDFLAGS="$(BSD_LDFLAGS)" EXTRA="$(EXTRA)"
|
||||
|
||||
macosx:
|
||||
@$(MAKE) $(CMOD) MYCFLAGS="$(MAC_CFLAGS)" MYLDFLAGS="$(MAC_LDFLAGS)" MYENV="$(MAC_ENV)" EXTRA="$(EXTRA)"
|
||||
|
||||
luasocket:
|
||||
@cd luasocket && $(MAKE)
|
||||
|
||||
$(CMOD): $(EXTRA) $(OBJS)
|
||||
$(CCLD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
|
||||
|
||||
clean:
|
||||
cd luasocket && $(MAKE) clean
|
||||
rm -f $(OBJS) $(CMOD)
|
||||
|
||||
options.o: options.h options.c
|
||||
ec.o: ec.c ec.h
|
||||
x509.o: x509.c x509.h compat.h
|
||||
context.o: context.c context.h ec.h compat.h options.h
|
||||
ssl.o: ssl.c ssl.h context.h x509.h compat.h
|
||||
config.o: config.c ec.h options.h compat.h
|
|
@ -0,0 +1,63 @@
|
|||
/*--------------------------------------------------------------------------
|
||||
* LuaSec 1.3.1
|
||||
*
|
||||
* Copyright (C) 2006-2023 Bruno Silvestre
|
||||
*
|
||||
*--------------------------------------------------------------------------*/
|
||||
|
||||
#ifndef LSEC_COMPAT_H
|
||||
#define LSEC_COMPAT_H
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if defined(_WIN32)
|
||||
#define LSEC_API __declspec(dllexport)
|
||||
#else
|
||||
#define LSEC_API extern
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if (LUA_VERSION_NUM == 501)
|
||||
|
||||
#define luaL_testudata(L, ud, tname) lsec_testudata(L, ud, tname)
|
||||
#define setfuncs(L, R) luaL_register(L, NULL, R)
|
||||
#define lua_rawlen(L, i) lua_objlen(L, i)
|
||||
|
||||
#ifndef luaL_newlib
|
||||
#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
|
||||
#endif
|
||||
|
||||
#else
|
||||
#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
|
||||
#define LSEC_ENABLE_DANE
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if !((defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
|
||||
#define LSEC_API_OPENSSL_1_1_0
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L)
|
||||
#define LSEC_OPENSSL_1_1_1
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
|
||||
#define LSEC_ENABLE_PSK
|
||||
#endif
|
||||
|
||||
//------------------------------------------------------------------------------
|
||||
|
||||
#endif
|
|
@ -0,0 +1,108 @@
|
|||
/*--------------------------------------------------------------------------
|
||||
* LuaSec 1.3.1
|
||||
*
|
||||
* Copyright (C) 2006-2023 Bruno Silvestre
|
||||
*
|
||||
*--------------------------------------------------------------------------*/
|
||||
|
||||
#include "compat.h"
|
||||
#include "options.h"
|
||||
#include "ec.h"
|
||||
|
||||
/**
|
||||
* Registre the module.
|
||||
*/
|
||||
LSEC_API int luaopen_ssl_config(lua_State *L)
|
||||
{
|
||||
lsec_ssl_option_t *opt;
|
||||
|
||||
lua_newtable(L);
|
||||
|
||||
// Options
|
||||
lua_pushstring(L, "options");
|
||||
lua_newtable(L);
|
||||
for (opt = lsec_get_ssl_options(); opt->name; opt++) {
|
||||
lua_pushstring(L, opt->name);
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
}
|
||||
lua_rawset(L, -3);
|
||||
|
||||
// Protocols
|
||||
lua_pushstring(L, "protocols");
|
||||
lua_newtable(L);
|
||||
|
||||
lua_pushstring(L, "tlsv1");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
lua_pushstring(L, "tlsv1_1");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
lua_pushstring(L, "tlsv1_2");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#ifdef TLS1_3_VERSION
|
||||
lua_pushstring(L, "tlsv1_3");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
|
||||
lua_rawset(L, -3);
|
||||
|
||||
// Algorithms
|
||||
lua_pushstring(L, "algorithms");
|
||||
lua_newtable(L);
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
lua_pushstring(L, "ec");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
lua_rawset(L, -3);
|
||||
|
||||
// Curves
|
||||
lua_pushstring(L, "curves");
|
||||
lsec_get_curves(L);
|
||||
lua_rawset(L, -3);
|
||||
|
||||
// Capabilities
|
||||
lua_pushstring(L, "capabilities");
|
||||
lua_newtable(L);
|
||||
|
||||
// ALPN
|
||||
lua_pushstring(L, "alpn");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
|
||||
#ifdef LSEC_ENABLE_PSK
|
||||
lua_pushstring(L, "psk");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
|
||||
#ifdef LSEC_ENABLE_DANE
|
||||
// DANE
|
||||
lua_pushstring(L, "dane");
|
||||
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
|
||||
lua_createtable(L, 0, 1);
|
||||
lua_pushstring(L, "no_ee_namechecks");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#else
|
||||
lua_pushboolean(L, 1);
|
||||
#endif
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
lua_pushstring(L, "curves_list");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
lua_pushstring(L, "ecdh_auto");
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
lua_rawset(L, -3);
|
||||
|
||||
return 1;
|
||||
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,47 @@
|
|||
#ifndef LSEC_CONTEXT_H
|
||||
#define LSEC_CONTEXT_H
|
||||
|
||||
/*--------------------------------------------------------------------------
|
||||
* LuaSec 1.3.1
|
||||
*
|
||||
* Copyright (C) 2006-2023 Bruno Silvestre
|
||||
*
|
||||
*--------------------------------------------------------------------------*/
|
||||
|
||||
#include <lua.h>
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
#include "compat.h"
|
||||
|
||||
#define LSEC_MODE_INVALID 0
|
||||
#define LSEC_MODE_SERVER 1
|
||||
#define LSEC_MODE_CLIENT 2
|
||||
|
||||
#define LSEC_VERIFY_CONTINUE 1
|
||||
#define LSEC_VERIFY_IGNORE_PURPOSE 2
|
||||
|
||||
typedef struct t_context_ {
|
||||
SSL_CTX *context;
|
||||
lua_State *L;
|
||||
DH *dh_param;
|
||||
void *alpn;
|
||||
int mode;
|
||||
} t_context;
|
||||
typedef t_context* p_context;
|
||||
|
||||
/* Retrieve the SSL context from the Lua stack */
|
||||
SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
|
||||
SSL_CTX *lsec_testcontext(lua_State *L, int idx);
|
||||
|
||||
/* Retrieve the mode from the context in the Lua stack */
|
||||
int lsec_getmode(lua_State *L, int idx);
|
||||
|
||||
/* Registre the module. */
|
||||
LSEC_API int luaopen_ssl_context(lua_State *L);
|
||||
|
||||
/* Compat - Lua 5.1 */
|
||||
#if (LUA_VERSION_NUM == 501)
|
||||
void *lsec_testudata (lua_State *L, int ud, const char *tname);
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -0,0 +1,116 @@
|
|||
/*--------------------------------------------------------------------------
|
||||
* LuaSec 1.3.1
|
||||
*
|
||||
* Copyright (C) 2006-2023 Bruno Silvestre
|
||||
*
|
||||
*--------------------------------------------------------------------------*/
|
||||
|
||||
#include <openssl/objects.h>
|
||||
|
||||
#include "ec.h"
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
|
||||
EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
|
||||
{
|
||||
int nid;
|
||||
lua_pushstring(L, "SSL:EC:CURVES");
|
||||
lua_rawget(L, LUA_REGISTRYINDEX);
|
||||
lua_pushstring(L, str);
|
||||
lua_rawget(L, -2);
|
||||
|
||||
if (!lua_isnumber(L, -1))
|
||||
return NULL;
|
||||
|
||||
nid = (int)lua_tonumber(L, -1);
|
||||
return EC_KEY_new_by_curve_name(nid);
|
||||
}
|
||||
|
||||
void lsec_load_curves(lua_State *L)
|
||||
{
|
||||
size_t i;
|
||||
size_t size;
|
||||
const char *name;
|
||||
EC_builtin_curve *curves = NULL;
|
||||
|
||||
lua_pushstring(L, "SSL:EC:CURVES");
|
||||
lua_newtable(L);
|
||||
|
||||
size = EC_get_builtin_curves(NULL, 0);
|
||||
if (size > 0) {
|
||||
curves = (EC_builtin_curve*)malloc(sizeof(EC_builtin_curve) * size);
|
||||
EC_get_builtin_curves(curves, size);
|
||||
for (i = 0; i < size; i++) {
|
||||
name = OBJ_nid2sn(curves[i].nid);
|
||||
if (name != NULL) {
|
||||
lua_pushstring(L, name);
|
||||
lua_pushnumber(L, curves[i].nid);
|
||||
lua_rawset(L, -3);
|
||||
}
|
||||
switch (curves[i].nid) {
|
||||
case NID_X9_62_prime256v1:
|
||||
lua_pushstring(L, "P-256");
|
||||
lua_pushnumber(L, curves[i].nid);
|
||||
lua_rawset(L, -3);
|
||||
break;
|
||||
case NID_secp384r1:
|
||||
lua_pushstring(L, "P-384");
|
||||
lua_pushnumber(L, curves[i].nid);
|
||||
lua_rawset(L, -3);
|
||||
break;
|
||||
case NID_secp521r1:
|
||||
lua_pushstring(L, "P-521");
|
||||
lua_pushnumber(L, curves[i].nid);
|
||||
lua_rawset(L, -3);
|
||||
break;
|
||||
}
|
||||
}
|
||||
free(curves);
|
||||
}
|
||||
|
||||
/* These are special so are manually added here */
|
||||
#ifdef NID_X25519
|
||||
lua_pushstring(L, "X25519");
|
||||
lua_pushnumber(L, NID_X25519);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
|
||||
#ifdef NID_X448
|
||||
lua_pushstring(L, "X448");
|
||||
lua_pushnumber(L, NID_X448);
|
||||
lua_rawset(L, -3);
|
||||
#endif
|
||||
|
||||
lua_rawset(L, LUA_REGISTRYINDEX);
|
||||
}
|
||||
|
||||
void lsec_get_curves(lua_State *L)
|
||||
{
|
||||
lua_newtable(L);
|
||||
|
||||
lua_pushstring(L, "SSL:EC:CURVES");
|
||||
lua_rawget(L, LUA_REGISTRYINDEX);
|
||||
|
||||
lua_pushnil(L);
|
||||
while (lua_next(L, -2) != 0) {
|
||||
lua_pop(L, 1);
|
||||
lua_pushvalue(L, -1);
|
||||
lua_pushboolean(L, 1);
|
||||
lua_rawset(L, -5);
|
||||
}
|
||||
lua_pop(L, 1);
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
void lsec_load_curves(lua_State *L)
|
||||
{
|
||||
// do nothing
|
||||
}
|
||||
|
||||
void lsec_get_curves(lua_State *L)
|
||||
{
|
||||
lua_newtable(L);
|
||||
}
|
||||
|
||||
#endif
|
|
@ -0,0 +1,22 @@
|
|||
/*--------------------------------------------------------------------------
|
||||
* LuaSec 1.3.1
|
||||
*
|
||||
* Copyright (C) 2006-2023 Bruno Silvestre
|
||||
*
|
||||
*--------------------------------------------------------------------------*/
|
||||
|
||||
#ifndef LSEC_EC_H
|
||||
#define LSEC_EC_H
|
||||
|
||||
#include <lua.h>
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
#include <openssl/ec.h>
|
||||
|
||||
EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);
|
||||
#endif
|
||||
|
||||
void lsec_get_curves(lua_State *L);
|
||||
void lsec_load_curves(lua_State *L);
|
||||
|
||||
#endif
|
|
@ -0,0 +1,147 @@
|
|||
----------------------------------------------------------------------------
|
||||
-- LuaSec 1.3.1
|
||||
--
|
||||
-- Copyright (C) 2009-2023 PUC-Rio
|
||||
--
|
||||
-- Author: Pablo Musa
|
||||
-- Author: Tomas Guisasola
|
||||
---------------------------------------------------------------------------
|
||||
|
||||
local socket = require("socket")
|
||||
local ssl = require("ssl")
|
||||
local ltn12 = require("ltn12")
|
||||
local http = require("socket.http")
|
||||
local url = require("socket.url")
|
||||
|
||||
local try = socket.try
|
||||
|
||||
--
|
||||
-- Module
|
||||
--
|
||||
local _M = {
|
||||
_VERSION = "1.3.1",
|
||||
_COPYRIGHT = "LuaSec 1.3.1 - Copyright (C) 2009-2023 PUC-Rio",
|
||||
PORT = 443,
|
||||
TIMEOUT = 60
|
||||
}
|
||||
|
||||
-- TLS configuration
|
||||
local cfg = {
|
||||
protocol = "any",
|
||||
options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
|
||||
verify = "none",
|
||||
}
|
||||
|
||||
--------------------------------------------------------------------
|
||||
-- Auxiliar Functions
|
||||
--------------------------------------------------------------------
|
||||
|
||||
-- Insert default HTTPS port.
