#!/usr/local/bin/lua

--
-- Copyright (c) 2007, Cameron Rich
--
-- All rights reserved.
--
-- Redistribution and use in source and binary forms, with or without
-- modification, are permitted provided that the following conditions are met:
--
-- * Redistributions of source code must retain the above copyright notice,
--   this list of conditions and the following disclaimer.
-- * Redistributions in binary form must reproduce the above copyright
--   notice, this list of conditions and the following disclaimer in the
--   documentation and/or other materials provided with the distribution.
-- * Neither the name of the axTLS project nor the names of its
--   contributors may be used to endorse or promote products derived
--   from this software without specific prior written permission.
--
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
-- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
-- OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-- THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--

--
-- Demonstrate the use of the axTLS library in Lua with a set of 
-- command-line parameters similar to openssl. In fact, openssl clients 
-- should be able to communicate with axTLS servers and visa-versa.
--
-- This code has various bits enabled depending on the configuration. To enable
-- the most interesting version, compile with the 'full mode' enabled.
--
-- To see what options you have, run the following:
-- > [lua] axssl s_server -?
-- > [lua] axssl s_client -?
--
-- The axtls/axtlsl shared libraries must be in the same directory or be found 
-- by the OS.
--
--
require "bit"
require("axtlsl")
local socket = require("socket")

-- print version?
if #arg == 1 and arg[1] == "version" then
    print("axssl.lua "..axtlsl.ssl_version())
    os.exit(1)
end

--
-- We've had some sort of command-line error. Print out the basic options.
--
function print_options(option)
    print("axssl: Error: '"..option.."' is an invalid command.")
    print("usage: axssl [s_server|s_client|version] [args ...]")
    os.exit(1)
end

--
-- We've had some sort of command-line error. Print out the server options.
--
function print_server_options(build_mode, option)
    local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
    local ca_cert_size = axtlsl.ssl_get_config(
            axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)

    print("unknown option "..option)
    print("usage: s_server [args ...]")
    print(" -accept\t- port to accept on (default is 4433)")
    print(" -quiet\t\t- No server output")

    if build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
        print(" -cert arg\t- certificate file to add (in addition to "..
                "default) to chain -")
        print("\t\t  Can repeat up to "..cert_size.." times")
        print(" -key arg\t- Private key file to use - default DER format")
        print(" -pass\t\t- private key file pass phrase source")
    end

    if build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
        print(" -verify\t- turn on peer certificate verification")
        print(" -CAfile arg\t- Certificate authority - default DER format")
        print("\t\t  Can repeat up to "..ca_cert_size.." times")
    end

    if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
        print(" -debug\t\t- Print more output")
        print(" -state\t\t- Show state messages")
        print(" -show-rsa\t- Show RSA state")
    end

    os.exit(1)
end

--
-- We've had some sort of command-line error. Print out the client options.
--
function print_client_options(build_mode, option)
    local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
    local ca_cert_size = axtlsl.ssl_get_config(
            axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)

    print("unknown option "..option)

    if build_mode >= axtlsl.SSL_BUILD_ENABLE_CLIENT then
        print("usage: s_client [args ...]")
        print(" -connect host:port - who to connect to (default "..
                "is localhost:4433)")
        print(" -verify\t- turn on peer certificate verification")
        print(" -cert arg\t- certificate file to use - default DER format")
        print(" -key arg\t- Private key file to use - default DER format")
        print("\t\t  Can repeat up to "..cert_size.." times")
        print(" -CAfile arg\t- Certificate authority - default DER format")
        print("\t\t  Can repeat up to "..ca_cert_size.."times")
        print(" -quiet\t\t- No client output")
        print(" -pass\t\t- private key file pass phrase source")
        print(" -reconnect\t- Drop and re-make the connection "..
                "with the same Session-ID")

        if build_mode == axtlsl.SSL_BUILD_FULL_MODE then
            print(" -debug\t\t- Print more output")
            print(" -state\t\t- Show state messages")
            print(" -show-rsa\t- Show RSA state")
        end
    else
        print("Change configuration to allow this feature")
    end

    os.exit(1)
end

-- Implement the SSL server logic. 
function do_server(build_mode)
    local i = 2
    local v
    local port = 4433
    local options = axtlsl.SSL_DISPLAY_CERTS
    local quiet = false
    local password = ""
    local private_key_file = nil
    local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
    local ca_cert_size = axtlsl.
                            ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
    local cert = {}
    local ca_cert = {}

