From avodonosov at common-lisp.net Sat Nov 1 02:56:07 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 02:56:07 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv14721 Modified Files: streams.lisp Log Message: CLISP compilation error suggested by Luis Oliveira: http://common-lisp.net/pipermail/cl-plus-ssl-devel/2008-September/000137.html --- /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/10/27 10:03:59 1.13 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/11/01 02:56:07 1.14 @@ -165,8 +165,14 @@ #+clozure-common-lisp (defun install-nonblock-flag (fd) - (ccl::fd-set-flags fd (logior (ccl::fd-get-flags fd) #$O_NONBLOCK))) - + (ccl::fd-set-flags fd (logior (ccl::fd-get-flags fd) + #.(read-from-string "#$O_NONBLOCK")))) + ;; read-from-string is necessary because + ;; CLISP and perhaps other Lisps are confused + ;; by #$, signaling"undefined dispatch character $", + ;; even though the defun in conditionalized by + ;; #+clozure-common-lisp + #+(and sbcl (not win32)) (defun install-nonblock-flag (fd) (sb-posix:fcntl fd From avodonosov at common-lisp.net Sat Nov 1 03:13:23 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 03:13:23 +0000 Subject: [cl-plus-ssl-cvs] CVS trivial-gray-streams Message-ID: Update of /project/cl-plus-ssl/cvsroot/trivial-gray-streams In directory cl-net:/tmp/cvs-serv17925 Modified Files: mixin.lisp Log Message: better CLISP support for stream-read-sequence, stream-write-sequence --- /project/cl-plus-ssl/cvsroot/trivial-gray-streams/mixin.lisp 2008/09/10 16:36:29 1.6 +++ /project/cl-plus-ssl/cvsroot/trivial-gray-streams/mixin.lisp 2008/11/01 03:13:22 1.7 
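Review bot: the comment added to `install-nonblock-flag` in streams.lisp carries two typos that will be committed as-is: `signaling"undefined dispatch character $"` lacks a space before the opening quote, and `the defun in conditionalized by` should read `the defun is conditionalized by`. The `#.(read-from-string "#$O_NONBLOCK")` workaround itself is sound: when the `#+clozure-common-lisp` test fails the reader skips the form with `*read-suppress*` bound, so `#.` returns without evaluating and CLISP's reader never sees `#$`; under Clozure the `read-from-string` runs at read time in the current package, which is what `#$` needs. What the hunk still leaves open is that the result of `ccl::fd-set-flags` is discarded, so if the underlying `fcntl` fails the descriptor silently stays blocking; re-read the flags with `ccl::fd-get-flags` after the call and signal when `O_NONBLOCK` is not set, matching the explicit error handling the rest of the file expects from stream setup.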
@@ -69,8 +69,38 @@ ((s trivial-gray-stream-mixin) seq start end) (stream-write-sequence s seq start end))) +;; up to version 2.43 there were no +;; stream-read-sequence, stream-write-sequence +;; functions in CLISP +#+clisp +(eval-when (:compile-toplevel :load-toplevel :execute) + (when (find-symbol "STREAM-READ-SEQUENCE" "GRAY") + (pushnew :clisp-has-stream-read/write-sequence *features*))) + #+clisp (progn + + #+clisp-has-stream-read/write-sequence + (defmethod gray:stream-read-sequence + (seq (s trivial-gray-stream-mixin) &key start end) + (stream-read-sequence s seq (or start 0) (or end (length seq)))) + + #+clisp-has-stream-read/write-sequence + (defmethod gray:stream-write-sequence + (seq (s trivial-gray-stream-mixin) &key start end) + (stream-write-sequence s seq (or start 0) (or end (length seq)))) + + ;; Even despite the stream-read/write-sequence are present in newer + ;; CLISP, it's better to provide stream-(read/write)-(byte/char)-sequence + ;; methods too. + ;; Example: if fundamental-binary-input-stream comes in the + ;; class precedence list of your user-defined stream before + ;; the trivial-gray-steam-mixin, the default CLISP's implementation + ;; of the gray:stream-read-sequence will be used; and this default + ;; implementation calls the gray:stream-read-byte-sequence. + ;; Therefore we override gray:stream-read-byte-sequence and call + ;; our stream-read-sequence. + (defmethod gray:stream-read-byte-sequence ((s trivial-gray-stream-mixin) seq From avodonosov at common-lisp.net Sat Nov 1 05:02:03 2008 
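Review bot: in mixin.lisp the probe `(find-symbol "STREAM-READ-SEQUENCE" "GRAY")` only establishes that the symbol is interned in GRAY, not that it names a generic function, so a CLISP build in which the symbol exists but is not `fboundp` would still push `:clisp-has-stream-read/write-sequence` and then fail at the `defmethod gray:stream-read-sequence` form. Probe with `(let ((sym (find-symbol "STREAM-READ-SEQUENCE" "GRAY"))) (when (and sym (fboundp sym)) (pushnew ...)))`. The comment should also say that, because the `pushnew` sits inside `(eval-when (:compile-toplevel :load-toplevel :execute) ...)`, the keyword lands in `*features*` of every image that loads the fasl, not only at compile time, which is what the later `#+clisp-has-stream-read/write-sequence` reads rely on. The `(or start 0)` / `(or end (length seq))` defaults are correct: CLISP's `gray:stream-read-sequence` takes `&key start end` that may arrive as NIL, while the mixin's own `stream-read-sequence` takes them as required positionals.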
From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 05:02:03 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv6587 Modified Files: ffi-buffer-clisp.lisp Log Message: native buffer and lisp vector. http://common-lisp.net/pipermail/cl-plus-ssl-devel/2008-June/000131.html --- /project/cl-plus-ssl/cvsroot/cl+ssl/ffi-buffer-clisp.lisp 2007/07/07 15:25:09 1.1 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/ffi-buffer-clisp.lisp 2008/11/01 05:02:01 1.2 @@ -13,13 +13,27 @@ (setf (ffi:memory-as buf 'ffi:uint8 index) val)) (defsetf buffer-elt set-buffer-elt) -(defun v/b-replace (vec buf &key (start1 0) end1 (start2 0) (end2 +initial-buffer-size+)) +(declaim + (inline calc-buf-end)) + +;; to calculate non NIL value of the buffer end index +(defun calc-buf-end (buf-start vec vec-start vec-end) + (+ buf-start + (- (or vec-end (length vec)) + vec-start))) + +(defun v/b-replace (vec buf &key (start1 0) end1 (start2 0) end2) + (when (null end2) + (setf end2 (calc-buf-end start2 vec start1 end1))) (replace vec (ffi:memory-as buf (ffi:parse-c-type `(ffi:c-array ffi:uint8 ,(- end2 start2))) start2) :start1 start1 :end1 end1)) -(defun b/v-replace (buf vec &key (start1 0) (end1 +initial-buffer-size+) (start2 0) end2) + +(defun b/v-replace (buf vec &key (start1 0) end1 (start2 0) end2) + (when (null end1) + (setf end1 (calc-buf-end start1 vec start2 end2))) (setf (ffi:memory-as buf (ffi:parse-c-type `(ffi:c-array ffi:uint8 ,(- end1 start1))) start1) (subseq vec start2 end2))) From avodonosov at common-lisp.net Sat Nov 1 05:13:53 2008 
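Review bot: the ffi-buffer-clisp.lisp hunk removes the only bound on the native buffer. Previously `end2` in `v/b-replace` and `end1` in `b/v-replace` defaulted to `+initial-buffer-size+`; now `calc-buf-end` derives them from the Lisp vector's length, so `b/v-replace` called with a vector longer than the foreign buffer computes `end1` past the allocation and `(setf (ffi:memory-as buf (ffi:parse-c-type `(ffi:c-array ffi:uint8 ,(- end1 start1))) start1) ...)` writes beyond `buf`; the mirror-image read in `v/b-replace` over-reads it. Keep an explicit check against the buffer's real size, for example `(assert (<= end1 +initial-buffer-size+))` if that constant is still the allocation size, or pass the buffer length in as a parameter. Separately, when a caller supplies both `end1` and `end2` and `(- end1 start1)` differs from `(- end2 start2)`, the `c-array` length and the `(subseq vec start2 end2)` length disagree; an `(assert (= (- end1 start1) (- end2 start2)))` would make the contract explicit instead of leaving it to `ffi:memory-as`.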
From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 05:13:53 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv13125 Modified Files: index.html Log Message: fix anonymous CVS shell command in docs --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/03/07 21:28:49 1.15 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:13:53 1.16 @@ -34,7 +34,7 @@

Anonymous CVS (browse):

-
$ cvs -d :pserver:anonymous:anonymous at common-lisp.net:/project/cl-plus-ssl/cvsroot cl+ssl
+
$ cvs -z3 -d :pserver:anonymous:anonymous at common-lisp.net:/project/cl-plus-ssl/cvsroot co cl+ssl

Tarballs From avodonosov at common-lisp.net Sat Nov 1 05:15:28 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 05:15:28 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv13378 Modified Files: index.html Log Message: mark ECL as working in the docs --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:13:53 1.16 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:15:27 1.17 @@ -166,6 +166,7 @@ CMU CLWorking CLISPWorking LispWorksWorking + ECLWorking Allegro Broken @@ -174,7 +175,6 @@ Corman CLUnknown Digitool MCLUnknown Scieneer CLUnknown - ECLUnknown GCLUnknown From avodonosov at common-lisp.net Sat Nov 1 05:18:43 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Sat, 01 Nov 2008 05:18:43 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv13658 Modified Files: index.html Log Message: rollback previous change (marking ECL as supported in the docs) --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:15:27 1.17 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:18:43 1.18 @@ -166,7 +166,6 @@ CMU CLWorking CLISPWorking LispWorksWorking - ECLWorking Allegro Broken @@ -175,6 +174,7 @@ Corman CLUnknown Digitool MCLUnknown Scieneer CLUnknown + ECLUnknown GCLUnknown From avodonosov at common-lisp.net Mon Nov 3 09:21:16 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 09:21:16 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv2656 Modified Files: package.lisp Log Message: formatting fix --- /project/cl-plus-ssl/cvsroot/cl+ssl/package.lisp 2007/07/07 16:26:11 1.3 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/package.lisp 2008/11/03 09:21:16 1.4 
@@ -10,6 +10,6 @@ (:use :common-lisp :trivial-gray-streams) (:export #:ensure-initialized #:reload - #:stream-fd - #:make-ssl-client-stream + #:stream-fd + #:make-ssl-client-stream #:make-ssl-server-stream)) From avodonosov at common-lisp.net Mon Nov 3 09:25:39 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 09:25:39 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv3108 Modified Files: ffi.lisp index.html streams.lisp Log Message: Support for encrypted keys, thanks to Vsevolod Dyomkin. --- /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/04/17 20:58:29 1.8 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 09:25:39 1.9 @@ -196,6 +196,10 @@ (larg :long) (parg :long)) +(cffi:defcfun ("SSL_CTX_set_default_passwd_cb" ssl-ctx-set-default-passwd-cb) + :void + (ctx ssl-ctx) + (pem_passwd_cb :pointer)) ;;; Funcall wrapper ;;; 
@@ -318,6 +322,35 @@ (defun ssl-ctx-set-session-cache-mode (ctx mode) (ssl-ctx-ctrl ctx +SSL_CTRL_SET_SESS_CACHE_MODE+ mode 0)) +;;;;; Encrypted PEM files support + +;; see http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html + +(defvar *pem-password* "" + "The callback registered with SSL_CTX_set_default_passwd_cb +will use this value.") + +;; The callback itself +(cffi:defcallback pem-password-callback :int + ((buf :pointer) (size :int) (rwflag :int) (unused :pointer)) + (let* ((password-str (coerce *pem-password* 'base-string)) + (tmp (cffi:foreign-string-alloc password-str))) + (cffi:foreign-funcall "strncpy" + :pointer buf + :pointer tmp + :int size) + (cffi:foreign-string-free tmp) + (setf (cffi:mem-ref buf :char (1- size)) 0) + (cffi:foreign-funcall "strlen" :pointer buf :int))) + +;; The macro to be used by other code to provide password +;; when loading PEM file. +(defmacro with-pem-password ((password) &body body) + `(let ((*pem-password* (or ,password ""))) + , at body)) + +;;;;; Initialization + (defun initialize (&optional (method 'ssl-v23-method)) (setf *bio-lisp-method* (make-bio-lisp-method)) (ssl-load-error-strings) @@ -325,7 +358,9 @@ (init-prng) (setf *ssl-global-method* (funcall method)) (setf *ssl-global-context* (ssl-ctx-new *ssl-global-method*)) - (ssl-ctx-set-session-cache-mode *ssl-global-context* 3)) + (ssl-ctx-set-session-cache-mode *ssl-global-context* 3) + (ssl-ctx-set-default-passwd-cb *ssl-global-context* + (cffi:callback pem-password-callback))) (defun ensure-initialized (&optional (method 'ssl-v23-method)) (unless (ssl-initialized-p) --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/01 05:18:43 1.18 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 09:25:39 1.19 @@ -94,8 +94,8 @@
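Review bot: in `pem-password-callback`, `(coerce *pem-password* 'base-string)` signals a type error for any passphrase containing a non-`base-char` character on implementations with a distinct base-string type, and it is unnecessary because `cffi:foreign-string-alloc` encodes the Lisp string itself; drop the coerce or document that passphrases must be ASCII. The `strncpy` bounded by `size` followed by `(setf (cffi:mem-ref buf :char (1- size)) 0)` silently truncates a passphrase longer than `size - 1` bytes, after which the key simply fails to decrypt with no hint why; compare the encoded length with `size` and signal when it does not fit (and guard `size` of 0, which would write to `buf[-1]`). `tmp` is released with `cffi:foreign-string-free` without being overwritten, leaving a copy of the passphrase in freed foreign memory; zero it with `memset` through `cffi:foreign-funcall` before freeing. `strlen` returns `size_t`, so declaring its result `:int` is a narrowing worth a comment. Finally, `, at body` in `with-pem-password` is the archive's rendering of `,@body`, which is what the source must contain.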

API functions

-

Function CL+SSL:MAKE-SSL-CLIENT-STREAM (fd-or-stream &key external-format certificate key close-callback (unwrap-streams-p t))

- Function CL+SSL:MAKE-SSL-SERVER-STREAM (fd-or-stream &key external-format certificate key close-callback (unwrap-streams-p t))
+
Function CL+SSL:MAKE-SSL-CLIENT-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))

+ Function CL+SSL:MAKE-SSL-SERVER-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))
Return an SSL stream for the client (server) socket fd-or-stream. All reads and writes to this stream will be pushed through the OpenSSL library. @@ -121,8 +121,11 @@

certificate is the path to a file containing the PEM-encoded - certificate for your client. key is the path to the PEM-encoded - key for the client, which must not be associated with a passphrase. + certificate. +

+

+ key is the path to the PEM-encoded key, which may be associated + with the passphrase password.

If external-format is nil (the default), a plain @@ -194,13 +197,16 @@

  • Support for I/O deadlines (Clozure CL and SBCL).
  • +
  • + Support for encrypted keys, thanks to Vsevolod Dyomkin. +
  • 2007-xx-yy

    • - Fixed windows support, thanks to Matthew Kennedy and Vodonosov Anton. + Fixed windows support, thanks to Matthew Kennedy and Anton Vodonosov.

    --- /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/11/01 02:56:07 1.14 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/11/03 09:25:39 1.15 @@ -226,12 +226,12 @@ ;; fixme: free the context when errors happen in this function (defun make-ssl-client-stream - (socket &key certificate key (method 'ssl-v23-method) external-format + (socket &key certificate key password (method 'ssl-v23-method) external-format close-callback (unwrap-stream-p t)) "Returns an SSL stream for the client socket descriptor SOCKET. CERTIFICATE is the path to a file containing the PEM-encoded certificate for your client. KEY is the path to the PEM-encoded key for the client, which -must not be associated with a passphrase." +may be associated with the passphrase PASSWORD." (ensure-initialized method) (let ((stream (make-instance 'ssl-stream :socket socket @@ -239,18 +239,19 @@ (handle (ssl-new *ssl-global-context*))) (setf socket (install-handle-and-bio stream handle socket unwrap-stream-p)) (ssl-set-connect-state handle) - (install-key-and-cert handle key certificate) + (with-pem-password (password) + (install-key-and-cert handle key certificate)) (ensure-ssl-funcall stream handle #'ssl-connect handle) (handle-external-format stream external-format))) ;; fixme: free the context when errors happen in this function (defun make-ssl-server-stream - (socket &key certificate key (method 'ssl-v23-method) external-format + (socket &key certificate key password (method 'ssl-v23-method) external-format close-callback (unwrap-stream-p t)) "Returns an SSL stream for the server socket descriptor SOCKET. CERTIFICATE is the path to a file containing the PEM-encoded certificate for your server. KEY is the path to the PEM-encoded key for the server, which -must not be associated with a passphrase." +may be associated with the passphrase PASSWORD." (ensure-initialized method) (let ((stream (make-instance 'ssl-server-stream :socket socket 
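Review bot: wrapping `install-key-and-cert` in `(with-pem-password (password) ...)` is the right shape, since OpenSSL invokes the password callback synchronously on the calling thread while the key file is read, so a dynamic binding of `*pem-password*` is seen by the callback and undone on unwind. The new docstring text, "may be associated with the passphrase PASSWORD", should also say what happens when the passphrase is absent or wrong: with `*pem-password*` defaulting to `""` the callback copies an empty string and returns 0, OpenSSL refuses the key, and the failure surfaces as whatever `install-key-and-cert` signals rather than as a distinct condition. The pre-existing `;; fixme: free the context when errors happen in this function` now also covers the decrypt-failure path.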
@@ -262,7 +263,8 @@ (ssl-set-accept-state handle) (when (zerop (ssl-set-cipher-list handle "ALL")) (error 'ssl-error-initialize :reason "Can't set SSL cipher list")) - (install-key-and-cert handle key certificate) + (with-pem-password (password) + (install-key-and-cert handle key certificate)) (ensure-ssl-funcall stream handle #'ssl-accept handle) (handle-external-format stream external-format))) From avodonosov at common-lisp.net Mon Nov 3 17:36:48 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 17:36:48 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv9144 Modified Files: ffi.lisp Log Message: better formatting/comments --- /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 09:25:39 1.9 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 17:36:46 1.10 @@ -307,24 +307,10 @@ (warn "non-blocking stream encountered unexpectedly")) -;;; Initialization +;;; Encrypted PEM files support ;;; -(defun init-prng () - ;; this initialization of random entropy is not necessary on - ;; Linux, since the OpenSSL library automatically reads from - ;; /dev/urandom if it exists. On Solaris it is necessary. - (let ((buf (cffi-sys::make-shareable-byte-vector +random-entropy+))) - (dotimes (i +random-entropy+) - (setf (elt buf i) (random 256))) - (cffi-sys::with-pointer-to-vector-data (ptr buf) - (rand-seed ptr +random-entropy+)))) -(defun ssl-ctx-set-session-cache-mode (ctx mode) - (ssl-ctx-ctrl ctx +SSL_CTRL_SET_SESS_CACHE_MODE+ mode 0)) - -;;;;; Encrypted PEM files support - -;; see http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html +;; based on http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html (defvar *pem-password* "" "The callback registered with SSL_CTX_set_default_passwd_cb 
@@ -349,7 +335,21 @@ `(let ((*pem-password* (or ,password ""))) , at body)) -;;;;; Initialization + +;;; Initialization +;;; +(defun init-prng () + ;; this initialization of random entropy is not necessary on + ;; Linux, since the OpenSSL library automatically reads from + ;; /dev/urandom if it exists. On Solaris it is necessary. + (let ((buf (cffi-sys::make-shareable-byte-vector +random-entropy+))) + (dotimes (i +random-entropy+) + (setf (elt buf i) (random 256))) + (cffi-sys::with-pointer-to-vector-data (ptr buf) + (rand-seed ptr +random-entropy+)))) + +(defun ssl-ctx-set-session-cache-mode (ctx mode) + (ssl-ctx-ctrl ctx +SSL_CTRL_SET_SESS_CACHE_MODE+ mode 0)) (defun initialize (&optional (method 'ssl-v23-method)) (setf *bio-lisp-method* (make-bio-lisp-method)) From avodonosov at common-lisp.net Mon Nov 3 17:58:46 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 17:58:46 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv12960 Modified Files: ffi.lisp index.html package.lisp Log Message: Certificate chains support, thanks to Juhani Rankimies --- /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 17:36:46 1.10 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 17:58:45 1.11 @@ -176,6 +176,10 @@ (ssl ssl-pointer) (str :string) (type :int)) +(cffi:defcfun ("SSL_CTX_use_certificate_chain_file" ssl-ctx-use-certificate-chain-file) + :int + (ctx ssl-ctx) + (str :string)) (cffi:defcfun ("SSL_CTX_load_verify_locations" ssl-ctx-load-verify-locations) :int (ctx ssl-ctx) 
@@ -368,6 +372,16 @@ (unless *bio-lisp-method* (setf *bio-lisp-method* (make-bio-lisp-method)))) +(defun use-certificate-chain-file (certificate-chain-file) + "Loads a PEM encoded certificate chain file CERTIFICATE-CHAIN-FILE +and adds the chain to global context. The certificates must be sorted +starting with the subject's certificate (actual client or server certificate), +followed by intermediate CA certificates if applicable, and ending at +the highest level (root) CA. Note: the RELOAD function clears the global +context and in particular the loaded certificate chain." + (ensure-initialized) + (ssl-ctx-use-certificate-chain-file *ssl-global-context* certificate-chain-file)) + (defun reload () (cffi:load-foreign-library 'libssl) (cffi:load-foreign-library 'libeay32) --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 09:25:39 1.19 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 17:58:45 1.20 @@ -1,4 +1,4 @@ - + @@ -123,8 +123,8 @@ certificate is the path to a file containing the PEM-encoded certificate.
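Review bot: `use-certificate-chain-file` hands back the raw result of `SSL_CTX_use_certificate_chain_file` (1 on success, 0 on failure) instead of checking it, so a missing or mis-ordered chain file is silently ignored and the context keeps whatever certificate it had. Follow the pattern streams.lisp uses for the cipher list, `(when (zerop ...) (error 'ssl-error-initialize :reason ...))`, and signal on zero. The docstring should also state that the chain goes into `*ssl-global-context*` and is therefore presented by every stream created afterwards, client and server alike, until `reload` clears it, and how it relates to the per-stream `certificate`/`key` arguments, which `install-key-and-cert` sets on the individual SSL handle and which override the context's certificate for that stream.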

    -

    - key is the path to the PEM-encoded key, which may be associated +

    + key is the path to the PEM-encoded key, which may be associated with the passphrase password.

    @@ -135,6 +135,18 @@ as its initial external format.

    +

    Function CL+SSL:USE-CERTIFICATE-CHAIN-FILE (certificate-chain-file)
    + Loads a PEM encoded certificate chain file CERTIFICATE-CHAIN-FILE + and adds the chain to global context. The certificates must be sorted + starting with the subject's certificate (actual client or server certificate), + followed by intermediate CA certificates if applicable, and ending at + the highest level (root) CA. +

    +

    + Note: the RELOAD function clears the global + context and in particular the loaded certificate chain. +

    +

    Function CL+SSL:RELOAD ()
    Reload libssl. Call this function after restarting a Lisp core with CL+SSL dumped into it on Lisp implementations that do @@ -200,6 +212,9 @@
  • Support for encrypted keys, thanks to Vsevolod Dyomkin.
  • +
  • + Chained certificates support, thanks to Juhani R??nkimies. +
  • 2007-xx-yy --- /project/cl-plus-ssl/cvsroot/cl+ssl/package.lisp 2008/11/03 09:21:16 1.4 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/package.lisp 2008/11/03 17:58:45 1.5 @@ -12,4 +12,5 @@ #:reload #:stream-fd #:make-ssl-client-stream - #:make-ssl-server-stream)) + #:make-ssl-server-stream + #:use-certificate-chain-file)) From avodonosov at common-lisp.net Mon Nov 3 18:35:39 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 18:35:39 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv21042 Modified Files: index.html Log Message: add utf-8 charset declaration to the index.html --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 17:58:45 1.20 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 18:35:39 1.21 @@ -2,6 +2,7 @@ + . CL+SSL From avodonosov at common-lisp.net Mon Nov 3 18:50:17 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 18:50:17 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv24486 Modified Files: index.html Log Message: index.html: back to iso-8859-1 --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 18:35:39 1.21 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 18:50:17 1.22 @@ -1,8 +1,7 @@ - + - . CL+SSL @@ -214,7 +213,7 @@ Support for encrypted keys, thanks to Vsevolod Dyomkin.

  • - Chained certificates support, thanks to Juhani R??nkimies. + Chained certificates support, thanks to Juhani R?nkimies.
  • From avodonosov at common-lisp.net Mon Nov 3 23:19:29 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Mon, 03 Nov 2008 23:19:29 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv11901 Modified Files: index.html Log Message: formatting fix --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 18:50:17 1.22 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 23:19:28 1.23 @@ -136,7 +136,7 @@

    Function CL+SSL:USE-CERTIFICATE-CHAIN-FILE (certificate-chain-file)
    - Loads a PEM encoded certificate chain file CERTIFICATE-CHAIN-FILE + Loads a PEM encoded certificate chain file certificate-chain-file and adds the chain to global context. The certificates must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at From avodonosov at common-lisp.net Tue Nov 4 00:25:52 2008 From: avodonosov at common-lisp.net (avodonosov) Date: Tue, 04 Nov 2008 00:25:52 +0000 Subject: [cl-plus-ssl-cvs] CVS cl+ssl Message-ID: Update of /project/cl-plus-ssl/cvsroot/cl+ssl In directory cl-net:/tmp/cvs-serv29000 Modified Files: ffi.lisp index.html streams.lisp Log Message: more secure initialization of OpenSSL random number generator --- /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/03 17:58:45 1.11 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/ffi.lisp 2008/11/04 00:25:52 1.12 @@ -25,8 +25,6 @@ ;;; Constants ;;; -(defconstant +random-entropy+ 256) - (defconstant +ssl-filetype-pem+ 1) (defconstant +ssl-filetype-asn1+ 2) (defconstant +ssl-filetype-default+ 3) 
@@ -342,33 +340,49 @@ ;;; Initialization ;;; -(defun init-prng () - ;; this initialization of random entropy is not necessary on - ;; Linux, since the OpenSSL library automatically reads from - ;; /dev/urandom if it exists. On Solaris it is necessary. - (let ((buf (cffi-sys::make-shareable-byte-vector +random-entropy+))) - (dotimes (i +random-entropy+) - (setf (elt buf i) (random 256))) + +(defun init-prng (seed-byte-sequence) + (let* ((length (length seed-byte-sequence)) + (buf (cffi-sys::make-shareable-byte-vector length))) + (dotimes (i length) + (setf (elt buf i) (elt seed-byte-sequence i))) (cffi-sys::with-pointer-to-vector-data (ptr buf) - (rand-seed ptr +random-entropy+)))) + (rand-seed ptr length)))) (defun ssl-ctx-set-session-cache-mode (ctx mode) (ssl-ctx-ctrl ctx +SSL_CTRL_SET_SESS_CACHE_MODE+ mode 0)) -(defun initialize (&optional (method 'ssl-v23-method)) +(defun initialize (&key (method 'ssl-v23-method) rand-seed) (setf *bio-lisp-method* (make-bio-lisp-method)) (ssl-load-error-strings) (ssl-library-init) - (init-prng) + (when rand-seed + (init-prng rand-seed)) (setf *ssl-global-method* (funcall method)) (setf *ssl-global-context* (ssl-ctx-new *ssl-global-method*)) (ssl-ctx-set-session-cache-mode *ssl-global-context* 3) (ssl-ctx-set-default-passwd-cb *ssl-global-context* (cffi:callback pem-password-callback))) -(defun ensure-initialized (&optional (method 'ssl-v23-method)) +(defun ensure-initialized (&key (method 'ssl-v23-method) (rand-seed nil)) + "In most cases you do *not* need to call this function, because it +is called automatically by all other functions. The only reason to +call it explicitly is to supply the RAND-SEED parameter. In this case +do it before calling any other functions. + +Just leave the default value for the METHOD parameter. + +RAND-SEED is an octet sequence to initialize OpenSSL random number generator. 
+On many platforms, including Linux and Windows, it may be leaved NIL (default), +because OpenSSL initializes the random number generator from OS specific service. +But for example on Solaris it may be necessary to supply this value. +The minimum length required by OpenSSL is 128 bits. +See ttp://www.openssl.org/support/faq.html#USER1 for details. + +Hint: do not use Common Lisp RANDOM function to generate the RAND-SEED, +because the function usually returns predictable values." (unless (ssl-initialized-p) - (initialize method)) + (initialize :method method :rand-seed rand-seed)) (unless *bio-lisp-method* (setf *bio-lisp-method* (make-bio-lisp-method)))) --- /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/03 23:19:28 1.23 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/index.html 2008/11/04 00:25:52 1.24 @@ -94,6 +94,30 @@
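Review bot: `RAND_seed` credits every byte it receives as full entropy, so the `ensure-initialized` docstring should say that `rand-seed` must come from an OS entropy source (the warning against `RANDOM` is good and should stay), and `initialize` should reject a seed shorter than the 128-bit minimum the docstring itself quotes, e.g. `(when (< (length rand-seed) 16) (error ...))`, instead of passing it through. Two further points: `ensure-initialized` silently drops `rand-seed` once `(ssl-initialized-p)` is true, so a caller who supplies a seed after other code has already initialized gets neither seeding nor a warning; at least warn, or seed unconditionally, since `RAND_seed` may be called repeatedly. And nothing checks whether OpenSSL considers its generator seeded after initialization; calling `RAND_status` and signaling when it returns 0 would make the Solaris case the docstring describes fail loudly instead of producing weak key material. Docstring typos: `ttp://www.openssl.org/support/faq.html#USER1` is missing the leading `h`, `may be leaved NIL` should be `may be left NIL`, and `initialize OpenSSL random number generator` wants `the`.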

    API functions

    +

    Function CL+SSL:ENSURE-INITIALIZED (&key (method 'ssl-v23-method) (rand-seed nil))
    + In most cases you do not need to call this function, because it is called + automatically. The only reason to call it explicitly is to supply the rand-seed parameter. + In this case do it before calling any other functions. +

    +

    + Keyword arguments: +

    +

    + method. Just leave its default value. +

    +

    + rand-seed is an octet sequence to initialize OpenSSL random number generator. + On many platforms, including Linux and Windows, it may be leaved NIL (default), + because OpenSSL initializes the random number generator from OS specific service. But for + example on Solaris it may be necessary to supply this value. The minimum length required + by OpenSSL is 128 bits. See here + http://www.openssl.org/support/faq.html#USER1 for the details. +

    +

    + Hint: do not use Common Lisp RANDOM function to generate the rand-seed, because the function + usually returns predictable values. +

    +

    Function CL+SSL:MAKE-SSL-CLIENT-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))

    Function CL+SSL:MAKE-SSL-SERVER-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))
    Return an SSL stream for the client (server) @@ -213,7 +237,13 @@ Support for encrypted keys, thanks to Vsevolod Dyomkin.
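Review bot: the index.html paragraph for `ENSURE-INITIALIZED` repeats the docstring's wording, so `may be leaved NIL (default)` should become `may be left NIL (the default)` here as well, and the sentence about the 128-bit minimum should add that OpenSSL treats the whole of `rand-seed` as entropy, which is the reason the `RANDOM` hint matters: a predictable seed is not merely weak, it is counted as if it were strong.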
  • - Chained certificates support, thanks to Juhani R?nkimies. + Chained certificates support, thanks to Juhani R?nkimies. +
  • +
  • + More secure initialization of OpenSSL random number generator. +
  • +
  • + Minor CLISP-specific fixes.
  • @@ -229,7 +259,7 @@

    • - Improved clisp support, thanks + Improved CLISP support, thanks to Pixel // pinterface, as well as client certificate support. --- /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/11/03 09:25:39 1.15 +++ /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp 2008/11/04 00:25:52 1.16 @@ -232,7 +232,7 @@ CERTIFICATE is the path to a file containing the PEM-encoded certificate for your client. KEY is the path to the PEM-encoded key for the client, which may be associated with the passphrase PASSWORD." - (ensure-initialized method) + (ensure-initialized :method method) (let ((stream (make-instance 'ssl-stream :socket socket :close-callback close-callback)) @@ -252,7 +252,7 @@ CERTIFICATE is the path to a file containing the PEM-encoded certificate for your server. KEY is the path to the PEM-encoded key for the server, which may be associated with the passphrase PASSWORD." - (ensure-initialized method) + (ensure-initialized :method method) (let ((stream (make-instance 'ssl-server-stream :socket socket :close-callback close-callback