|
||||
local function default_https_port(u)
|
||||
return url.build(url.parse(u, {port = _M.PORT}))
|
||||
end
|
||||
|
||||
-- Convert an URL to a table according to Luasocket needs.
|
||||
local function urlstring_totable(url, body, result_table)
|
||||
url = {
|
||||
url = default_https_port(url),
|
||||
method = body and "POST" or "GET",
|
||||
sink = ltn12.sink.table(result_table)
|
||||
}
|
||||
if body then
|
||||
url.source = ltn12.source.string(body)
|
||||
url.headers = {
|
||||
["content-length"] = #body,
|
||||
["content-type"] = "application/x-www-form-urlencoded",
|
||||
}
|
||||
end
|
||||
return url
|
||||
end
|
||||
|
||||
-- Forward calls to the real connection object.
|
||||
local function reg(conn)
|
||||
local mt = getmetatable(conn.sock).__index
|
||||
for name, method in pairs(mt) do
|
||||
if type(method) == "function" then
|
||||
conn[name] = function (self, ...)
|
||||
return method(self.sock, ...)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Return a function which performs the SSL/TLS connection.
|
||||
local function tcp(params)
|
||||
params = params or {}
|
||||
-- Default settings
|
||||
for k, v in pairs(cfg) do
|
||||
params[k] = params[k] or v
|
||||
end
|
||||
-- Force client mode
|
||||
params.mode = "client"
|
||||
-- 'create' function for LuaSocket
|
||||
return function ()
|
||||
local conn = {}
|
||||
conn.sock = try(socket.tcp())
|
||||
local st = getmetatable(conn.sock).__index.settimeout
|
||||
function conn:settimeout(...)
|
||||
return st(self.sock, _M.TIMEOUT)
|
||||
end
|
||||
-- Replace TCP's connection function
|
||||
function conn:connect(host, port)
|
||||
try(self.sock:connect(host, port))
|
||||
self.sock = try(ssl.wrap(self.sock, params))
|
||||
self.sock:sni(host)
|
||||
self.sock:settimeout(_M.TIMEOUT)
|
||||
try(self.sock:dohandshake())
|
||||
reg(self)
|
||||
return 1
|
||||
end
|
||||
return conn
|
||||
end
|
||||
end
|
||||
|
||||
--------------------------------------------------------------------
|
||||
-- Main Function
|
||||
--------------------------------------------------------------------
|
||||
|
||||
-- Make a HTTP request over secure connection. This function receives
|
||||
-- the same parameters of LuaSocket's HTTP module (except 'proxy' and
|
||||
-- 'redirect') plus LuaSec parameters.
|
||||
--
|
||||
-- @param url mandatory (string or table)
|
||||
-- @param body optional (string)
|
||||
-- @return (string if url == string or 1), code, headers, status
|
||||
--
|
||||
local function request(url, body)
|
||||
local result_table = {}
|
||||
local stringrequest = type(url) == "string"
|
||||
if stringrequest then
|
||||
url = urlstring_totable(url, body, result_table)
|
||||
else
|
||||
url.url = default_https_port(url.url)
|
||||
end
|
||||
if http.PROXY or url.proxy then
|
||||
return nil, "proxy not supported"
|
||||
elseif url.redirect then
|
||||
return nil, "redirect not supported"
|
||||
elseif url.create then
|
||||
return nil, "create function not permitted"
|
||||
end
|
||||
-- New 'create' function to establish a secure connection
|
||||
url.create = tcp(url)
|
||||
local res, code, headers, status = http.request(url)
|
||||
if res and stringrequest then
|
||||
return table.concat(result_table), code, headers, status
|
||||
end
|
||||
return res, code, headers, status
|
||||
end
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
-- Export module
|
||||
--
|
||||
|
||||
_M.request = request
|
||||
_M.tcp = tcp
|
||||
|
||||
return _M
|
|
@ -0,0 +1,21 @@
|
|||
LuaSocket 3.0-RC1 license
|
||||
Copyright (C) 2004-2013 Diego Nehab
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -0,0 +1,26 @@
|
|||
OBJS= \
|
||||
io.o \
|
||||
buffer.o \
|
||||
timeout.o \
|
||||
usocket.o
|
||||
|
||||
CC ?= cc
|
||||
CFLAGS += $(MYCFLAGS) -DLUASOCKET_DEBUG
|
||||
AR ?= ar
|
||||
RANLIB ?= ranlib
|
||||
|
||||
.PHONY: all clean
|
||||
|
||||
all: libluasocket.a
|
||||
|
||||
libluasocket.a: $(OBJS)
|
||||
$(AR) rcu $@ $(OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
clean:
|
||||
rm -f $(OBJS) libluasocket.a
|
||||
|
||||
buffer.o: buffer.c buffer.h io.h timeout.h
|
||||
io.o: io.c io.h timeout.h
|
||||
timeout.o: timeout.c timeout.h
|
||||
usocket.o: usocket.c socket.h io.h timeout.h usocket.h
|
|
@ -0,0 +1,282 @@
|
|||
/*=========================================================================*\
|
||||
* Input/Output interface for Lua programs
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
#include "lua.h"
|
||||
#include "lauxlib.h"
|
||||
|
||||
#include "buffer.h"
|
||||
|
||||
/*=========================================================================*\
|
||||
* Internal function prototypes
|
||||
\*=========================================================================*/
|
||||
static int recvraw(p_buffer buf, size_t wanted, luaL_Buffer *b);
|
||||
static int recvline(p_buffer buf, luaL_Buffer *b);
|
||||
static int recvall(p_buffer buf, luaL_Buffer *b);
|
||||
static int buffer_get(p_buffer buf, const char **data, size_t *count);
|
||||
static void buffer_skip(p_buffer buf, size_t count);
|
||||
static int sendraw(p_buffer buf, const char *data, size_t count, size_t *sent);
|
||||
|
||||
/* min and max macros */
|
||||
#ifndef MIN
|
||||
#define MIN(x, y) ((x) < (y) ? x : y)
|
||||
#endif
|
||||
#ifndef MAX
|
||||
#define MAX(x, y) ((x) > (y) ? x : y)
|
||||
#endif
|
||||
|
||||
/*=========================================================================*\
|
||||
* Exported functions
|
||||
\*=========================================================================*/
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_open(lua_State *L) {
|
||||
(void) L;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes C structure
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void buffer_init(p_buffer buf, p_io io, p_timeout tm) {
|
||||
buf->first = buf->last = 0;
|
||||
buf->io = io;
|
||||
buf->tm = tm;
|
||||
buf->received = buf->sent = 0;
|
||||
buf->birthday = timeout_gettime();
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* object:getstats() interface
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_meth_getstats(lua_State *L, p_buffer buf) {
|
||||
lua_pushnumber(L, (lua_Number) buf->received);
|
||||
lua_pushnumber(L, (lua_Number) buf->sent);
|
||||
lua_pushnumber(L, timeout_gettime() - buf->birthday);
|
||||
return 3;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* object:setstats() interface
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_meth_setstats(lua_State *L, p_buffer buf) {
|
||||
buf->received = (long) luaL_optnumber(L, 2, (lua_Number) buf->received);
|
||||
buf->sent = (long) luaL_optnumber(L, 3, (lua_Number) buf->sent);
|
||||
if (lua_isnumber(L, 4)) buf->birthday = timeout_gettime() - lua_tonumber(L, 4);
|
||||
lua_pushnumber(L, 1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* object:send() interface
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_meth_send(lua_State *L, p_buffer buf) {
|
||||
int top = lua_gettop(L);
|
||||
int err = IO_DONE;
|
||||
size_t size = 0, sent = 0;
|
||||
const char *data = luaL_checklstring(L, 2, &size);
|
||||
long start = (long) luaL_optnumber(L, 3, 1);
|
||||
long end = (long) luaL_optnumber(L, 4, -1);
|
||||
#ifdef LUASOCKET_DEBUG
|
||||
p_timeout tm = timeout_markstart(buf->tm);
|
||||
#endif
|
||||
if (start < 0) start = (long) (size+start+1);
|
||||
if (end < 0) end = (long) (size+end+1);
|
||||
if (start < 1) start = (long) 1;
|
||||
if (end > (long) size) end = (long) size;
|
||||
if (start <= end) err = sendraw(buf, data+start-1, end-start+1, &sent);