    while i <= #arg do
        if arg[i] ==  "-accept" then
            if i >= #arg then
                print_server_options(build_mode, arg[i])
            end

            i = i + 1
            port = arg[i]
        elseif arg[i] == "-quiet" then
            quiet = true
            options = bit.band(options, bit.bnot(axtlsl.SSL_DISPLAY_CERTS))
        elseif build_mode >= axtlsl.SSL_BUILD_SERVER_ONLY then
            if arg[i] == "-cert" then
                if i >= #arg or #cert >= cert_size then
                    print_server_options(build_mode, arg[i]) 
                end

                i = i + 1
                table.insert(cert, arg[i])
            elseif arg[i] == "-key" then
                if i >= #arg then
                    print_server_options(build_mode, arg[i]) 
                end

                i = i + 1
                private_key_file = arg[i]
                options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
            elseif arg[i] == "-pass" then
                if i >= #arg then
                    print_server_options(build_mode, arg[i]) 
                end

                i = i + 1
                password = arg[i]
            elseif build_mode >= axtlsl.SSL_BUILD_ENABLE_VERIFICATION then
                if arg[i] == "-verify" then
                    options = bit.bor(options, axtlsl.SSL_CLIENT_AUTHENTICATION)
                elseif arg[i] == "-CAfile" then
                    if i >= #arg or #ca_cert >= ca_cert_size then
                        print_server_options(build_mode, arg[i])  
                    end

                    i = i + 1
                    table.insert(ca_cert, arg[i])
                elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
                    if arg[i] == "-debug" then
                        options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
                    elseif arg[i] == "-state" then
                        options = bit.bor(options, axtlsl.SSL_DISPLAY_STATES)
                    elseif arg[i] == "-show-rsa" then
                        options = bit.bor(options, axtlsl.SSL_DISPLAY_RSA)
                    else
                        print_server_options(build_mode, arg[i])
                    end
                else
                    print_server_options(build_mode, arg[i])
                end
            else 
                print_server_options(build_mode, arg[i])
            end
        else 
            print_server_options(build_mode, arg[i])
        end

        i = i + 1
    end

    -- Create socket for incoming connections
    local server_sock = socket.try(socket.bind("*", port))

    ---------------------------------------------------------------------------
    -- This is where the interesting stuff happens. Up until now we've
    -- just been setting up sockets etc. Now we do the SSL handshake.
    ---------------------------------------------------------------------------
    local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_SVR_SESS)
    if ssl_ctx == nil then error("Error: Server context is invalid") end

    if private_key_file ~= nil then
        local obj_type = axtlsl.SSL_OBJ_RSA_KEY

        if string.find(private_key_file, ".p8") then 
            obj_type = axtlsl.SSL_OBJ_PKCS8 
        end

        if string.find(private_key_file, ".p12") then 
            obj_type = axtlsl.SSL_OBJ_PKCS12 
        end

        if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file, 
                                        password) ~= axtlsl.SSL_OK then
            error("Private key '" .. private_key_file .. "' is undefined.")
        end
    end

    for _, v in ipairs(cert) do
        if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~= 
                                        axtlsl.SSL_OK then
            error("Certificate '"..v .. "' is undefined.")
        end
    end

    for _, v in ipairs(ca_cert) do
        if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~= 
                                        axtlsl.SSL_OK then
            error("Certificate '"..v .."' is undefined.")
        end
    end

    while true do
        if not quiet then print("ACCEPT") end
        local client_sock = server_sock:accept();
        local ssl = axtlsl.ssl_server_new(ssl_ctx, client_sock:getfd())

        -- do the actual SSL handshake
        local connected = false
        local res
        local buf

        while true do
            socket.select({client_sock}, nil)
            res, buf = axtlsl.ssl_read(ssl)

            if res == axtlsl.SSL_OK then -- connection established and ok
                if axtlsl.ssl_handshake_status(ssl) == axtlsl.SSL_OK then
                    if not quiet and not connected then
                        display_session_id(ssl)
                        display_cipher(ssl)
                    end
                    connected = true
                end
            end

            if res > axtlsl.SSL_OK then
                for _, v in ipairs(buf) do
                    io.write(string.format("%c", v))
                end
            elseif res < axtlsl.SSL_OK then 
                if not quiet then
                    axtlsl.ssl_display_error(res)
                end
                break
            end
        end

