CL+SSL

A Common Lisp interface to OpenSSL.

About

This library is a fork of SSL-CMUCL. The original SSL-CMUCL source code was written by Eric Marsden and includes contributions by Jochen Schmidt. Development into CL+SSL was done by David Lichteblau. License: MIT-style.

Distinguishing features: CL+SSL is portable code based on CFFI and gray streams. It defines its own libssl BIO method, so that SSL I/O can be written over portable Lisp streams instead of bypassing the streams and sending data over Unix file descriptors directly. (But the traditional approach is still used if possible.)

Download

The library is available via Quicklisp.

The Git repository: https://gitorious.org/cl-plus-ssl/cl-plus-ssl. (download snapshot).

Send bug reports to cl-plus-ssl-devel@common-lisp.net (list information).

Note that you need the libssl-dev package on Debian to load this package without manual configuration.

OpenSSL binaries for Windows may be found at http://www.slproweb.com/products/Win32OpenSSL.html (slproweb.com is a 3rd party; if you have questions about the OpenSSL installer they provide, please ask in the mailing list specified on the linked page).

API functions

Function CL+SSL:ENSURE-INITIALIZED (&key (method 'ssl-v23-method) (rand-seed nil))
In most cases you do not need to call this function, because it is called automatically. The only reason to call it explicitly is to supply the rand-seed parameter. In this case do it before calling any other functions.

Keyword arguments:

method. Just leave its default value.

rand-seed is an octet sequence to initialize OpenSSL random number generator. On many platforms, including Linux and Windows, it may be leaved NIL (default), because OpenSSL initializes the random number generator from OS specific service. But for example on Solaris it may be necessary to supply this value. The minimum length required by OpenSSL is 128 bits. See here http://www.openssl.org/support/faq.html#USER1 for the details.

Hint: do not use Common Lisp RANDOM function to generate the rand-seed, because the function usually returns predictable values.

Function CL+SSL:MAKE-SSL-CLIENT-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))

Function CL+SSL:MAKE-SSL-SERVER-STREAM (fd-or-stream &key external-format certificate key password close-callback (unwrap-streams-p t))
Return an SSL stream for the client (server) socket fd-or-stream. All reads and writes to this stream will be pushed through the OpenSSL library.

Keyword arguments:

If fd-or-stream is a lisp stream, the SSL stream will close it automatically. File descriptors are not closed automatically. However, if close-callback is non-nil, it will be called with zero arguments when the SSL stream is closed.

If unwrap-stream-p is true (the default), a stream for a file descriptor will be replaced by that file descriptor automatically. This is similar to passing the result of stream-fd as an argument, except that a deadline associated with the stream object will be taken into account, and that the stream will be closed automatically. As with file descriptor arguments, no I/O will actually be done on the stream object.

certificate is the path to a file containing the PEM-encoded certificate.

key is the path to the PEM-encoded key, which may be associated with the passphrase password.

If external-format is nil (the default), a plain (unsigned-byte 8) SSL stream is returned. With a non-null external-format, a flexi-stream capable of character I/O will be returned instead, with the specified value as its initial external format.

Function CL+SSL:USE-CERTIFICATE-CHAIN-FILE (certificate-chain-file)
Loads a PEM encoded certificate chain file certificate-chain-file and adds the chain to global context. The certificates must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

Note: the RELOAD function clears the global context and in particular the loaded certificate chain.

Function CL+SSL:RELOAD ()
Reload libssl. Call this function after restarting a Lisp core with CL+SSL dumped into it on Lisp implementations that do not reload shared libraries automatically.

Function CL+SSL:STREAM-FD (stream)
Return stream's file descriptor as an integer, if known. Otherwise return stream itself. The result of this function can be passed to make-ssl-client-stream and make-ssl-server-stream.

Function CL+SSL:RANDOM-BYTES (count)
Generates count cryptographically strong pseudo-random bytes. Returns the bytes as a simple-array with element-type '(unsigned-byte 8). Signals an error in case of problems, for example when the OpenSSL random number generator has not been seeded with enough randomness to ensure an unpredictable byte sequence.

Portability

CL+SSL requires CFFI with callback support.

Test results for Linux/x86, except OpenMCL which was tested on Linux/PPC:

Lisp Implementation Status Comments
OpenMCLWorking
SBCLWorking
CMU CLWorking
CLISPWorking
LispWorksWorking
Allegro Broken segfault
Corman CLUnknown
Digitool MCLUnknown
Scieneer CLUnknown
ECLUnknown
GCLUnknown

TODO

News

2011-05-22

2011-05-22

2011-03-25

2010-05-26

2009-09-17

2008-xx-yy

2007-xx-yy

2007-07-07

2007-01-16: CL+SSL is now available under an MIT-style license.