|
||||
/* check if there was an error */
|
||||
if (err != IO_DONE) {
|
||||
lua_pushnil(L);
|
||||
lua_pushstring(L, buf->io->error(buf->io->ctx, err));
|
||||
lua_pushnumber(L, (lua_Number) (sent+start-1));
|
||||
} else {
|
||||
lua_pushnumber(L, (lua_Number) (sent+start-1));
|
||||
lua_pushnil(L);
|
||||
lua_pushnil(L);
|
||||
}
|
||||
#ifdef LUASOCKET_DEBUG
|
||||
/* push time elapsed during operation as the last return value */
|
||||
lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
|
||||
#endif
|
||||
return lua_gettop(L) - top;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* object:receive() interface
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_meth_receive(lua_State *L, p_buffer buf) {
|
||||
luaL_Buffer b;
|
||||
size_t size;
|
||||
const char *part;
|
||||
int err = IO_DONE;
|
||||
int top = lua_gettop(L);
|
||||
if (top < 3) {
|
||||
lua_settop(L, 3);
|
||||
top = 3;
|
||||
}
|
||||
part = luaL_optlstring(L, 3, "", &size);
|
||||
#ifdef LUASOCKET_DEBUG
|
||||
p_timeout tm = timeout_markstart(buf->tm);
|
||||
#endif
|
||||
/* initialize buffer with optional extra prefix
|
||||
* (useful for concatenating previous partial results) */
|
||||
luaL_buffinit(L, &b);
|
||||
luaL_addlstring(&b, part, size);
|
||||
/* receive new patterns */
|
||||
if (!lua_isnumber(L, 2)) {
|
||||
const char *p= luaL_optstring(L, 2, "*l");
|
||||
if (p[0] == '*' && p[1] == 'l') err = recvline(buf, &b);
|
||||
else if (p[0] == '*' && p[1] == 'a') err = recvall(buf, &b);
|
||||
else luaL_argcheck(L, 0, 2, "invalid receive pattern");
|
||||
/* get a fixed number of bytes (minus what was already partially
|
||||
* received) */
|
||||
} else {
|
||||
double n = lua_tonumber(L, 2);
|
||||
size_t wanted = (size_t) n;
|
||||
luaL_argcheck(L, n >= 0, 2, "invalid receive pattern");
|
||||
if (size == 0 || wanted > size)
|
||||
err = recvraw(buf, wanted-size, &b);
|
||||
}
|
||||
/* check if there was an error */
|
||||
if (err != IO_DONE) {
|
||||
/* we can't push anything in the stack before pushing the
|
||||
* contents of the buffer. this is the reason for the complication */
|
||||
luaL_pushresult(&b);
|
||||
lua_pushstring(L, buf->io->error(buf->io->ctx, err));
|
||||
lua_pushvalue(L, -2);
|
||||
lua_pushnil(L);
|
||||
lua_replace(L, -4);
|
||||
} else {
|
||||
luaL_pushresult(&b);
|
||||
lua_pushnil(L);
|
||||
lua_pushnil(L);
|
||||
}
|
||||
#ifdef LUASOCKET_DEBUG
|
||||
/* push time elapsed during operation as the last return value */
|
||||
lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
|
||||
#endif
|
||||
return lua_gettop(L) - top;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Determines if there is any data in the read buffer
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int buffer_isempty(p_buffer buf) {
|
||||
return buf->first >= buf->last;
|
||||
}
|
||||
|
||||
/*=========================================================================*\
|
||||
* Internal functions
|
||||
\*=========================================================================*/
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Sends a block of data (unbuffered)
|
||||
\*-------------------------------------------------------------------------*/
|
||||
#define STEPSIZE 8192
|
||||
static int sendraw(p_buffer buf, const char *data, size_t count, size_t *sent) {
|
||||
p_io io = buf->io;
|
||||
p_timeout tm = buf->tm;
|
||||
size_t total = 0;
|
||||
int err = IO_DONE;
|
||||
while (total < count && err == IO_DONE) {
|
||||
size_t done = 0;
|
||||
size_t step = (count-total <= STEPSIZE)? count-total: STEPSIZE;
|
||||
err = io->send(io->ctx, data+total, step, &done, tm);
|
||||
total += done;
|
||||
}
|
||||
*sent = total;
|
||||
buf->sent += total;
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Reads a fixed number of bytes (buffered)
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static int recvraw(p_buffer buf, size_t wanted, luaL_Buffer *b) {
|
||||
int err = IO_DONE;
|
||||
size_t total = 0;
|
||||
while (err == IO_DONE) {
|
||||
size_t count; const char *data;
|
||||
err = buffer_get(buf, &data, &count);
|
||||
count = MIN(count, wanted - total);
|
||||
luaL_addlstring(b, data, count);
|
||||
buffer_skip(buf, count);
|
||||
total += count;
|
||||
if (total >= wanted) break;
|
||||
}
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Reads everything until the connection is closed (buffered)
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static int recvall(p_buffer buf, luaL_Buffer *b) {
|
||||
int err = IO_DONE;
|
||||
size_t total = 0;
|
||||
while (err == IO_DONE) {
|
||||
const char *data; size_t count;
|
||||
err = buffer_get(buf, &data, &count);
|
||||
total += count;
|
||||
luaL_addlstring(b, data, count);
|
||||
buffer_skip(buf, count);
|
||||
}
|
||||
if (err == IO_CLOSED) {
|
||||
if (total > 0) return IO_DONE;
|
||||
else return IO_CLOSED;
|
||||
} else return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Reads a line terminated by a CR LF pair or just by a LF. The CR and LF
|
||||
* are not returned by the function and are discarded from the buffer
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static int recvline(p_buffer buf, luaL_Buffer *b) {
|
||||
int err = IO_DONE;
|
||||
while (err == IO_DONE) {
|
||||
size_t count, pos; const char *data;
|
||||
err = buffer_get(buf, &data, &count);
|
||||
pos = 0;
|
||||
while (pos < count && data[pos] != '\n') {
|
||||
/* we ignore all \r's */
|
||||
if (data[pos] != '\r') luaL_addchar(b, data[pos]);
|
||||
pos++;
|
||||
}
|
||||
if (pos < count) { /* found '\n' */
|
||||
buffer_skip(buf, pos+1); /* skip '\n' too */
|
||||
break; /* we are done */
|
||||
} else /* reached the end of the buffer */
|
||||
buffer_skip(buf, pos);
|
||||
}
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Skips a given number of bytes from read buffer. No data is read from the
|
||||
* transport layer
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static void buffer_skip(p_buffer buf, size_t count) {
|
||||
buf->received += count;
|
||||
buf->first += count;
|
||||
if (buffer_isempty(buf))
|
||||
buf->first = buf->last = 0;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Return any data available in buffer, or get more data from transport layer
|
||||
* if buffer is empty
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static int buffer_get(p_buffer buf, const char **data, size_t *count) {
|
||||
int err = IO_DONE;
|
||||
p_io io = buf->io;
|
||||
p_timeout tm = buf->tm;
|
||||
if (buffer_isempty(buf)) {
|
||||
size_t got;
|
||||
err = io->recv(io->ctx, buf->data, BUF_SIZE, &got, tm);
|
||||
buf->first = 0;
|
||||
buf->last = got;
|
||||
}
|
||||
*count = buf->last - buf->first;
|
||||
*data = buf->data + buf->first;
|
||||
return err;
|
||||
}
|
|
@ -0,0 +1,45 @@
|
|||
#ifndef BUF_H
|
||||
#define BUF_H
|
||||
/*=========================================================================*\
|
||||
* Input/Output interface for Lua programs
|
||||
* LuaSocket toolkit
|
||||
*
|
||||
* Line patterns require buffering. Reading one character at a time involves
|
||||
* too many system calls and is very slow. This module implements the
|
||||
* LuaSocket interface for input/output on connected objects, as seen by
|
||||
* Lua programs.
|
||||
*
|
||||
* Input is buffered. Output is *not* buffered because there was no simple
|
||||
* way of making sure the buffered output data would ever be sent.
|
||||
*
|
||||
* The module is built on top of the I/O abstraction defined in io.h and the
|
||||
* timeout management is done with the timeout.h interface.