        -- client was disconnected or the handshake failed.
        print("CONNECTION CLOSED")
        axtlsl.ssl_free(ssl)
        client_sock:close()
    end

    axtlsl.ssl_ctx_free(ssl_ctx)
end

--
-- Implement the SSL client logic.
--
function do_client(build_mode)
    local i = 2
    local v
    local port = 4433
    local options = 
            bit.bor(axtlsl.SSL_SERVER_VERIFY_LATER, axtlsl.SSL_DISPLAY_CERTS)
    local private_key_file = nil
    local reconnect = 0
    local quiet = false
    local password = ""
    local session_id = {}
    local host = "127.0.0.1"
    local cert_size = axtlsl.ssl_get_config(axtlsl.SSL_MAX_CERT_CFG_OFFSET)
    local ca_cert_size = axtlsl.
                            ssl_get_config(axtlsl.SSL_MAX_CA_CERT_CFG_OFFSET)
    local cert = {}
    local ca_cert = {}

    while i <= #arg do
        if arg[i] == "-connect" then
            if i >= #arg then
                print_client_options(build_mode, arg[i]) 
            end

            i = i + 1
            local t = string.find(arg[i], ":")
            host = string.sub(arg[i], 1, t-1)
            port = string.sub(arg[i], t+1)
        elseif arg[i] == "-cert" then
            if i >= #arg or #cert >= cert_size then
                print_client_options(build_mode, arg[i]) 
            end

            i = i + 1
            table.insert(cert, arg[i])
        elseif arg[i] == "-key" then
            if i >= #arg then
                print_client_options(build_mode, arg[i])
            end

            i = i + 1
            private_key_file = arg[i]
            options = bit.bor(options, axtlsl.SSL_NO_DEFAULT_KEY)
        elseif arg[i] == "-CAfile" then
            if i >= #arg or #ca_cert >= ca_cert_size then
                print_client_options(build_mode, arg[i]) 
            end

            i = i + 1
            table.insert(ca_cert, arg[i])
        elseif arg[i] == "-verify" then
            options = bit.band(options, 
                                bit.bnot(axtlsl.SSL_SERVER_VERIFY_LATER))
        elseif arg[i] == "-reconnect" then
            reconnect = 4
        elseif arg[i] == "-quiet" then
            quiet = true
            options = bit.band(options, bnot(axtlsl.SSL_DISPLAY_CERTS))
        elseif arg[i] == "-pass" then
            if i >= #arg then
                print_server_options(build_mode, arg[i])
            end

            i = i + 1
            password = arg[i]
        elseif build_mode == axtlsl.SSL_BUILD_FULL_MODE then
            if arg[i] == "-debug" then
                options = bit.bor(options, axtlsl.SSL_DISPLAY_BYTES)
            elseif arg[i] == "-state" then
                options = bit.bor(axtlsl.SSL_DISPLAY_STATES)
            elseif arg[i] == "-show-rsa" then
                options = bit.bor(axtlsl.SSL_DISPLAY_RSA)
            else    -- don't know what this is
                print_client_options(build_mode, arg[i])
            end
        else    -- don't know what this is
            print_client_options(build_mode, arg[i])
        end

        i = i + 1
    end

    local client_sock = socket.try(socket.connect(host, port))
    local ssl
    local res

    if not quiet then print("CONNECTED") end

    ---------------------------------------------------------------------------
    -- This is where the interesting stuff happens. Up until now we've
    -- just been setting up sockets etc. Now we do the SSL handshake.
    ---------------------------------------------------------------------------
    local ssl_ctx = axtlsl.ssl_ctx_new(options, axtlsl.SSL_DEFAULT_CLNT_SESS)

    if ssl_ctx == nil then 
        error("Error: Client context is invalid")
    end

    if private_key_file ~= nil then
        local obj_type = axtlsl.SSL_OBJ_RSA_KEY

        if string.find(private_key_file, ".p8") then 
            obj_type = axtlsl.SSL_OBJ_PKCS8 
        end

        if string.find(private_key_file, ".p12") then 
            obj_type = axtlsl.SSL_OBJ_PKCS12 
        end

        if axtlsl.ssl_obj_load(ssl_ctx, obj_type, private_key_file, 
                                        password) ~= axtlsl.SSL_OK then
            error("Private key '"..private_key_file.."' is undefined.")
        end
    end

    for _, v in ipairs(cert) do
        if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CERT, v, "") ~= 
                                        axtlsl.SSL_OK then
            error("Certificate '"..v .. "' is undefined.")
        end
    end

    for _, v in ipairs(ca_cert) do
        if axtlsl.ssl_obj_load(ssl_ctx, axtlsl.SSL_OBJ_X509_CACERT, v, "") ~= 
                                        axtlsl.SSL_OK then
            error("Certificate '"..v .."' is undefined.")
        end
    end

    -- Try session resumption?
    if reconnect ~= 0 then
        local session_id = nil
        local sess_id_size = 0

        while reconnect > 0 do
            reconnect = reconnect - 1
            ssl = axtlsl.ssl_client_new(ssl_ctx, 
                    client_sock:getfd(), session_id, sess_id_size)

            res = axtlsl.ssl_handshake_status(ssl)
            if res ~= axtlsl.SSL_OK then
                if not quiet then axtlsl.ssl_display_error(res) end
                axtlsl.ssl_free(ssl)
                os.exit(1)
            end

            display_session_id(ssl)
            session_id = axtlsl.ssl_get_session_id(ssl)
            sess_id_size = axtlsl.ssl_get_session_id_size(ssl)

            if reconnect > 0 then
                axtlsl.ssl_free(ssl)
                client_sock:close()
                client_sock = socket.try(socket.connect(host, port))
            end

        end
    else
        ssl = axtlsl.ssl_client_new(ssl_ctx, client_sock:getfd(), nil, 0)
    end

    -- check the return status
    res = axtlsl.ssl_handshake_status(ssl)
    if res ~= axtlsl.SSL_OK then
        if not quiet then axtlsl.ssl_display_error(res) end
        os.exit(1)
    end

    if not quiet then
        local common_name = axtlsl.ssl_get_cert_dn(ssl, 
                            axtlsl.SSL_X509_CERT_COMMON_NAME)

        if common_name ~= nil then 
            print("Common Name:\t\t\t"..common_name)
        end

        display_session_id(ssl)
        display_cipher(ssl)
    end

    while true do
        local line = io.read()
    if line == nil then break end
        local bytes = {}

        for i = 1, #line do
            bytes[i] = line.byte(line, i)
        end

        bytes[#line+1] = 10      -- add carriage return, null
        bytes[#line+2] = 0

        res = axtlsl.ssl_write(ssl, bytes, #bytes)
        if res < axtlsl.SSL_OK then
            if not quiet then axtlsl.ssl_display_error(res) end
            break
        end
    end

    axtlsl.ssl_ctx_free(ssl_ctx)
    client_sock:close()
end

--
-- Display what cipher we are using 
--
function display_cipher(ssl)
    io.write("CIPHER is ")
    local cipher_id = axtlsl.ssl_get_cipher_id(ssl)

    if cipher_id == axtlsl.SSL_AES128_SHA then
        print("AES128-SHA")
    elseif cipher_id == axtlsl.SSL_AES256_SHA then
        print("AES256-SHA")
    elseif axtlsl.SSL_RC4_128_SHA then
        print("RC4-SHA")
    elseif axtlsl.SSL_RC4_128_MD5 then
        print("RC4-MD5")
    else 
        print("Unknown - "..cipher_id)
    end
end

--
-- Display what session id we have.
--
function display_session_id(ssl)
    local session_id = axtlsl.ssl_get_session_id(ssl)
    local v

    if #session_id > 0 then
        print("-----BEGIN SSL SESSION PARAMETERS-----")
        for _, v in ipairs(session_id) do
            io.write(string.format("%02x", v))
        end
        print("\n-----END SSL SESSION PARAMETERS-----")
    end
end

--
-- Main entry point. Doesn't do much except works out whether we are a client
-- or a server.
--
if #arg == 0 or (arg[1] ~= "s_server" and arg[1] ~= "s_client") then
    print_options(#arg > 0 and arg[1] or "")
end

local build_mode = axtlsl.ssl_get_config(axtlsl.SSL_BUILD_MODE)
_ = arg[1] == "s_server" and do_server(build_mode) or do_client(build_mode)
os.exit(0)