|
||||
\*=========================================================================*/
|
||||
#include "lua.h"
|
||||
|
||||
#include "io.h"
|
||||
#include "timeout.h"
|
||||
|
||||
/* buffer size in bytes */
|
||||
#define BUF_SIZE 8192
|
||||
|
||||
/* buffer control structure */
|
||||
typedef struct t_buffer_ {
|
||||
double birthday; /* throttle support info: creation time, */
|
||||
size_t sent, received; /* bytes sent, and bytes received */
|
||||
p_io io; /* IO driver used for this buffer */
|
||||
p_timeout tm; /* timeout management for this buffer */
|
||||
size_t first, last; /* index of first and last bytes of stored data */
|
||||
char data[BUF_SIZE]; /* storage space for buffer data */
|
||||
} t_buffer;
|
||||
typedef t_buffer *p_buffer;
|
||||
|
||||
int buffer_open(lua_State *L);
|
||||
void buffer_init(p_buffer buf, p_io io, p_timeout tm);
|
||||
int buffer_meth_send(lua_State *L, p_buffer buf);
|
||||
int buffer_meth_receive(lua_State *L, p_buffer buf);
|
||||
int buffer_meth_getstats(lua_State *L, p_buffer buf);
|
||||
int buffer_meth_setstats(lua_State *L, p_buffer buf);
|
||||
int buffer_isempty(p_buffer buf);
|
||||
|
||||
#endif /* BUF_H */
|
|
@ -0,0 +1,30 @@
|
|||
/*=========================================================================*\
|
||||
* Input/Output abstraction
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
#include "io.h"
|
||||
|
||||
/*=========================================================================*\
|
||||
* Exported functions
|
||||
\*=========================================================================*/
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes C structure
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void io_init(p_io io, p_send send, p_recv recv, p_error error, void *ctx) {
|
||||
io->send = send;
|
||||
io->recv = recv;
|
||||
io->error = error;
|
||||
io->ctx = ctx;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* I/O error strings
|
||||
\*-------------------------------------------------------------------------*/
|
||||
const char *io_strerror(int err) {
|
||||
switch (err) {
|
||||
case IO_DONE: return NULL;
|
||||
case IO_CLOSED: return "closed";
|
||||
case IO_TIMEOUT: return "timeout";
|
||||
default: return "unknown error";
|
||||
}
|
||||
}
|
|
@ -0,0 +1,65 @@
|
|||
#ifndef IO_H
|
||||
#define IO_H
|
||||
/*=========================================================================*\
|
||||
* Input/Output abstraction
|
||||
* LuaSocket toolkit
|
||||
*
|
||||
* This module defines the interface that LuaSocket expects from the
|
||||
* transport layer for streamed input/output. The idea is that if any
|
||||
* transport implements this interface, then the buffer.c functions
|
||||
* automatically work on it.
|
||||
*
|
||||
* The module socket.h implements this interface, and thus the module tcp.h
|
||||
* is very simple.
|
||||
\*=========================================================================*/
|
||||
#include <stdio.h>
|
||||
#include "lua.h"
|
||||
|
||||
#include "timeout.h"
|
||||
|
||||
/* IO error codes */
|
||||
enum {
|
||||
IO_DONE = 0, /* operation completed successfully */
|
||||
IO_TIMEOUT = -1, /* operation timed out */
|
||||
IO_CLOSED = -2, /* the connection has been closed */
|
||||
IO_UNKNOWN = -3
|
||||
};
|
||||
|
||||
/* interface to error message function */
|
||||
typedef const char *(*p_error) (
|
||||
void *ctx, /* context needed by send */
|
||||
int err /* error code */
|
||||
);
|
||||
|
||||
/* interface to send function */
|
||||
typedef int (*p_send) (
|
||||
void *ctx, /* context needed by send */
|
||||
const char *data, /* pointer to buffer with data to send */
|
||||
size_t count, /* number of bytes to send from buffer */
|
||||
size_t *sent, /* number of bytes sent uppon return */
|
||||
p_timeout tm /* timeout control */
|
||||
);
|
||||
|
||||
/* interface to recv function */
|
||||
typedef int (*p_recv) (
|
||||
void *ctx, /* context needed by recv */
|
||||
char *data, /* pointer to buffer where data will be written */
|
||||
size_t count, /* number of bytes to receive into buffer */
|
||||
size_t *got, /* number of bytes received uppon return */
|
||||
p_timeout tm /* timeout control */
|
||||
);
|
||||
|
||||
/* IO driver definition */
|
||||
typedef struct t_io_ {
|
||||
void *ctx; /* context needed by send/recv */
|
||||
p_send send; /* send function pointer */
|
||||
p_recv recv; /* receive function pointer */
|
||||
p_error error; /* strerror function */
|
||||
} t_io;
|
||||
typedef t_io *p_io;
|
||||
|
||||
void io_init(p_io io, p_send send, p_recv recv, p_error error, void *ctx);
|
||||
const char *io_strerror(int err);
|
||||
|
||||
#endif /* IO_H */
|
||||
|
|
@ -0,0 +1,78 @@
|
|||
#ifndef SOCKET_H
|
||||
#define SOCKET_H
|
||||
/*=========================================================================*\
|
||||
* Socket compatibilization module
|
||||
* LuaSocket toolkit
|
||||
*
|
||||
* BSD Sockets and WinSock are similar, but there are a few irritating
|
||||
* differences. Also, not all *nix platforms behave the same. This module
|
||||
* (and the associated usocket.h and wsocket.h) factor these differences and
|
||||
* creates a interface compatible with the io.h module.
|
||||
\*=========================================================================*/
|
||||
#include "io.h"
|
||||
|
||||
/*=========================================================================*\
|
||||
* Platform specific compatibilization
|
||||
\*=========================================================================*/
|
||||
#ifdef _WIN32
|
||||
#include "wsocket.h"
|
||||
#else
|
||||
#include "usocket.h"
|
||||
#endif
|
||||
|
||||
/*=========================================================================*\
|
||||
* The connect and accept functions accept a timeout and their
|
||||
* implementations are somewhat complicated. We chose to move
|
||||
* the timeout control into this module for these functions in
|
||||
* order to simplify the modules that use them.
|
||||
\*=========================================================================*/
|
||||
#include "timeout.h"
|
||||
|
||||
/* we are lazy... */
|
||||
typedef struct sockaddr SA;
|
||||
|
||||
/*=========================================================================*\
|
||||
* Functions below implement a comfortable platform independent
|
||||
* interface to sockets
|
||||
\*=========================================================================*/
|
||||
int socket_open(void);
|
||||
int socket_close(void);
|
||||
void socket_destroy(p_socket ps);
|
||||
void socket_shutdown(p_socket ps, int how);
|
||||
int socket_sendto(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, SA *addr, socklen_t addr_len, p_timeout tm);
|
||||
int socket_recvfrom(p_socket ps, char *data, size_t count,
|
||||
size_t *got, SA *addr, socklen_t *addr_len, p_timeout tm);
|
||||
|
||||
void socket_setnonblocking(p_socket ps);
|
||||
void socket_setblocking(p_socket ps);
|
||||
|
||||
int socket_waitfd(p_socket ps, int sw, p_timeout tm);
|
||||
int socket_select(t_socket n, fd_set *rfds, fd_set *wfds, fd_set *efds,
|
||||
p_timeout tm);
|
||||
|
||||
int socket_connect(p_socket ps, SA *addr, socklen_t addr_len, p_timeout tm);
|
||||
int socket_create(p_socket ps, int domain, int type, int protocol);
|
||||
int socket_bind(p_socket ps, SA *addr, socklen_t addr_len);
|
||||
int socket_listen(p_socket ps, int backlog);
|
||||
int socket_accept(p_socket ps, p_socket pa, SA *addr,
|
||||
socklen_t *addr_len, p_timeout tm);
|
||||
|
||||
const char *socket_hoststrerror(int err);
|
||||
const char *socket_gaistrerror(int err);
|
||||
const char *socket_strerror(int err);
|
||||
|
||||
/* these are perfect to use with the io abstraction module
|
||||
and the buffered input module */
|
||||
int socket_send(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, p_timeout tm);
|
||||
int socket_recv(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm);
|
||||
int socket_write(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, p_timeout tm);
|
||||
int socket_read(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm);
|
||||
const char *socket_ioerror(p_socket ps, int err);
|
||||
|
||||
int socket_gethostbyaddr(const char *addr, socklen_t len, struct hostent **hp);
|
||||
int socket_gethostbyname(const char *addr, struct hostent **hp);
|
||||
|
||||
#endif /* SOCKET_H */
|
|
@ -0,0 +1,220 @@
|
|||
/*=========================================================================*\
|
||||
* Timeout management functions
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <float.h>
|
||||
|
||||
#include "lua.h"
|
||||
#include "lauxlib.h"
|
||||
|
||||
#include "timeout.h"
|
||||
|
||||
#ifdef _WIN32
|
||||
#include <windows.h>
|
||||
#else
|
||||
#include <time.h>
|
||||
#include <sys/time.h>
|
||||
#endif
|
||||
|
||||
/* min and max macros */
|
||||
#ifndef MIN
|
||||
#define MIN(x, y) ((x) < (y) ? x : y)
|
||||
#endif
|
||||
#ifndef MAX
|
||||
#define MAX(x, y) ((x) > (y) ? x : y)
|
||||
#endif
|
||||
|
||||
/*=========================================================================*\
|
||||
* Internal function prototypes
|
||||
\*=========================================================================*/
|
||||
static int timeout_lua_gettime(lua_State *L);
|
||||
static int timeout_lua_sleep(lua_State *L);
|
||||
|
||||
static luaL_Reg func[] = {
|
||||
{ "gettime", timeout_lua_gettime },
|
||||
{ "sleep", timeout_lua_sleep },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
/*=========================================================================*\
|
||||
* Exported functions.
|
||||
\*=========================================================================*/
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initialize structure
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void timeout_init(p_timeout tm, double block, double total) {
|
||||
tm->block = block;
|
||||
tm->total = total;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Determines how much time we have left for the next system call,
|
||||
* if the previous call was successful
|
||||
* Input
|
||||
* tm: timeout control structure
|
||||
* Returns
|
||||
* the number of ms left or -1 if there is no time limit
|
||||
\*-------------------------------------------------------------------------*/
|
||||
double timeout_get(p_timeout tm) {
|
||||
if (tm->block < 0.0 && tm->total < 0.0) {
|
||||
return -1;
|
||||
} else if (tm->block < 0.0) {
|
||||
double t = tm->total - timeout_gettime() + tm->start;
|
||||
return MAX(t, 0.0);
|
||||
} else if (tm->total < 0.0) {
|
||||
return tm->block;
|
||||
} else {
|
||||
double t = tm->total - timeout_gettime() + tm->start;
|
||||
return MIN(tm->block, MAX(t, 0.0));
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Returns time since start of operation
|
||||
* Input
|
||||
* tm: timeout control structure
|
||||
* Returns
|
||||
* start field of structure
|
||||
\*-------------------------------------------------------------------------*/
|
||||
double timeout_getstart(p_timeout tm) {
|
||||
return tm->start;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Determines how much time we have left for the next system call,
|
||||
* if the previous call was a failure
|
||||
* Input
|
||||
* tm: timeout control structure
|
||||
* Returns
|
||||
* the number of ms left or -1 if there is no time limit
|
||||
\*-------------------------------------------------------------------------*/
|
||||
double timeout_getretry(p_timeout tm) {
|
||||
if (tm->block < 0.0 && tm->total < 0.0) {
|
||||
return -1;
|
||||
} else if (tm->block < 0.0) {
|
||||
double t = tm->total - timeout_gettime() + tm->start;
|
||||
return MAX(t, 0.0);
|
||||
} else if (tm->total < 0.0) {
|
||||
double t = tm->block - timeout_gettime() + tm->start;
|
||||
return MAX(t, 0.0);
|
||||
} else {
|
||||
double t = tm->total - timeout_gettime() + tm->start;
|
||||
return MIN(tm->block, MAX(t, 0.0));
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Marks the operation start time in structure
|
||||
* Input
|
||||
* tm: timeout control structure
|
||||
\*-------------------------------------------------------------------------*/
|
||||
p_timeout timeout_markstart(p_timeout tm) {
|
||||
tm->start = timeout_gettime();
|
||||
return tm;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Gets time in s, relative to January 1, 1970 (UTC)
|
||||
* Returns
|
||||
* time in s.
|
||||
\*-------------------------------------------------------------------------*/
|
||||
#ifdef _WIN32
|
||||
double timeout_gettime(void) {
|
||||
FILETIME ft;
|
||||
double t;
|
||||
GetSystemTimeAsFileTime(&ft);
|
||||
/* Windows file time (time since January 1, 1601 (UTC)) */
|
||||
t = ft.dwLowDateTime/1.0e7 + ft.dwHighDateTime*(4294967296.0/1.0e7);
|
||||
/* convert to Unix Epoch time (time since January 1, 1970 (UTC)) */
|
||||
return (t - 11644473600.0);
|
||||
}
|
||||
#else
|
||||
double timeout_gettime(void) {
|
||||
struct timeval v;
|
||||
gettimeofday(&v, (struct timezone *) NULL);
|
||||
/* Unix Epoch time (time since January 1, 1970 (UTC)) */
|
||||
return v.tv_sec + v.tv_usec/1.0e6;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int timeout_open(lua_State *L) {
|
||||
#if LUA_VERSION_NUM > 501 && !defined(LUA_COMPAT_MODULE)
|
||||
luaL_setfuncs(L, func, 0);
|
||||
#else
|
||||
luaL_openlib(L, NULL, func, 0);
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Sets timeout values for IO operations
|
||||
* Lua Input: base, time [, mode]
|
||||
* time: time out value in seconds
|
||||
* mode: "b" for block timeout, "t" for total timeout. (default: b)
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int timeout_meth_settimeout(lua_State *L, p_timeout tm) {
|
||||
double t = luaL_optnumber(L, 2, -1);
|
||||
const char *mode = luaL_optstring(L, 3, "b");
|
||||
switch (*mode) {
|
||||
case 'b':
|
||||
tm->block = t;
|
||||
break;
|
||||
case 'r': case 't':
|
||||
tm->total = t;
|
||||
break;
|
||||
default:
|
||||
luaL_argcheck(L, 0, 3, "invalid timeout mode");
|
||||
break;
|
||||
}
|
||||
lua_pushnumber(L, 1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*=========================================================================*\
|
||||
* Test support functions
|
||||
\*=========================================================================*/
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Returns the time the system has been up, in secconds.
|
||||
\*-------------------------------------------------------------------------*/
|
||||
static int timeout_lua_gettime(lua_State *L)
|
||||
{
|
||||
lua_pushnumber(L, timeout_gettime());
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Sleep for n seconds.
|
||||
\*-------------------------------------------------------------------------*/
|
||||
#ifdef _WIN32
|
||||
int timeout_lua_sleep(lua_State *L)
|
||||
{
|
||||
double n = luaL_checknumber(L, 1);
|
||||
if (n < 0.0) n = 0.0;
|
||||
if (n < DBL_MAX/1000.0) n *= 1000.0;
|
||||
if (n > INT_MAX) n = INT_MAX;
|
||||
Sleep((int)n);
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
int timeout_lua_sleep(lua_State *L)
|
||||
{
|
||||
double n = luaL_checknumber(L, 1);
|
||||
struct timespec t, r;
|
||||
if (n < 0.0) n = 0.0;
|
||||
if (n > INT_MAX) n = INT_MAX;
|
||||
t.tv_sec = (int) n;
|
||||
n -= t.tv_sec;
|
||||
t.tv_nsec = (int) (n * 1000000000);
|
||||
if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999;
|
||||
while (nanosleep(&t, &r) != 0) {
|
||||
t.tv_sec = r.tv_sec;
|
||||
t.tv_nsec = r.tv_nsec;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif
|
|
@ -0,0 +1,28 @@
|
|||
#ifndef TIMEOUT_H
|
||||
#define TIMEOUT_H
|
||||
/*=========================================================================*\
|
||||
* Timeout management functions
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
#include "lua.h"
|
||||
|
||||
/* timeout control structure */
|
||||
typedef struct t_timeout_ {
|
||||
double block; /* maximum time for blocking calls */
|
||||
double total; /* total number of milliseconds for operation */
|
||||
double start; /* time of start of operation */
|
||||
} t_timeout;
|
||||
typedef t_timeout *p_timeout;
|
||||
|
||||
int timeout_open(lua_State *L);
|
||||
void timeout_init(p_timeout tm, double block, double total);
|
||||
double timeout_get(p_timeout tm);
|
||||
double timeout_getretry(p_timeout tm);
|
||||
p_timeout timeout_markstart(p_timeout tm);
|
||||
double timeout_getstart(p_timeout tm);
|
||||
double timeout_gettime(void);
|
||||
int timeout_meth_settimeout(lua_State *L, p_timeout tm);
|
||||
|
||||
#define timeout_iszero(tm) ((tm)->block == 0.0)
|
||||
|
||||
#endif /* TIMEOUT_H */
|
|
@ -0,0 +1,439 @@
|
|||
/*=========================================================================*\
|
||||
* Socket compatibilization module for Unix
|
||||
* LuaSocket toolkit
|
||||
*
|
||||
* The code is now interrupt-safe.
|
||||
* The penalty of calling select to avoid busy-wait is only paid when
|
||||
* the I/O call fail in the first place.
|
||||
\*=========================================================================*/
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "socket.h"
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Wait for readable/writable/connected socket with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
#ifndef SOCKET_SELECT
|
||||
int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
|
||||
int ret;
|
||||
struct pollfd pfd;
|
||||
pfd.fd = *ps;
|
||||
pfd.events = sw;
|
||||
pfd.revents = 0;
|
||||
if (timeout_iszero(tm)) return IO_TIMEOUT; /* optimize timeout == 0 case */
|
||||
do {
|
||||
int t = (int)(timeout_getretry(tm)*1e3);
|
||||
ret = poll(&pfd, 1, t >= 0? t: -1);
|
||||
} while (ret == -1 && errno == EINTR);
|
||||
if (ret == -1) return errno;
|
||||
if (ret == 0) return IO_TIMEOUT;
|
||||
if (sw == WAITFD_C && (pfd.revents & (POLLIN|POLLERR))) return IO_CLOSED;
|
||||
return IO_DONE;
|
||||
}
|
||||
#else
|
||||
int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
|
||||
int ret;
|
||||
fd_set rfds, wfds, *rp, *wp;
|
||||
struct timeval tv, *tp;
|
||||
double t;
|
||||
if (*ps >= FD_SETSIZE) return EINVAL;
|
||||
if (timeout_iszero(tm)) return IO_TIMEOUT; /* optimize timeout == 0 case */
|
||||
do {
|
||||
/* must set bits within loop, because select may have modified them */
|
||||
rp = wp = NULL;
|
||||
if (sw & WAITFD_R) { FD_ZERO(&rfds); FD_SET(*ps, &rfds); rp = &rfds; }
|
||||
if (sw & WAITFD_W) { FD_ZERO(&wfds); FD_SET(*ps, &wfds); wp = &wfds; }
|
||||
t = timeout_getretry(tm);
|
||||
tp = NULL;
|
||||
if (t >= 0.0) {
|
||||
tv.tv_sec = (int)t;
|
||||
tv.tv_usec = (int)((t-tv.tv_sec)*1.0e6);
|
||||
tp = &tv;
|
||||
}
|
||||
ret = select(*ps+1, rp, wp, NULL, tp);
|
||||
} while (ret == -1 && errno == EINTR);
|
||||
if (ret == -1) return errno;
|
||||
if (ret == 0) return IO_TIMEOUT;
|
||||
if (sw == WAITFD_C && FD_ISSET(*ps, &rfds)) return IO_CLOSED;
|
||||
return IO_DONE;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_open(void) {
|
||||
/* instals a handler to ignore sigpipe or it will crash us */
|
||||
signal(SIGPIPE, SIG_IGN);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Close module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_close(void) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Close and inutilize socket
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_destroy(p_socket ps) {
|
||||
if (*ps != SOCKET_INVALID) {
|
||||
socket_setblocking(ps);
|
||||
close(*ps);
|
||||
*ps = SOCKET_INVALID;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Select with timeout control
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_select(t_socket n, fd_set *rfds, fd_set *wfds, fd_set *efds,
|
||||
p_timeout tm) {
|
||||
int ret;
|
||||
do {
|
||||
struct timeval tv;
|
||||
double t = timeout_getretry(tm);
|
||||
tv.tv_sec = (int) t;
|
||||
tv.tv_usec = (int) ((t - tv.tv_sec) * 1.0e6);
|
||||
/* timeout = 0 means no wait */
|
||||
ret = select(n, rfds, wfds, efds, t >= 0.0 ? &tv: NULL);
|
||||
} while (ret < 0 && errno == EINTR);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Creates and sets up a socket
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_create(p_socket ps, int domain, int type, int protocol) {
|
||||
*ps = socket(domain, type, protocol);
|
||||
if (*ps != SOCKET_INVALID) return IO_DONE;
|
||||
else return errno;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Binds or returns error message
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_bind(p_socket ps, SA *addr, socklen_t len) {
|
||||
int err = IO_DONE;
|
||||
socket_setblocking(ps);
|
||||
if (bind(*ps, addr, len) < 0) err = errno;
|
||||
socket_setnonblocking(ps);
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
*
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_listen(p_socket ps, int backlog) {
|
||||
int err = IO_DONE;
|
||||
socket_setblocking(ps);
|
||||
if (listen(*ps, backlog)) err = errno;
|
||||
socket_setnonblocking(ps);
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
*
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_shutdown(p_socket ps, int how) {
|
||||
socket_setblocking(ps);
|
||||
shutdown(*ps, how);
|
||||
socket_setnonblocking(ps);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Connects or returns error message
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_connect(p_socket ps, SA *addr, socklen_t len, p_timeout tm) {
|
||||
int err;
|
||||
/* avoid calling on closed sockets */
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
/* call connect until done or failed without being interrupted */
|
||||
do if (connect(*ps, addr, len) == 0) return IO_DONE;
|
||||
while ((err = errno) == EINTR);
|
||||
/* if connection failed immediately, return error code */
|
||||
if (err != EINPROGRESS && err != EAGAIN) return err;
|
||||
/* zero timeout case optimization */
|
||||
if (timeout_iszero(tm)) return IO_TIMEOUT;
|
||||
/* wait until we have the result of the connection attempt or timeout */
|
||||
err = socket_waitfd(ps, WAITFD_C, tm);
|
||||
if (err == IO_CLOSED) {
|
||||
if (recv(*ps, (char *) &err, 0, 0) == 0) return IO_DONE;
|
||||
else return errno;
|
||||
} else return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Accept with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_accept(p_socket ps, p_socket pa, SA *addr, socklen_t *len, p_timeout tm) {
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
int err;
|
||||
if ((*pa = accept(*ps, addr, len)) != SOCKET_INVALID) return IO_DONE;
|
||||
err = errno;
|
||||
if (err == EINTR) continue;
|
||||
if (err != EAGAIN && err != ECONNABORTED) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
/* can't reach here */
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Send with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_send(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, p_timeout tm)
|
||||
{
|
||||
int err;
|
||||
*sent = 0;
|
||||
/* avoid making system calls on closed sockets */
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
/* loop until we send something or we give up on error */
|
||||
for ( ;; ) {
|
||||
long put = (long) send(*ps, data, count, 0);
|
||||
/* if we sent anything, we are done */
|
||||
if (put >= 0) {
|
||||
*sent = put;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
/* EPIPE means the connection was closed */
|
||||
if (err == EPIPE) return IO_CLOSED;
|
||||
/* we call was interrupted, just try again */
|
||||
if (err == EINTR) continue;
|
||||
/* if failed fatal reason, report error */
|
||||
if (err != EAGAIN) return err;
|
||||
/* wait until we can send something or we timeout */
|
||||
if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
|
||||
}
|
||||
/* can't reach here */
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Sendto with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_sendto(p_socket ps, const char *data, size_t count, size_t *sent,
|
||||
SA *addr, socklen_t len, p_timeout tm)
|
||||
{
|
||||
int err;
|
||||
*sent = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
long put = (long) sendto(*ps, data, count, 0, addr, len);
|
||||
if (put >= 0) {
|
||||
*sent = put;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
if (err == EPIPE) return IO_CLOSED;
|
||||
if (err == EINTR) continue;
|
||||
if (err != EAGAIN) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
|
||||
}
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Receive with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_recv(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm) {
|
||||
int err;
|
||||
*got = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
long taken = (long) recv(*ps, data, count, 0);
|
||||
if (taken > 0) {
|
||||
*got = taken;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
if (taken == 0) return IO_CLOSED;
|
||||
if (err == EINTR) continue;
|
||||
if (err != EAGAIN) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Recvfrom with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_recvfrom(p_socket ps, char *data, size_t count, size_t *got,
|
||||
SA *addr, socklen_t *len, p_timeout tm) {
|
||||
int err;
|
||||
*got = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
long taken = (long) recvfrom(*ps, data, count, 0, addr, len);
|
||||
if (taken > 0) {
|
||||
*got = taken;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
if (taken == 0) return IO_CLOSED;
|
||||
if (err == EINTR) continue;
|
||||
if (err != EAGAIN) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Write with timeout
|
||||
*
|
||||
* socket_read and socket_write are cut-n-paste of socket_send and socket_recv,
|
||||
* with send/recv replaced with write/read. We can't just use write/read
|
||||
* in the socket version, because behaviour when size is zero is different.
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_write(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, p_timeout tm)
|
||||
{
|
||||
int err;
|
||||
*sent = 0;
|
||||
/* avoid making system calls on closed sockets */
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
/* loop until we send something or we give up on error */
|
||||
for ( ;; ) {
|
||||
long put = (long) write(*ps, data, count);
|
||||
/* if we sent anything, we are done */
|
||||
if (put >= 0) {
|
||||
*sent = put;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
/* EPIPE means the connection was closed */
|
||||
if (err == EPIPE) return IO_CLOSED;
|
||||
/* we call was interrupted, just try again */
|
||||
if (err == EINTR) continue;
|
||||
/* if failed fatal reason, report error */
|
||||
if (err != EAGAIN) return err;
|
||||
/* wait until we can send something or we timeout */
|
||||
if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
|
||||
}
|
||||
/* can't reach here */
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Read with timeout
|
||||
* See note for socket_write
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_read(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm) {
|
||||
int err;
|
||||
*got = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
long taken = (long) read(*ps, data, count);
|
||||
if (taken > 0) {
|
||||
*got = taken;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = errno;
|
||||
if (taken == 0) return IO_CLOSED;
|
||||
if (err == EINTR) continue;
|
||||
if (err != EAGAIN) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Put socket into blocking mode
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_setblocking(p_socket ps) {
|
||||
int flags = fcntl(*ps, F_GETFL, 0);
|
||||
flags &= (~(O_NONBLOCK));
|
||||
fcntl(*ps, F_SETFL, flags);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Put socket into non-blocking mode
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_setnonblocking(p_socket ps) {
|
||||
int flags = fcntl(*ps, F_GETFL, 0);
|
||||
flags |= O_NONBLOCK;
|
||||
fcntl(*ps, F_SETFL, flags);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* DNS helpers
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_gethostbyaddr(const char *addr, socklen_t len, struct hostent **hp) {
|
||||
*hp = gethostbyaddr(addr, len, AF_INET);
|
||||
if (*hp) return IO_DONE;
|
||||
else if (h_errno) return h_errno;
|
||||
else if (errno) return errno;
|
||||
else return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
int socket_gethostbyname(const char *addr, struct hostent **hp) {
|
||||
*hp = gethostbyname(addr);
|
||||
if (*hp) return IO_DONE;
|
||||
else if (h_errno) return h_errno;
|
||||
else if (errno) return errno;
|
||||
else return IO_UNKNOWN;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Error translation functions
|
||||
* Make sure important error messages are standard
|
||||
\*-------------------------------------------------------------------------*/
|
||||
const char *socket_hoststrerror(int err) {
|
||||
if (err <= 0) return io_strerror(err);
|
||||
switch (err) {
|
||||
case HOST_NOT_FOUND: return "host not found";
|
||||
default: return hstrerror(err);
|
||||
}
|
||||
}
|
||||
|
||||
const char *socket_strerror(int err) {
|
||||
if (err <= 0) return io_strerror(err);
|
||||
switch (err) {
|
||||
case EADDRINUSE: return "address already in use";
|
||||
case EISCONN: return "already connected";
|
||||
case EACCES: return "permission denied";
|
||||
case ECONNREFUSED: return "connection refused";
|
||||
case ECONNABORTED: return "closed";
|
||||
case ECONNRESET: return "closed";
|
||||
case ETIMEDOUT: return "timeout";
|
||||
default: return strerror(err);
|
||||
}
|
||||
}
|
||||
|
||||
const char *socket_ioerror(p_socket ps, int err) {
|
||||
(void) ps;
|
||||
return socket_strerror(err);
|
||||
}
|
||||
|
||||
const char *socket_gaistrerror(int err) {
|
||||
if (err == 0) return NULL;
|
||||
switch (err) {
|
||||
case EAI_AGAIN: return "temporary failure in name resolution";
|
||||
case EAI_BADFLAGS: return "invalid value for ai_flags";
|
||||
#ifdef EAI_BADHINTS
|
||||
case EAI_BADHINTS: return "invalid value for hints";
|
||||
#endif
|
||||
case EAI_FAIL: return "non-recoverable failure in name resolution";
|
||||
case EAI_FAMILY: return "ai_family not supported";
|
||||
case EAI_MEMORY: return "memory allocation failure";
|
||||
case EAI_NONAME:
|
||||
return "host or service not provided, or not known";
|
||||
case EAI_OVERFLOW: return "argument buffer overflow";
|
||||
#ifdef EAI_PROTOCOL
|
||||
case EAI_PROTOCOL: return "resolved protocol is unknown";
|
||||
#endif
|
||||
case EAI_SERVICE: return "service not supported for socket type";
|
||||
case EAI_SOCKTYPE: return "ai_socktype not supported";
|
||||
case EAI_SYSTEM: return strerror(errno);
|
||||
default: return gai_strerror(err);
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
#ifndef USOCKET_H
|
||||
#define USOCKET_H
|
||||
/*=========================================================================*\
|
||||
* Socket compatibilization module for Unix
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
|
||||
/*=========================================================================*\
|
||||
* BSD include files
|
||||
\*=========================================================================*/
|
||||
/* error codes */
|
||||
#include <errno.h>
|
||||
/* close function */
|
||||
#include <unistd.h>
|
||||
/* fnctnl function and associated constants */
|
||||
#include <fcntl.h>
|
||||
/* struct sockaddr */
|
||||
#include <sys/types.h>
|
||||
/* socket function */
|
||||
#include <sys/socket.h>
|
||||
/* struct timeval */
|
||||
#include <sys/time.h>
|
||||
/* gethostbyname and gethostbyaddr functions */
|
||||
#include <netdb.h>
|
||||
/* sigpipe handling */
|
||||
#include <signal.h>
|
||||
/* IP stuff*/
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
/* TCP options (nagle algorithm disable) */
|
||||
#include <netinet/tcp.h>
|
||||
#include <net/if.h>
|
||||
|
||||
#ifndef SOCKET_SELECT
|
||||
#include <sys/poll.h>
|
||||
#define WAITFD_R POLLIN
|
||||
#define WAITFD_W POLLOUT
|
||||
#define WAITFD_C (POLLIN|POLLOUT)
|
||||
#else
|
||||
#define WAITFD_R 1
|
||||
#define WAITFD_W 2
|
||||
#define WAITFD_C (WAITFD_R|WAITFD_W)
|
||||
#endif
|
||||
|
||||
#ifndef SO_REUSEPORT
|
||||
#define SO_REUSEPORT SO_REUSEADDR
|
||||
#endif
|
||||
|
||||
/* Some platforms use IPV6_JOIN_GROUP instead if
|
||||
* IPV6_ADD_MEMBERSHIP. The semantics are same, though. */
|
||||
#ifndef IPV6_ADD_MEMBERSHIP
|
||||
#ifdef IPV6_JOIN_GROUP
|
||||
#define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
|
||||
#endif /* IPV6_JOIN_GROUP */
|
||||
#endif /* !IPV6_ADD_MEMBERSHIP */
|
||||
|
||||
/* Same with IPV6_DROP_MEMBERSHIP / IPV6_LEAVE_GROUP. */
|
||||
#ifndef IPV6_DROP_MEMBERSHIP
|
||||
#ifdef IPV6_LEAVE_GROUP
|
||||
#define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
|
||||
#endif /* IPV6_LEAVE_GROUP */
|
||||
#endif /* !IPV6_DROP_MEMBERSHIP */
|
||||
|
||||
typedef int t_socket;
|
||||
typedef t_socket *p_socket;
|
||||
typedef struct sockaddr_storage t_sockaddr_storage;
|
||||
|
||||
#define SOCKET_INVALID (-1)
|
||||
|
||||
#endif /* USOCKET_H */
|
|
@ -0,0 +1,429 @@
|
|||
/*=========================================================================*\
|
||||
* Socket compatibilization module for Win32
|
||||
* LuaSocket toolkit
|
||||
*
|
||||
* The penalty of calling select to avoid busy-wait is only paid when
|
||||
* the I/O call fail in the first place.
|
||||
\*=========================================================================*/
|
||||
#include <string.h>
|
||||
|
||||
#include "socket.h"
|
||||
|
||||
/* WinSock doesn't have a strerror... */
|
||||
static const char *wstrerror(int err);
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Initializes module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_open(void) {
|
||||
WSADATA wsaData;
|
||||
WORD wVersionRequested = MAKEWORD(2, 0);
|
||||
int err = WSAStartup(wVersionRequested, &wsaData );
|
||||
if (err != 0) return 0;
|
||||
if ((LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0) &&
|
||||
(LOBYTE(wsaData.wVersion) != 1 || HIBYTE(wsaData.wVersion) != 1)) {
|
||||
WSACleanup();
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Close module
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_close(void) {
|
||||
WSACleanup();
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Wait for readable/writable/connected socket with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
|
||||
int ret;
|
||||
fd_set rfds, wfds, efds, *rp = NULL, *wp = NULL, *ep = NULL;
|
||||
struct timeval tv, *tp = NULL;
|
||||
double t;
|
||||
if (timeout_iszero(tm)) return IO_TIMEOUT; /* optimize timeout == 0 case */
|
||||
if (sw & WAITFD_R) {
|
||||
FD_ZERO(&rfds);
|
||||
FD_SET(*ps, &rfds);
|
||||
rp = &rfds;
|
||||
}
|
||||
if (sw & WAITFD_W) { FD_ZERO(&wfds); FD_SET(*ps, &wfds); wp = &wfds; }
|
||||
if (sw & WAITFD_C) { FD_ZERO(&efds); FD_SET(*ps, &efds); ep = &efds; }
|
||||
if ((t = timeout_get(tm)) >= 0.0) {
|
||||
tv.tv_sec = (int) t;
|
||||
tv.tv_usec = (int) ((t-tv.tv_sec)*1.0e6);
|
||||
tp = &tv;
|
||||
}
|
||||
ret = select(0, rp, wp, ep, tp);
|
||||
if (ret == -1) return WSAGetLastError();
|
||||
if (ret == 0) return IO_TIMEOUT;
|
||||
if (sw == WAITFD_C && FD_ISSET(*ps, &efds)) return IO_CLOSED;
|
||||
return IO_DONE;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Select with int timeout in ms
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_select(t_socket n, fd_set *rfds, fd_set *wfds, fd_set *efds,
|
||||
p_timeout tm) {
|
||||
struct timeval tv;
|
||||
double t = timeout_get(tm);
|
||||
tv.tv_sec = (int) t;
|
||||
tv.tv_usec = (int) ((t - tv.tv_sec) * 1.0e6);
|
||||
if (n <= 0) {
|
||||
Sleep((DWORD) (1000*t));
|
||||
return 0;
|
||||
} else return select(0, rfds, wfds, efds, t >= 0.0? &tv: NULL);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Close and inutilize socket
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_destroy(p_socket ps) {
|
||||
if (*ps != SOCKET_INVALID) {
|
||||
socket_setblocking(ps); /* close can take a long time on WIN32 */
|
||||
closesocket(*ps);
|
||||
*ps = SOCKET_INVALID;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
*
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_shutdown(p_socket ps, int how) {
|
||||
socket_setblocking(ps);
|
||||
shutdown(*ps, how);
|
||||
socket_setnonblocking(ps);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Creates and sets up a socket
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_create(p_socket ps, int domain, int type, int protocol) {
|
||||
*ps = socket(domain, type, protocol);
|
||||
if (*ps != SOCKET_INVALID) return IO_DONE;
|
||||
else return WSAGetLastError();
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Connects or returns error message
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_connect(p_socket ps, SA *addr, socklen_t len, p_timeout tm) {
|
||||
int err;
|
||||
/* don't call on closed socket */
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
/* ask system to connect */
|
||||
if (connect(*ps, addr, len) == 0) return IO_DONE;
|
||||
/* make sure the system is trying to connect */
|
||||
err = WSAGetLastError();
|
||||
if (err != WSAEWOULDBLOCK && err != WSAEINPROGRESS) return err;
|
||||
/* zero timeout case optimization */
|
||||
if (timeout_iszero(tm)) return IO_TIMEOUT;
|
||||
/* we wait until something happens */
|
||||
err = socket_waitfd(ps, WAITFD_C, tm);
|
||||
if (err == IO_CLOSED) {
|
||||
int len = sizeof(err);
|
||||
/* give windows time to set the error (yes, disgusting) */
|
||||
Sleep(10);
|
||||
/* find out why we failed */
|
||||
getsockopt(*ps, SOL_SOCKET, SO_ERROR, (char *)&err, &len);
|
||||
/* we KNOW there was an error. if 'why' is 0, we will return
|
||||
* "unknown error", but it's not really our fault */
|
||||
return err > 0? err: IO_UNKNOWN;
|
||||
} else return err;
|
||||
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Binds or returns error message
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_bind(p_socket ps, SA *addr, socklen_t len) {
|
||||
int err = IO_DONE;
|
||||
socket_setblocking(ps);
|
||||
if (bind(*ps, addr, len) < 0) err = WSAGetLastError();
|
||||
socket_setnonblocking(ps);
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
*
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_listen(p_socket ps, int backlog) {
|
||||
int err = IO_DONE;
|
||||
socket_setblocking(ps);
|
||||
if (listen(*ps, backlog) < 0) err = WSAGetLastError();
|
||||
socket_setnonblocking(ps);
|
||||
return err;
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Accept with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_accept(p_socket ps, p_socket pa, SA *addr, socklen_t *len,
|
||||
p_timeout tm) {
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
int err;
|
||||
/* try to get client socket */
|
||||
if ((*pa = accept(*ps, addr, len)) != SOCKET_INVALID) return IO_DONE;
|
||||
/* find out why we failed */
|
||||
err = WSAGetLastError();
|
||||
/* if we failed because there was no connectoin, keep trying */
|
||||
if (err != WSAEWOULDBLOCK && err != WSAECONNABORTED) return err;
|
||||
/* call select to avoid busy wait */
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Send with timeout
|
||||
* On windows, if you try to send 10MB, the OS will buffer EVERYTHING
|
||||
* this can take an awful lot of time and we will end up blocked.
|
||||
* Therefore, whoever calls this function should not pass a huge buffer.
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_send(p_socket ps, const char *data, size_t count,
|
||||
size_t *sent, p_timeout tm)
|
||||
{
|
||||
int err;
|
||||
*sent = 0;
|
||||
/* avoid making system calls on closed sockets */
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
/* loop until we send something or we give up on error */
|
||||
for ( ;; ) {
|
||||
/* try to send something */
|
||||
int put = send(*ps, data, (int) count, 0);
|
||||
/* if we sent something, we are done */
|
||||
if (put > 0) {
|
||||
*sent = put;
|
||||
return IO_DONE;
|
||||
}
|
||||
/* deal with failure */
|
||||
err = WSAGetLastError();
|
||||
/* we can only proceed if there was no serious error */
|
||||
if (err != WSAEWOULDBLOCK) return err;
|
||||
/* avoid busy wait */
|
||||
if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Sendto with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_sendto(p_socket ps, const char *data, size_t count, size_t *sent,
|
||||
SA *addr, socklen_t len, p_timeout tm)
|
||||
{
|
||||
int err;
|
||||
*sent = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
int put = sendto(*ps, data, (int) count, 0, addr, len);
|
||||
if (put > 0) {
|
||||
*sent = put;
|
||||
return IO_DONE;
|
||||
}
|
||||
err = WSAGetLastError();
|
||||
if (err != WSAEWOULDBLOCK) return err;
|
||||
if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Receive with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_recv(p_socket ps, char *data, size_t count, size_t *got,
|
||||
p_timeout tm)
|
||||
{
|
||||
int err, prev = IO_DONE;
|
||||
*got = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
int taken = recv(*ps, data, (int) count, 0);
|
||||
if (taken > 0) {
|
||||
*got = taken;
|
||||
return IO_DONE;
|
||||
}
|
||||
if (taken == 0) return IO_CLOSED;
|
||||
err = WSAGetLastError();
|
||||
/* On UDP, a connreset simply means the previous send failed.
|
||||
* So we try again.
|
||||
* On TCP, it means our socket is now useless, so the error passes.
|
||||
* (We will loop again, exiting because the same error will happen) */
|
||||
if (err != WSAEWOULDBLOCK) {
|
||||
if (err != WSAECONNRESET || prev == WSAECONNRESET) return err;
|
||||
prev = err;
|
||||
}
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Recvfrom with timeout
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_recvfrom(p_socket ps, char *data, size_t count, size_t *got,
|
||||
SA *addr, socklen_t *len, p_timeout tm)
|
||||
{
|
||||
int err, prev = IO_DONE;
|
||||
*got = 0;
|
||||
if (*ps == SOCKET_INVALID) return IO_CLOSED;
|
||||
for ( ;; ) {
|
||||
int taken = recvfrom(*ps, data, (int) count, 0, addr, len);
|
||||
if (taken > 0) {
|
||||
*got = taken;
|
||||
return IO_DONE;
|
||||
}
|
||||
if (taken == 0) return IO_CLOSED;
|
||||
err = WSAGetLastError();
|
||||
/* On UDP, a connreset simply means the previous send failed.
|
||||
* So we try again.
|
||||
* On TCP, it means our socket is now useless, so the error passes.
|
||||
* (We will loop again, exiting because the same error will happen) */
|
||||
if (err != WSAEWOULDBLOCK) {
|
||||
if (err != WSAECONNRESET || prev == WSAECONNRESET) return err;
|
||||
prev = err;
|
||||
}
|
||||
if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
|
||||
}
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Put socket into blocking mode
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_setblocking(p_socket ps) {
|
||||
u_long argp = 0;
|
||||
ioctlsocket(*ps, FIONBIO, &argp);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Put socket into non-blocking mode
|
||||
\*-------------------------------------------------------------------------*/
|
||||
void socket_setnonblocking(p_socket ps) {
|
||||
u_long argp = 1;
|
||||
ioctlsocket(*ps, FIONBIO, &argp);
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* DNS helpers
|
||||
\*-------------------------------------------------------------------------*/
|
||||
int socket_gethostbyaddr(const char *addr, socklen_t len, struct hostent **hp) {
|
||||
*hp = gethostbyaddr(addr, len, AF_INET);
|
||||
if (*hp) return IO_DONE;
|
||||
else return WSAGetLastError();
|
||||
}
|
||||
|
||||
int socket_gethostbyname(const char *addr, struct hostent **hp) {
|
||||
*hp = gethostbyname(addr);
|
||||
if (*hp) return IO_DONE;
|
||||
else return WSAGetLastError();
|
||||
}
|
||||
|
||||
/*-------------------------------------------------------------------------*\
|
||||
* Error translation functions
|
||||
\*-------------------------------------------------------------------------*/
|
||||
const char *socket_hoststrerror(int err) {
|
||||
if (err <= 0) return io_strerror(err);
|
||||
switch (err) {
|
||||
case WSAHOST_NOT_FOUND: return "host not found";
|
||||
default: return wstrerror(err);
|
||||
}
|
||||
}
|
||||
|
||||
const char *socket_strerror(int err) {
|
||||
if (err <= 0) return io_strerror(err);
|
||||
switch (err) {
|
||||
case WSAEADDRINUSE: return "address already in use";
|
||||
case WSAECONNREFUSED: return "connection refused";
|
||||
case WSAEISCONN: return "already connected";
|
||||
case WSAEACCES: return "permission denied";
|
||||
case WSAECONNABORTED: return "closed";
|
||||
case WSAECONNRESET: return "closed";
|
||||
case WSAETIMEDOUT: return "timeout";
|
||||
default: return wstrerror(err);
|
||||
}
|
||||
}
|
||||
|
||||
const char *socket_ioerror(p_socket ps, int err) {
|
||||
(void) ps;
|
||||
return socket_strerror(err);
|
||||
}
|
||||
|
||||
static const char *wstrerror(int err) {
|
||||
switch (err) {
|
||||
case WSAEINTR: return "Interrupted function call";
|
||||
case WSAEACCES: return "Permission denied";
|
||||
case WSAEFAULT: return "Bad address";
|
||||
case WSAEINVAL: return "Invalid argument";
|
||||
case WSAEMFILE: return "Too many open files";
|
||||
case WSAEWOULDBLOCK: return "Resource temporarily unavailable";
|
||||
case WSAEINPROGRESS: return "Operation now in progress";
|
||||
case WSAEALREADY: return "Operation already in progress";
|
||||
case WSAENOTSOCK: return "Socket operation on nonsocket";
|
||||
case WSAEDESTADDRREQ: return "Destination address required";
|
||||
case WSAEMSGSIZE: return "Message too long";
|
||||
case WSAEPROTOTYPE: return "Protocol wrong type for socket";
|
||||
case WSAENOPROTOOPT: return "Bad protocol option";
|
||||
case WSAEPROTONOSUPPORT: return "Protocol not supported";
|
||||
case WSAESOCKTNOSUPPORT: return "Socket type not supported";
|
||||
case WSAEOPNOTSUPP: return "Operation not supported";
|
||||
case WSAEPFNOSUPPORT: return "Protocol family not supported";
|
||||
case WSAEAFNOSUPPORT:
|
||||
return "Address family not supported by protocol family";
|
||||
case WSAEADDRINUSE: return "Address already in use";
|
||||
case WSAEADDRNOTAVAIL: return "Cannot assign requested address";
|
||||
case WSAENETDOWN: return "Network is down";
|
||||
case WSAENETUNREACH: return "Network is unreachable";
|
||||
case WSAENETRESET: return "Network dropped connection on reset";
|
||||
case WSAECONNABORTED: return "Software caused connection abort";
|
||||
case WSAECONNRESET: return "Connection reset by peer";
|
||||
case WSAENOBUFS: return "No buffer space available";
|
||||
case WSAEISCONN: return "Socket is already connected";
|
||||
case WSAENOTCONN: return "Socket is not connected";
|
||||
case WSAESHUTDOWN: return "Cannot send after socket shutdown";
|
||||
case WSAETIMEDOUT: return "Connection timed out";
|
||||
case WSAECONNREFUSED: return "Connection refused";
|
||||
case WSAEHOSTDOWN: return "Host is down";
|
||||
case WSAEHOSTUNREACH: return "No route to host";
|
||||
case WSAEPROCLIM: return "Too many processes";
|
||||
case WSASYSNOTREADY: return "Network subsystem is unavailable";
|
||||
case WSAVERNOTSUPPORTED: return "Winsock.dll version out of range";
|
||||
case WSANOTINITIALISED:
|
||||
return "Successful WSAStartup not yet performed";
|
||||
case WSAEDISCON: return "Graceful shutdown in progress";
|
||||
case WSAHOST_NOT_FOUND: return "Host not found";
|
||||
case WSATRY_AGAIN: return "Nonauthoritative host not found";
|
||||
case WSANO_RECOVERY: return "Nonrecoverable name lookup error";
|
||||
case WSANO_DATA: return "Valid name, no data record of requested type";
|
||||
default: return "Unknown error";
|
||||
}
|
||||
}
|
||||
|
||||
const char *socket_gaistrerror(int err) {
|
||||
if (err == 0) return NULL;
|
||||
switch (err) {
|
||||
case EAI_AGAIN: return "temporary failure in name resolution";
|
||||
case EAI_BADFLAGS: return "invalid value for ai_flags";
|
||||
#ifdef EAI_BADHINTS
|
||||
case EAI_BADHINTS: return "invalid value for hints";
|
||||
#endif
|
||||
case EAI_FAIL: return "non-recoverable failure in name resolution";
|
||||
case EAI_FAMILY: return "ai_family not supported";
|
||||
case EAI_MEMORY: return "memory allocation failure";
|
||||
case EAI_NONAME:
|
||||
return "host or service not provided, or not known";
|
||||
#ifdef EAI_OVERFLOW
|
||||
case EAI_OVERFLOW: return "argument buffer overflow";
|
||||
#endif
|
||||
#ifdef EAI_PROTOCOL
|
||||
case EAI_PROTOCOL: return "resolved protocol is unknown";
|
||||
#endif
|
||||
case EAI_SERVICE: return "service not supported for socket type";
|
||||
case EAI_SOCKTYPE: return "ai_socktype not supported";
|
||||
#ifdef EAI_SYSTEM
|
||||
case EAI_SYSTEM: return strerror(errno);
|
||||
#endif
|
||||
default: return gai_strerror(err);
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
#ifndef WSOCKET_H
|
||||
#define WSOCKET_H
|
||||
/*=========================================================================*\
|
||||
* Socket compatibilization module for Win32
|
||||
* LuaSocket toolkit
|
||||
\*=========================================================================*/
|
||||
|
||||
/*=========================================================================*\
|
||||
* WinSock include files
|
||||
\*=========================================================================*/
|
||||
#include <winsock2.h>
|
||||
#include <ws2tcpip.h>
|
||||
|
||||
typedef int socklen_t;
|
||||
typedef SOCKADDR_STORAGE t_sockaddr_storage;
|
||||
typedef SOCKET t_socket;
|
||||
typedef t_socket *p_socket;
|
||||
|
||||
#define WAITFD_R 1
|
||||
#define WAITFD_W 2
|
||||
#define WAITFD_E 4
|
||||
#define WAITFD_C (WAITFD_E|WAITFD_W)
|
||||
|
||||
#ifndef IPV6_V6ONLY
|
||||
#define IPV6_V6ONLY 27
|
||||
#endif
|
||||
|
||||
#define SOCKET_INVALID (INVALID_SOCKET)
|
||||
|
||||
#ifndef SO_REUSEPORT
|
||||
#define SO_REUSEPORT SO_REUSEADDR
|
||||
#endif
|
||||
|
||||
#ifndef AI_NUMERICSERV
|
||||
#define AI_NUMERICSERV (0)
|
||||
#endif
|
||||
|
||||
#endif /* WSOCKET_H */
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue